[Filebeat][Checkpoint module] data stream timestamp field [@timestamp] is missing #32380

Closed
bbs2web opened this issue Jul 18, 2022 · 14 comments · Fixed by #32458

bbs2web commented Jul 18, 2022

Hi,

I'm trying to ingest CheckPoint native Syslog exports of security gateway (firewall) logs. My understanding is that integration was previously via CEF, which did not pass through sufficient detail, but that the native syslog format was merged here: Checkpoint Syslog Filebeat module by P1llus · Pull Request #17682 · elastic/beats · GitHub

We had the following problem with CheckPoint R81 and continue to experience the same problem with the latest generally recommended version R81.10. We have configured the CheckPoint log exporter via SmartConsole, as follows:
image

Format is set as standard 'Syslog' format, which should include all the additional CheckPoint fields:
image

The problem we are experiencing is that nothing is actually ingested; we receive the following error:
image

The input pipeline was automatically configured when we added the Check Point module to an Elastic Agent via Fleet. This input pipeline appears to refer to fields which Check Point doesn't appear to generate:
image

CheckPoint documentation for the description of fields in Check Point Logs does not include '@timestamp' or 'timestamp':
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192

elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 (Contributor) commented Jul 19, 2022

@bbs2web Are you able to provide the (suitably redacted) text of a failing log line or two?

@efd6 efd6 self-assigned this Jul 19, 2022
bbs2web (Author) commented Jul 19, 2022

Hi,

Herewith an archive containing 500+ scrubbed logs from a CheckPoint log export. This is the result of having run a CheckPoint native format export to CSV (semicolon-separated value file) and then having replaced IPs and names.

checkpoint-logs.csv.gz

bbs2web (Author) commented Jul 19, 2022

Herewith a snippet of the uncompressed data:

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;hll_key;SequenceNum;log_sys_message;ProductFamily;inzone;outzone;service_id;src;dst;proto;xlatesrc;xlatedst;NAT_rulenum;NAT_addtnl_rulenum;needs_browse_time;security_inzone;security_outzone;protocol;sig_id;user;src_user_name;src_machine_name;src_user_dn;snid;dst_user_name;dst_machine_name;dst_user_dn;UP_match_table_match_id;UP_match_table_layer_uuid;UP_match_table_layer_name;UP_match_table_rule_uid;UP_match_table_rule_name;tls_server_host_name;sni;certificate_validity;dst_dynobj_name;dst_domain_name;dst_uo_name;dst_uo_icon;dst_object_type;NAT_rule_uid;NAT_addtnl_rule_uid;context_num;service;s_port;xlatedport;xlatesport;duration;last_hit_time;update_count;creation_time;connection_count;aggregated_log_count;web_client_type;web_server_type;UP_match_2_app_table_match_id;UP_match_2_app_table_app_id;UP_primary_app_table_primary_app;UP_app_table_id;UP_app_table_name;UP_app_table_app_desc;UP_app_table_category;UP_app_table_matched_category;UP_app_table_properties;UP_app_table_risk;UP_app_table_sig_id;resource_table_resource;resource_table_method;referrer;user_agent;Log 
delay;src_dynobj_name;src_domain_name;src_uo_name;src_uo_icon;src_object_type;UP_action_table_action;rule_guid;hit;policy;first_hit_time;log_id;start_time;segment_time;elapsed;packets;bytes;client_inbound_packets;client_outbound_packets;server_inbound_packets;server_outbound_packets;client_inbound_bytes;client_outbound_bytes;server_inbound_bytes;server_outbound_bytes;client_inbound_interface;client_outbound_interface;server_inbound_interface;server_outbound_interface;Unauthorized_SNI;browse_time;UP_urlf_table_id;UP_urlf_table_name;UP_urlf_table_app_desc;UP_urlf_table_category;UP_urlf_table_matched_category;UP_urlf_table_properties;UP_urlf_table_risk;UP_urlf_table_sig_id;connection_luuid;status;short_desc;long_desc;scan_hosts_hour;scan_hosts_day;scan_hosts_week;unique_detected_hour;unique_detected_day;unique_detected_week;scan_mail;url_count;rule;rule_uid;rule_name;sub_policy_name;sub_policy_uid;email_control;email_session_id;information;email_id;from;to;email_recipients_num;reason;TCP packet out of state;tcp_flags;client_type_os;action_reason;ICMP;ICMP Type;ICMP Code;message_info;attack;Attack Info;Protection Name;Protection ID;Severity;Confidence Level;Industry Reference;Performance Impact;Protection Type;Description URL;packet_capture_unique_id;packet_capture_time;packet_capture_name;SmartDefense profile;policy_time;session_id;Source_OS;dst_country;malware_rule_id;malware_rule_name;resource;reject_id_kid;ser_agent_kid;server_kid;TP_match_table_layer_uuid;TP_match_table_layer_name;TP_match_table_malware_rule_id;TP_match_table_malware_rule_name;TP_match_table_SmartDefense profile;contract_name;db_ver;subs_exp;description;Update 
Status;subscription_stat;subscription_stat_desc;next_update_desc;client_name;client_version;client_build;domain_name;host_type;os_name;os_version;os_edition;os_service_pack;os_build;os_bits;browser;endpoint_ip;device_identification;latitude;longitude;MACSourceAddress;auth_status;identity_src;src_user_group;src_machine_group;auth_method;identity_type;Authentication trial;roles;version;comment;update_service;Suppressed logs;sent_bytes;received_bytes;certificate_resource;certificate_validation;failure_impact;termination_reason;fw_message;proxy_src_ip;http_location;content_type;content_disposition;requested_with;via;http_server;content_length;method;http_status;authorization;http_host;protocol_name;protection_id;Streaming Engine;rpc_prog;srckeyid;dstkeyid;encryption failure:;peer gateway;scheme:;methods:;reject_category;fw_subproduct;vpn_feature_name;dynamic object;change type;modify type;ip ranges;IKE:;CookieI;CookieR;msgid;IKE notification:;Certificate DN:;IKE IDs:;partner;community;system_application;cp_component_name;cp_component_version;package_action;operation_results;cvpn_category;event_type;auth_method2;auth_method3;login_option;failed_login_factor;failed_login_factor_num;user_dn;fingerprint;certificate_serial_number;certificate_issuer;user_group;hardware_model;session_timeout;login_timestamp;host_ip;office_mode_ip;tunnel_protocol;license;Suppressed_Logs;More;session_uid;mac_address;Hostname;auth_encryption_methods;message;vpn_user;old IP;old port;new IP;new port;DCE-RPC Interface UUID;note;connection_uid;blade_name;control_log_type;file_name;sys_message:;c_bytes;Last Rematch Time
0;17Jul2022;0:00:47;100.127.202.23;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=Company_Log,O=Company_Server_1.company.com.gbu7jf;5;18446744073709551615;1;Log file has been switched to: 2022-07-17_000000.log;Network;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
1;16Jul2022;23:59:59;192.0.2.90;connection;accept;;eth0.11;inbound;VPN-1 & FireWall-1;0;1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;16666636505222387524;11;;Network;Internal;External;https;192.168.17.10;192.0.65.26;tcp;192.0.2.231;;54;0;1;InternalZone;;HTTPS;4;Joe Doe (joed)(+);Joe Doe (joed)(+);[email protected];CN=Joe Doe,OU=Users,OU=Company,DC=ad,DC=company,DC=com(+);;;[email protected];;48,16777269;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;e37a79cb-a37e-4de9-8a92-88bee71637d5,78e32861-3088-4576-8f45-e6a486277b29;9.40_._._Allow identified users,9.45_._._Cleanup rule;fluffy.company.com;fluffy.company.com;Trusted;;;Timbuktu;@app/cp_geo_ml;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;1;443;49240;;37732;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2;16Jul2022;23:59:59;192.0.2.90;account;accept;;eth0.10;outbound;VPN-1 & FireWall-1;6;1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;6056588561559531162;8;;Network;;;https_10051;192.168.20.14;192.0.65.26;tcp;192.0.2.231;;54;0;1;InternalZone;;HTTPS;4;;;[email protected];;;;[email protected];;40,16777239;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,5cf233d5-57f3-4745-ae4c-61e1af2bbd4b;9.32_._._Do not require authentication,9.15_._._Unauthenticated - Fluffy;192.0.65.26;;Untrusted;;;Timbuktu;@app/cp_geo_ml;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;1;10051;33722;;37733;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;16Jul2022 23:59:59;16Jul2022 23:59:59;0:00:00;30;6129;12;18;9;24;2590;3539;3539;2590;eth0.11;;;eth0.10;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3;16Jul2022;23:59:59;192.0.2.90;connection;accept;;eth0.11;inbound;VPN-1 & FireWall-1;0;1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;3250452641575952679;13;;Network;Internal;External;http;192.168.1.17;104.18.32.68;tcp;192.0.2.231;;54;0;;InternalZone;;HTTP;0;;;[email protected];;;;;;40,16777245;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,7446889b-e12d-4c9b-b839-70bb9c8d488f;9.32_._._Do not require authentication,9.21_._._Allow - Unauthenticated;;;;;;;;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;1;80;36497;;27561;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4;16Jul2022;23:59:59;192.0.2.90;connection;accept;;eth0.11;outbound;VPN-1 & FireWall-1;4;2;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;7361627382187237226;14;;Network;Internal;External;http;192.168.1.17;104.18.32.68;tcp;192.0.2.231;;54;0;;InternalZone;;HTTP;0;;;[email protected];;;;;;40,16777245;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,7446889b-e12d-4c9b-b839-70bb9c8d488f;9.32_._._Do not require authentication,9.21_._._Allow - Unauthenticated;;;;;;;;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;2;80;36497;;27561;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5;16Jul2022;23:59:59;192.0.2.90;session;accept;;eth0.11;inbound;Application Control;352;-1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;3250452641575952679;2;;Network;Internal;External;http;192.168.1.17;104.18.32.68;tcp;;;;;;;;HTTP;0;;;[email protected];;;;;;40,16777245;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,7446889b-e12d-4c9b-b839-70bb9c8d488f;9.32_._._Do not require authentication,9.21_._._Allow - Unauthenticated;;;;;;;;;;;;80;;;;3:00:00;17Jul2022  1:13:08;4;16Jul2022 23:59:59;2;3;Other: Microsoft-CryptoAPI/10.0;;16777245;60529026;60529026;60529026;Windows 10 Update;Windows 10 OS network traffic, it happen usually by update or upgrade.;Network Protocols;Network Protocols;Encrypts communications, Low Risk, Network Protocols;2;60529026:2;http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDwhJzwIxXNs9fdoihwqMCx;GET;;;;;;;;;;;;;;;;;;14;1664;6;8;4;13;524;1140;1140;564;;;;;;;;;;;;;;;;;;;;;;;;;;1;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6;16Jul2022;23:59:59;192.0.2.90;session;accept;;eth0.11;outbound;Application Control;352;-1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;7361627382187237226;3;;Network;;;http;192.168.1.17;104.18.32.68;tcp;;;;;;;;HTTP;0;;;[email protected];;;;;;40,16777245;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,7446889b-e12d-4c9b-b839-70bb9c8d488f;9.32_._._Do not require authentication,9.21_._._Allow - Unauthenticated;;;;;;;;;;;;80;;;;3:00:00;17Jul2022  0:01:04;3;16Jul2022 23:59:59;1;2;Other: Microsoft-CryptoAPI/10.0;;16777245;10075086;10075086;10075086;OCSP;The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It was created as an alternative to certificate revocation lists.;Network Protocols;Network Protocols;Encrypts communications, Very Low Risk, Network Protocols;1;10075086:35;http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDwhJzwIxXNs9fdoihwqMCx;GET;;Microsoft-CryptoAPI/10.0;;;;;;;;;;;;;;;;14;1661;6;8;4;12;524;1137;1137;524;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
7;16Jul2022;23:59:59;192.0.2.90;connection;accept;;eth0.10;outbound;VPN-1 & FireWall-1;0;1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;6353774620623721536;17;;Network;;;SSH_2200;192.168.20.11;192.0.1.39;tcp;192.0.2.231;;54;0;;InternalZone;;SSH2;1;;;[email protected];;;;;;40,16777245;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,7446889b-e12d-4c9b-b839-70bb9c8d488f;9.32_._._Do not require authentication,9.21_._._Allow - Unauthenticated;;;;;;Timbuktu;@app/cp_geo_ml;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;1;2200;42222;;37734;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
8;16Jul2022;23:59:59;192.0.2.90;account;accept;;eth0.10;outbound;VPN-1 & FireWall-1;6;1;CN=gw1,O=Company_Server_1.company.com.gbu7jf;5;3920171494212229393;5;;Network;;;https_10051;192.168.1.20;192.0.65.26;tcp;192.0.2.231;;54;0;1;InternalZone;;HTTPS;4;;;[email protected];;;;[email protected];;40,16777239;eb785a20-4294-48fe-9226-165660243e7f,3984cc0a-aa85-49aa-8b71-ac8736a162fb;Network,Application;7de163cb-dc42-4fb8-9559-9c4988c53d18,5cf233d5-57f3-4745-ae4c-61e1af2bbd4b;9.32_._._Do not require authentication,9.15_._._Unauthenticated - Fluffy;192.0.65.26;;Untrusted;;;Timbuktu;@app/cp_geo_ml;;849c7739-2249-4b75-b86a-7a44c1a3c2c0;;1;10051;59649;;37735;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;16Jul2022 23:59:59;16Jul2022 23:59:59;0:00:00;37;7572;13;24;12;26;3993;3579;3579;3993;eth0.11;;;eth0.10;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

efd6 (Contributor) commented Jul 20, 2022

These will be helpful in general, but what I need to address the problem here is some failing syslog lines; I don't have a definition of how the attributes are mapped into their syslog output, so I would be making things up that I need to know.

bbs2web (Author) commented Jul 20, 2022

Hi,

I'm unfortunately very new to Elastic; is there a debug option to capture the incoming syslog messages in a format that would help?

I also have a packet capture but presumed that not to be helpful...

efd6 (Contributor) commented Jul 20, 2022

I think probably the easiest way would be to get some documents that have been ingested like you have in the screenshots in the issue. These have a message field from what I can see above which has the log line I am looking for. Copying the _source for one or two of the documents in Discover will be enough, and then paste the scrubbed message field. Alternatively, select the message field in the Discover field selector (left panel) and you can then copy the text from a document.

bbs2web (Author) commented Jul 21, 2022

Hi,

Many thanks for the guidance, herewith a sample 'message' field for a log entry that wasn't ingested:

  "message": [
    "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.July, 18, 21, 32, 12, 765460318, time.Local), Meta:{\"raw_index\":\"logs-checkpoint.firewall-default\"}, Fields:{\"agent\":{\"ephemeral_id\":\"e9e34c94-d282-4757-8f14-3088530aaad4\",\"id\":\"a5d69d67-0ea2-4695-aaa6-3b98de116fb9\",\"name\":\"elk-syslog\",\"type\":\"filebeat\",\"version\":\"8.3.2\"},\"data_stream\":{\"dataset\":\"checkpoint.firewall\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"a5d69d67-0ea2-4695-aaa6-3b98de116fb9\",\"snapshot\":false,\"version\":\"8.3.2\"},\"event\":{\"dataset\":\"checkpoint.firewall\",\"timezone\":\"+02:00\"},\"input\":{\"type\":\"tcp\"},\"log\":{\"source\":{\"address\":\"192.0.202.23:50067\"}},\"message\":\"\\u003c134\\u003e1 2022-07-16T18:51:20Z fwcpl1 CheckPoint 15190 - [action:\\\"Accept\\\"; contextnum:\\\"1\\\"; flags:\\\"802832\\\"; ifdir:\\\"inbound\\\"; ifname:\\\"eth0.11\\\"; logid:\\\"6\\\"; loguid:\\\"{0x8f666132,0xbecc4db4,0xba440b,0x9a552992}\\\"; origin:\\\"41.79.23.90\\\"; originsicname:\\\"CN=fwcp1,O=Client_Server_1.company.com.gbu7jf\\\"; sequencenum:\\\"8\\\"; time:\\\"1657997480\\\"; version:\\\"5\\\"; __nsons:\\\"0\\\"; __p_dport:\\\"0\\\"; __policy_id_tag:\\\"product=VPN-1 \\u0026 FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\\\]\\\"; __pos:\\\"7\\\"; bytes:\\\"11390\\\"; client_inbound_bytes:\\\"7745\\\"; client_inbound_interface:\\\"eth0.11\\\"; client_inbound_packets:\\\"15\\\"; client_outbound_bytes:\\\"3645\\\"; client_outbound_packets:\\\"22\\\"; context_num:\\\"1\\\"; elapsed:\\\"0\\\"; hll_key:\\\"10604343600038601552\\\"; packets:\\\"37\\\"; product:\\\"Log Update\\\"; segment_time:\\\"1657997472\\\"; server_inbound_bytes:\\\"3645\\\"; server_inbound_packets:\\\"11\\\"; server_outbound_bytes:\\\"7745\\\"; server_outbound_interface:\\\"eth0.10\\\"; server_outbound_packets:\\\"30\\\"; 
start_time:\\\"1657997472\\\"]\",\"tags\":[\"forwarded\"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"mapper_parsing_exception\",\"reason\":\"failed to parse\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"data stream timestamp field [@timestamp] is missing\"}}, dropping event!"
  ],

I additionally exported a part of a packet capture to CSV using Wireshark, hope this helps:

"No.","Time","Source","Destination","Protocol","Length","Info"
"73","2022-07-16 22:55:47.549377","192.0.202.23","192.0.23.12","Syslog","1514","LOCAL0.INFO: 1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Outgoing""; contextnum:""1""; flags:""8311808""; ifdir:""outbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0xd5fa703a,0xe12ea594,0x7ef4e22a,0xafe51d8f}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""2""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; certificate_validity:""Untrusted""; context_num:""1""; dst:""192.0.65.26""; dst_machine_name:""[email protected]""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; hll_key:""14443898081849469940""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""40""; match_id:""16777239""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.32_._._Do not require authentication""; rule_name:""9.15_._._Unauthenticated - NMS""; rule_uid:""7de163cb-dc42-4fb8-9559-9c4988c53d18""; rule_uid:""5cf233d5-57f3-4745-ae4c-61e1af2bbd4b""; nat_addtnl_rulenum:""0""; nat_rule_uid:""849c7739-2249-4b75-b86a-7a44c1a3c2c0""; nat_rulenum:""54""; needs_browse_time:""1""; product:""VPN-1 & FireWall-1""; proto:""6""; protocol:""HTTPS""; s_port:""56350""; security_inzone:""InternalZone""; service:""10051""; service_id:""ht"
"74","2022-07-16 22:55:47.549396","192.0.202.23","192.0.23.12","Syslog","229","tps_10051""; sig_id:""4""; src:""192.168.1.66""; tls_server_host_name:""192.0.65.26""; xlatedport:""0""; xlatedst:""0.0.0.0""; xlatesport:""40442""; xlatesrc:""192.0.23.231""]\\n"
"75","2022-07-16 22:55:47.549402","192.0.202.23","192.0.23.12","Syslog","1514","LOCAL0.INFO: 1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Incoming""; flags:""8800518""; ifdir:""inbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0x1884eb8a,0x2366ad2d,0xedd09a2b,0x3c9c989}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""3""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; dst:""192.0.23.229""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; log_delay:""1657987709""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""23""; match_id:""16777217""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.15_._._GummyBear""; rule_name:""1_._._Allow - Inbound""; rule_uid:""afc6479f-f4b1-42a9-9aa3-bd9af46e2eb3""; rule_uid:""04102b39-d08c-4310-aae7-34b1a42cf230""; product:""VPN-1 & FireWall-1""; proto:""6""; s_port:""42357""; service:""443""; service_id:""https""; src:""192.0.73.194""; src_uo_icon:""@app/cp_geo_ml""; src_uo_name:""Mali""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; flags:""278528""; ifdir:""inbound""; ifname:""eth0.10""; logid:""1""; loguid:""{0x1884eb8a,0x2366ad2d,0xedd09a2b,0x3c9c989}""; origin:""192.0.23.90""; originsicname:""CN=fwc"
"76","2022-07-16 22:55:47.549409","192.0.202.23","192.0.23.12","Syslog","1514","p1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""4""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; nat_addtnl_rulenum:""0""; nat_rule_uid:""f7c2fe52-aa5f-4c64-9b87-1e000f54b35f""; nat_rulenum:""38""; product:""VPN-1 & FireWall-1""; xlatedport:""0""; xlatedst:""192.168.1.17""; xlatesport:""0""; xlatesrc:""0.0.0.0""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0xca120786,0x8d4360e0,0xa75630a3,0xbf7f7076}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""5""; time:""1657987709""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""6224""; client_inbound_bytes:""2621""; client_inbound_interface:""eth0.11""; client_inbound_packets:""12""; client_outbound_bytes:""3603""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""17004712395693688087""; packets:""32""; product:""Log Update""; segment_time:""1657987701""; server_inbound_bytes:""3603""; server_inbound_packets:""10""; server_outbound_bytes:""2621""; server_outbound_interface:""eth0.10""; server_outbound_packets:""24""; "
"77","2022-07-16 22:55:47.549414","192.0.202.23","192.0.23.12","Syslog","1514","start_time:""1657987701""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Outgoing""; contextnum:""1""; flags:""8311808""; ifdir:""outbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0x81edd213,0xa4d3b7c9,0xdd4f38c1,0x1103dda8}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""6""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; certificate_validity:""Untrusted""; context_num:""1""; dst:""192.0.65.26""; dst_machine_name:""[email protected]""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; hll_key:""10897370474215141923""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""40""; match_id:""16777239""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.32_._._Do not require authentication""; rule_name:""9.15_._._Unauthenticated - NMS""; rule_uid:""7de163cb-dc42-4fb8-9559-9c4988c53d18""; rule_uid:""5cf233d5-57f3-4745-ae4c-61e1af2bbd4b""; nat_addtnl_rulenum:""0""; nat_rule_uid:""849c7739-2249-4b75-b86a-7a44c1a3c2c0""; nat_rulenum:""54""; needs_browse_time:""1""; product:""VPN-1 & FireWall-1""; proto:""6""; protocol:""HTTPS""; s_port:""51507""; security_inzone:""InternalZone""; servic"
"78","2022-07-16 22:55:47.549420","192.0.202.23","192.0.23.12","Syslog","1514","e:""10051""; service_id:""https_10051""; sig_id:""4""; src:""192.168.1.22""; src_machine_name:""[email protected]""; tls_server_host_name:""192.0.65.26""; xlatedport:""0""; xlatedst:""0.0.0.0""; xlatesport:""40443""; xlatesrc:""192.0.23.231""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0xe53f1e75,0xdcc6bdd9,0xe7d82900,0x6990ae97}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""7""; time:""1657987709""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""7363""; client_inbound_bytes:""3784""; client_inbound_interface:""eth0.11""; client_inbound_packets:""15""; client_outbound_bytes:""3579""; client_outbound_packets:""24""; context_num:""1""; elapsed:""0""; hll_key:""10897370474215141923""; packets:""39""; product:""Log Update""; segment_time:""1657987701""; server_inbound_bytes:""3579""; server_inbound_packets:""12""; server_outbound_bytes:""3784""; server_outbound_interface:""eth0.10""; server_outbound_packets:""30""; start_time:""1657987701""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x893d075d,0x3ee0e53,0xabffb48b,0x83ba71eb}""; "
"79","2022-07-16 22:55:47.549428","192.0.202.23","192.0.23.12","Syslog","1514","origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""8""; time:""1657987709""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""7585""; client_inbound_bytes:""4041""; client_inbound_interface:""eth0.11""; client_inbound_packets:""11""; client_outbound_bytes:""3544""; client_outbound_packets:""18""; context_num:""1""; elapsed:""0""; hll_key:""1299923317318269360""; packets:""29""; product:""Log Update""; segment_time:""1657987701""; server_inbound_bytes:""3544""; server_inbound_packets:""9""; server_outbound_bytes:""4041""; server_outbound_interface:""eth0.10""; server_outbound_packets:""22""; start_time:""1657987701""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x2c7f168,0x90d91034,0x566ba2b1,0x1439f63f}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""9""; time:""1657987709""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""6102""; client_inbound_bytes:""2615""; client_inbound_interface:""eth0.11""; client_inbound_pack"
"80","2022-07-16 22:55:47.549433","192.0.202.23","192.0.23.12","Syslog","1514","ets:""10""; client_outbound_bytes:""3487""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""9157854194567129168""; packets:""30""; product:""Log Update""; segment_time:""1657987701""; server_inbound_bytes:""3487""; server_inbound_packets:""10""; server_outbound_bytes:""2615""; server_outbound_interface:""eth0.10""; server_outbound_packets:""20""; start_time:""1657987701""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x12256cd8,0xbce0a71,0x9d31c47b,0xf127a39a}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""10""; time:""1657987709""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""7129""; client_inbound_bytes:""3630""; client_inbound_interface:""eth0.11""; client_inbound_packets:""11""; client_outbound_bytes:""3499""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""10138151408853934555""; packets:""31""; product:""Log Update""; segment_time:""1657987701""; server_inbound_bytes:""3499""; server_inbound_packets:""10""; server_outbound_bytes:""3630""; server_outbound_packets:""22""; start_time:""1657987701""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Drop""; flags:""400644""; ifdir:""in"
"81","2022-07-16 22:55:47.549439","192.0.202.23","192.0.23.12","Syslog","1514","bound""; ifname:""eth0.10""; logid:""0""; loguid:""{0x62d325d3,0x18,0x2ca7f64,0x381df033}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""12""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; dst:""192.0.23.94""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; inzone:""External""; layer_name:""Network""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; match_id:""32""; parent_rule:""0""; rule_action:""Drop""; rule_name:""9.24_._._Cleanup rule""; rule_uid:""4f90c13c-3842-49fd-a8d7-0a32066f2d40""; outzone:""External""; product:""VPN-1 & FireWall-1""; proto:""6""; s_port:""42797""; security_inzone:""ExternalZone""; service:""30016""; service_id:""cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477""; src:""103.232.53.136""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Drop""; flags:""400644""; ifdir:""inbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0x62d325d3,0x19,0x2ca7f64,0x381df033}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""13""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; dst:""192.0.23.231""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali"";
"82","2022-07-16 22:55:47.549468","192.0.202.23","192.0.23.12","Syslog","1514"," inzone:""External""; layer_name:""Network""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; match_id:""32""; parent_rule:""0""; rule_action:""Drop""; rule_name:""9.24_._._Cleanup rule""; rule_uid:""4f90c13c-3842-49fd-a8d7-0a32066f2d40""; outzone:""External""; product:""VPN-1 & FireWall-1""; proto:""6""; s_port:""53528""; security_inzone:""ExternalZone""; service:""23""; service_id:""telnet""; src:""211.22.163.107""]\\n<134>1 2022-07-16T16:08:29Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Incoming""; flags:""8800518""; ifdir:""inbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0xec53cc1e,0x9011dad1,0xc8b1718b,0xd0e81c0d}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""14""; time:""1657987709""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; dst:""192.0.23.229""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; log_delay:""1657987709""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""23""; match_id:""16777217""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.15_._._GummyBear""; rule_name:""1_._._Allow - Inbound""; rule_uid:""afc6479f-f4b1-42a9-9aa3-bd9af46e2eb3""; rule_uid:""04102b39-d08c-4310-aae7-34b1a42cf230""; pr"
"83","2022-07-16 22:55:47.549476","192.0.202.23","192.0.23.12","Syslog","1514","ce:""eth0.11""; client_inbound_packets:""13""; client_outbound_bytes:""3579""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""16156278696859173593""; packets:""33""; product:""Log Update""; segment_time:""1657986857""; server_inbound_bytes:""3579""; server_inbound_packets:""10""; server_outbound_bytes:""2645""; server_outbound_interface:""eth0.10""; server_outbound_packets:""26""; start_time:""1657986857""]\\n<134>1 2022-07-16T15:54:25Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x3c454934,0xeef06f2e,0xfbe92f54,0x1849e0d6}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""11""; time:""1657986865""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""6225""; client_inbound_bytes:""2646""; client_inbound_interface:""eth0.11""; client_inbound_packets:""13""; client_outbound_bytes:""3579""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""14443898081849469940""; packets:""33""; product:""Log Update""; segment_time:""1657986857""; server_inbound_bytes:""3579""; server_inbound_packets:""10""; server_outbound_bytes:""2646""; server_outbound_interface:""eth0.10""; server_outbound_packets:""26""; start_time:""1657986857""]\\n<134>1 2022-07-16T15:54"
"84","2022-07-16 22:55:47.549481","192.0.202.23","192.0.23.12","Syslog","1514",":25Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Incoming""; flags:""8800518""; ifdir:""inbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0x87832b3,0x3075d804,0x37ec69d9,0xfbe53004}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""12""; time:""1657986865""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; dst:""192.0.23.229""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; log_delay:""1657986865""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""23""; match_id:""16777217""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.15_._._GummyBear""; rule_name:""1_._._Allow - Inbound""; rule_uid:""afc6479f-f4b1-42a9-9aa3-bd9af46e2eb3""; rule_uid:""04102b39-d08c-4310-aae7-34b1a42cf230""; product:""VPN-1 & FireWall-1""; proto:""6""; s_port:""12091""; service:""443""; service_id:""https""; src:""192.0.73.82""; src_uo_icon:""@app/cp_geo_ml""; src_uo_name:""Mali""]\\n<134>1 2022-07-16T15:54:25Z fw_logserver CheckPoint 28723 - [action:""Accept""; flags:""278528""; ifdir:""inbound""; ifname:""eth0.10""; logid:""1""; loguid:""{0x87832b3,0x3075d804,0x37ec69d9,0xfbe53004}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Serve"
"85","2022-07-16 22:55:47.549488","192.0.202.23","192.0.23.12","Syslog","1514","47;policy_name=Standard\\]""; nat_addtnl_rulenum:""0""; nat_rule_uid:""f7c2fe52-aa5f-4c64-9b87-1e000f54b35f""; nat_rulenum:""38""; product:""VPN-1 & FireWall-1""; xlatedport:""0""; xlatedst:""192.168.1.17""; xlatesport:""0""; xlatesrc:""0.0.0.0""]\\n<134>1 2022-07-16T15:57:34Z fw_logserver CheckPoint 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x33b6ac82,0xc036d1cd,0x5319562f,0xc34fc3eb}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""17""; time:""1657987054""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""7138""; client_inbound_bytes:""3639""; client_inbound_interface:""eth0.11""; client_inbound_packets:""11""; client_outbound_bytes:""3499""; client_outbound_packets:""20""; context_num:""1""; elapsed:""0""; hll_key:""15302640979307155820""; packets:""31""; product:""Log Update""; segment_time:""1657987046""; server_inbound_bytes:""3499""; server_inbound_packets:""10""; server_outbound_bytes:""3639""; server_outbound_interface:""eth0.10""; server_outbound_packets:""22""; start_time:""1657987046""]\\n<134>1 2022-07-16T15:57:34Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Outgoing""; contextnum:""1""; flags:""8311808""; ifdir:""outbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0xe6fdfe,0xe6"
"86","2022-07-16 22:55:47.549493","192.0.202.23","192.0.23.12","Syslog","1514","a878b1,0x41750d59,0x11bc2f16}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""18""; time:""1657987054""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; certificate_validity:""Untrusted""; context_num:""1""; dst:""192.0.65.26""; dst_machine_name:""[email protected]""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; hll_key:""3249155648390916270""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""40""; match_id:""16777239""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.32_._._Do not require authentication""; rule_name:""9.15_._._Unauthenticated - NMS""; rule_uid:""7de163cb-dc42-4fb8-9559-9c4988c53d18""; rule_uid:""5cf233d5-57f3-4745-ae4c-61e1af2bbd4b""; nat_addtnl_rulenum:""0""; nat_rule_uid:""21a6aa92-1a4c-4806-86bd-d2eefb17b763""; nat_rulenum:""52""; needs_browse_time:""1""; product:""VPN-1 & FireWall-1""; proto:""6""; protocol:""HTTPS""; s_port:""43208""; security_inzone:""InternalZone""; service:""10051""; service_id:""https_10051""; sig_id:""4""; src:""192.168.20.9""; tls_server_host_name:""192.0.65.26""; xlatedport:""0""; xlatedst:""0.0.0.0""; xlatesport:""0""; xlatesrc:""192.0.23.225""]\\n<134>1 2022-07-16T15:57:34Z fw_logserver CheckPoin"
"87","2022-07-16 22:55:47.549500","192.0.202.23","192.0.23.12","Syslog","1514","t 28723 - [action:""Accept""; contextnum:""1""; flags:""802832""; ifdir:""inbound""; ifname:""eth0.11""; logid:""6""; loguid:""{0x1f4f1ab2,0x4cf8e8f4,0x1c32d7d3,0x5df3c507}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""19""; time:""1657987054""; version:""5""; __nsons:""0""; __p_dport:""0""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; __pos:""7""; bytes:""7880""; client_inbound_bytes:""4336""; client_inbound_interface:""eth0.11""; client_inbound_packets:""11""; client_outbound_bytes:""3544""; client_outbound_packets:""18""; context_num:""1""; elapsed:""0""; hll_key:""1299923317318269360""; packets:""29""; product:""Log Update""; segment_time:""1657987046""; server_inbound_bytes:""3544""; server_inbound_packets:""9""; server_outbound_bytes:""4336""; server_outbound_interface:""eth0.10""; server_outbound_packets:""22""; start_time:""1657987046""]\\n<134>1 2022-07-16T15:57:34Z fw_logserver CheckPoint 28723 - [action:""Accept""; conn_direction:""Incoming""; flags:""8800518""; ifdir:""inbound""; ifname:""eth0.10""; logid:""0""; loguid:""{0xe81d1be5,0xf3321ba6,0x762e5f2a,0xdff4b328}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""20""; time:""1657987054""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;d"
"88","2022-07-16 22:55:47.549507","192.0.202.23","192.0.23.12","Syslog","1514","ate=1657919347;policy_name=Standard\\]""; dst:""192.0.23.229""; dst_uo_icon:""@app/cp_geo_ml""; dst_uo_name:""Mali""; log_delay:""1657987054""; layer_name:""Network""; layer_name:""Application""; layer_uuid:""eb785a20-4294-48fe-9226-165660243e7f""; layer_uuid:""3984cc0a-aa85-49aa-8b71-ac8736a162fb""; match_id:""23""; match_id:""16777217""; parent_rule:""0""; parent_rule:""0""; rule_action:""Accept""; rule_action:""Accept""; rule_name:""9.15_._._GummyBear""; rule_name:""1_._._Allow - Inbound""; rule_uid:""afc6479f-f4b1-42a9-9aa3-bd9af46e2eb3""; rule_uid:""04102b39-d08c-4310-aae7-34b1a42cf230""; product:""VPN-1 & FireWall-1""; proto:""6""; s_port:""10016""; service:""443""; service_id:""https""; src:""192.0.70.234""; src_uo_icon:""@app/cp_geo_ml""; src_uo_name:""Mali""]\\n<134>1 2022-07-16T15:57:34Z fw_logserver CheckPoint 28723 - [action:""Accept""; flags:""278528""; ifdir:""inbound""; ifname:""eth0.10""; logid:""1""; loguid:""{0xe81d1be5,0xf3321ba6,0x762e5f2a,0xdff4b328}""; origin:""192.0.23.90""; originsicname:""CN=fwcp1,O=Client_Server_1.company.com.gbu7jf""; sequencenum:""21""; time:""1657987054""; version:""5""; __policy_id_tag:""product=VPN-1 & FireWall-1[db_tag={2A2DF8C0-A338-E34D-A155-13DC2B829A78};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]""; nat_addtnl_rulenum:""0""; nat_rule_uid:""f7c2fe52-aa5f-4c64-9b87-1e000f54b35f""; nat_rulenum:""38""; product:""VPN-1 & FireWall-1""; xlatedport:""0""; xlatedst:""192.168.1.17""; xlatesport:""0""; xlatesrc:""0.0.0.0""]\\n<134>1 2022-07-1"

Hope the above is relevant, please let me know if I can assist with anything.

@efd6
Contributor

efd6 commented Jul 22, 2022

Thank you, that is perfect.

@efd6
Contributor

efd6 commented Jul 22, 2022

It looks like there were some issues with how that document was being processed due to data being present twice in the new format and the pipeline failing when trying to set an already set field. This happens before the timestamp is set, so that never happens. Being more careful with the duplicated data allows the pipeline to complete and set the timestamp.

Now that line would give you something like this (details altered for testing purposes).

@taylor-swanson
Contributor

Looking at the pipeline, the original @timestamp set by filebeat will be renamed to event.created. Later on, there are two date processors that will set @timestamp going forward, but only one will actually run (they have mutually exclusive if statements).

The first one sets it based on the timestamp from the syslog header, but only if there isn't a time field in the structured data of the log message.

  - date:
      field: "syslog5424_ts"
      formats: ["ISO8601", "UNIX"]
      if: "ctx.checkpoint?.time == null"

The second one sets it based on the time field in the structured data of the log message, if it exists:

  - date:
      field: "checkpoint.time"
      formats: ["ISO8601", "UNIX"]
      if: "ctx.checkpoint?.time != null"

As an aside, the date processor will set the @timestamp if no target_field parameter is given.

I attempted to take the syslog message above and run it through the pipeline simulate API, but I got interesting results... Now this may be because I removed the escapes from the message incorrectly, but I did get a different error (it complained about a duplicate field for the ingress interface, which doesn't make any sense). I did reproduce the issue, though. The resulting document lacked a @timestamp field; however, I had an error.message in the document. This meant the pipeline stopped due to an error before it got to the correct date processor. I don't think this is the problem you're facing, though, since the document you provided doesn't have an error.message associated with it.

@efd6, any thoughts here?

I'll continue investigating and testing in the meantime.

@andrewkroh
Member

Looking at the pipeline, the original @timestamp set by filebeat will be renamed to event.created. Later on, there are two date processors that will set @timestamp

This sounds like a risky order of operations given data streams require timestamps. Perhaps use a temporary target_field for the date processing and only replace the timestamp after the parsing is a success.

@efd6
Contributor

efd6 commented Jul 23, 2022

The resulting document lacked a @timestamp field, however, I had an error.message in the document. This meant the pipeline stopped due to an error before it got to the correct date processor. I don't think this is the problem you're facing, though, since the document you provided doesn't have an error.message associated with it.

I believe this is exactly the explanation (and what I have here). It fails to complete the pipeline and so does not have a timestamp and thus fails ingest. Without the fix at #32458 this fails to be indexed (as expected); however, if the date processor is moved above the attempted duplication, without the fix we get this:

{
  "@timestamp": "2022-07-16T18:51:20.000Z",
  "_temp_": {
    "external_zones": [
      "untrust"
    ],
    "internal_zones": [
      "trust"
    ]
  },
  "agent": {
    "ephemeral_id": "af73fb8c-108e-41b6-bdd3-53171691af6e",
    "id": "38f5158d-be38-4331-afc9-bf853b59f5de",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.3.2"
  },
  "checkpoint": {
    "__nsons": "0",
    "__p_dport": "0",
    "__pos": "7",
    "client_inbound_bytes": "7475",
    "client_inbound_packets": "15",
    "client_outbound_bytes": "6345",
    "client_outbound_packets": "22",
    "context_num": "1",
    "contextnum": "1",
    "elapsed": "0",
    "hll_key": "12347634786232348735",
    "ifname": "eth0.11",
    "logid": "6",
    "origin": "81.2.69.144",
    "product": "Log Update",
    "segment_time": "1657997472",
    "sequencenum": "8",
    "server_inbound_bytes": "6345",
    "server_inbound_packets": "11",
    "server_outbound_bytes": "7475",
    "server_outbound_interface": "eth0.10",
    "server_outbound_packets": "30",
    "time": "1657997480"
  },
  "data_stream": {
    "dataset": "checkpoint.firewall",
    "namespace": "ep",
    "type": "logs"
  },
  "destination": {
    "bytes": 7475,
    "packets": 30
  },
  "ecs": {
    "version": "8.3.0"
  },
  "elastic_agent": {
    "id": "38f5158d-be38-4331-afc9-bf853b59f5de",
    "snapshot": false,
    "version": "8.3.2"
  },
  "error": {
    "message": "field [observer.ingress.interface.name] already exists"
  },
  "event": {
    "action": "Accept",
    "agent_id_status": "verified",
    "category": [
      "network"
    ],
    "created": "2022-07-23T01:19:07.902Z",
    "dataset": "checkpoint.firewall",
    "id": "{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}",
    "ingested": "2022-07-23T01:19:08Z",
    "kind": "event",
    "original": "\u003c134\u003e1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:\"Accept\"; contextnum:\"1\"; flags:\"802832\"; ifdir:\"inbound\"; ifname:\"eth0.11\"; logid:\"6\"; loguid:\"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}\"; origin:\"81.2.69.144\"; originsicname:\"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf\"; sequencenum:\"8\"; time:\"1657997480\"; version:\"5\"; __nsons:\"0\"; __p_dport:\"0\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]\"; __pos:\"7\"; bytes:\"11930\"; client_inbound_bytes:\"7475\"; client_inbound_interface:\"eth0.11\"; client_inbound_packets:\"15\"; client_outbound_bytes:\"6345\"; client_outbound_packets:\"22\"; context_num:\"1\"; elapsed:\"0\"; hll_key:\"12347634786232348735\"; packets:\"37\"; product:\"Log Update\"; segment_time:\"1657997472\"; server_inbound_bytes:\"6345\"; server_inbound_packets:\"11\"; server_outbound_bytes:\"7475\"; server_outbound_interface:\"eth0.10\"; server_outbound_packets:\"30\"; start_time:\"1657997472\"]",
    "sequence": 8,
    "start": "1657997472",
    "timezone": "+00:00"
  },
  "input": {
    "type": "log"
  },
  "log": {
    "file": {
      "path": "/tmp/service_logs/test-checkpoint.log"
    },
    "offset": 345
  },
  "network": {
    "bytes": "11930",
    "direction": "inbound",
    "packets": "37"
  },
  "observer": {
    "ingress": {
      "interface": {
        "name": "eth0.11"
      }
    },
    "product": "Log Update",
    "type": "firewall",
    "vendor": "Checkpoint"
  },
  "source": {
    "bytes": 6345,
    "packets": 22
  },
  "syslog5424_ts": "2022-07-16T18:51:20Z",
  "tags": [
    "forwarded"
  ]
}

This sounds like a risky order of operations given data streams require timestamps. Perhaps use a temporary target_field for the date processing and only replace the timestamp after the parsing is a success.

I agree, but I don't think there is any completely (atomically) correct approach; we need to have parsed the message to get the real @timestamp, but we need a fallback @timestamp if it fails. This means we always need to delete the @timestamp when we finally set the real value if it was available. If we accept this, then setting the event.created from the syslog time without a rename, and then deleting the @timestamp prior to setting it from the pipeline-parsed data if it becomes available, would work.
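The two orderings discussed in this thread (taylor-swanson's description of the existing pipeline and andrewkroh's temporary-target suggestion) can be checked side by side with a small model of the ingest processors involved. This is an added example, not code from the beats repository or the Check Point module: it re-implements only the rename, date and remove processor semantics that matter here (flat dotted field names, no on_failure handling), and the second rename in MAPPING is a constructed stand-in for the duplicated data, since the thread does not say which two Check Point fields collide. Input values are copied from the document efd6 posted above.

```python
"""Toy model of the ingest-processor ordering problem in this issue (added example)."""
from datetime import datetime, timezone


class ProcessorError(Exception):
    """A processor failure; the pipeline records it in error.message and stops."""


def _parse_date(value):
    # The module's date processors accept "UNIX" seconds or ISO8601; output uses
    # the millisecond ISO form Elasticsearch writes (e.g. 2022-07-16T18:51:20.000Z).
    if value.isdigit():
        dt = datetime.fromtimestamp(int(value), tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _rename(doc, o):
    # Like the ingest rename processor: fails if the target already exists.
    if o["field"] not in doc:
        if o.get("ignore_missing"):
            return
        raise ProcessorError(f"field [{o['field']}] doesn't exist")
    if o["target_field"] in doc:
        raise ProcessorError(f"field [{o['target_field']}] already exists")
    doc[o["target_field"]] = doc.pop(o["field"])


def _date(doc, o):
    # Like the date processor: target_field defaults to @timestamp.
    doc[o.get("target_field", "@timestamp")] = _parse_date(doc[o["field"]])


def _remove(doc, o):
    doc.pop(o["field"], None)


PROCESSORS = {"rename": _rename, "date": _date, "remove": _remove}


def run_pipeline(doc, processors):
    """Apply processors in order; the first error is stored in error.message and
    processing stops, as an ingest pipeline without on_failure behaves."""
    doc = dict(doc)
    for proc in processors:
        (kind, opts), = proc.items()
        cond = opts.get("if")
        if cond is not None and not cond(doc):
            continue
        try:
            PROCESSORS[kind](doc, opts)
        except ProcessorError as err:
            doc["error.message"] = str(err)
            break
    return doc


def has_cp_time(d):   # models "ctx.checkpoint?.time != null"
    return "checkpoint.time" in d


def no_cp_time(d):    # models "ctx.checkpoint?.time == null"
    return "checkpoint.time" not in d


# Field-mapping steps. The second rename is a constructed stand-in for the duplicated
# data in the new log format; it fails whenever both source fields are present.
MAPPING = [
    {"rename": {"field": "checkpoint.ifname",
                "target_field": "observer.ingress.interface.name", "ignore_missing": True}},
    {"rename": {"field": "checkpoint.client_inbound_interface",
                "target_field": "observer.ingress.interface.name", "ignore_missing": True}},
]

# Existing order: @timestamp is renamed away first and only re-created afterwards.
ORIGINAL_ORDER = [
    {"rename": {"field": "@timestamp", "target_field": "event.created"}},
    *MAPPING,
    {"date": {"field": "syslog5424_ts", "if": no_cp_time}},
    {"date": {"field": "checkpoint.time", "if": has_cp_time}},
]

# Suggested order: parse into a temporary field and swap @timestamp in only at the end,
# so a failure in between leaves the Filebeat-assigned @timestamp in place.
SAFE_ORDER = [
    {"date": {"field": "syslog5424_ts", "target_field": "_temp_.ts", "if": no_cp_time}},
    {"date": {"field": "checkpoint.time", "target_field": "_temp_.ts", "if": has_cp_time}},
    *MAPPING,
    {"rename": {"field": "@timestamp", "target_field": "event.created"}},
    {"rename": {"field": "_temp_.ts", "target_field": "@timestamp"}},
]

# Constructed input as Filebeat would hand it to the pipeline (values from the thread).
BASE_DOC = {
    "@timestamp": "2022-07-23T01:19:07.902Z",   # assigned by Filebeat on receipt
    "syslog5424_ts": "2022-07-16T18:51:20Z",
    "checkpoint.time": "1657997480",
    "checkpoint.ifname": "eth0.11",
}
DUPLICATED_DOC = {**BASE_DOC, "checkpoint.client_inbound_interface": "eth0.11"}


def demo():
    """Run both orders over the clean and the duplicated document."""
    return {
        "original_ok": run_pipeline(BASE_DOC, ORIGINAL_ORDER),
        "original_dup": run_pipeline(DUPLICATED_DOC, ORIGINAL_ORDER),
        "safe_ok": run_pipeline(BASE_DOC, SAFE_ORDER),
        "safe_dup": run_pipeline(DUPLICATED_DOC, SAFE_ORDER),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, "@timestamp:", out.get("@timestamp"), "error:", out.get("error.message"))
```

With the duplicated document the original order ends with error.message set and no @timestamp at all, which is exactly what makes the data stream reject it; the safe order ends with the same error.message but still carries the Filebeat-assigned @timestamp, so the document is indexable and the failure is visible in error.message. In a real pipeline the leftover _temp_.ts would be cleaned up by an on_failure handler, which this model omits.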

@bbs2web
Author

bbs2web commented Jul 24, 2022

Many thanks!

I navigated to Stack Management -> Ingest Pipelines, then first duplicated logs-checkpoint.firewall-1.6.0 as a backup and made the changes as per the patch submission. Working perfectly, thank you!


PS: For others that may stumble here, tell CheckPoint to ingest historic data by adjusting the exporter customisation file:

cd $EXPORTERDIR/targets/Export_Elastic;
./log_exporter -days_to_index 14;
# As per sk111766, indexed logs are usually only retained for 14 days before storage maintenance tasks could start removing them:
#  Warning: Verify that "Object -> Logs -> Storage -> Keep indexed logs for" attribute is disabled or that the value is greater or equals to: [14]
#           Otherwise all indexes will be deleted during storage maintenance

# On R81.10 MDS with JHA take 66 I had to additionally:
# vi $EXPORTERDIR/targets/Export_Elastic/targetConfiguration.xml;
#   <log_files>14</log_files>
# cp_log_export restart name Export_Elastic;

cp_log_export restart;

6 participants