After installing the Symantec Event Collector 4.4 for Check Point LEA you notice that some fields contain *** Confidential ***. The early collector populated these fields with actual names.
This is working as designed by Checkpoint. If you have a newer version of Checkpoint such as R75, there is a new feature added for 'data leakage protection'. This feature masks actual names in the OpSec Lea log files. Our collector pulls events from these logs so the fields we receive are masked. If you look at the debug Checkpoint collector logs you will see the masked value in the events.