Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

CPLogToSyslog Utility Now GA

Check Point has recently made available publicly a tool that allows you to export Check Point logs from the management to a syslog server.

Refer to the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog 

42 Replies
Tom_Cripps
Advisor

I've just done a little capture on Wireshark on my Log Server and it looks to be recieving on port 514 which is a UDP port for Syslog and there is also more fields listing UDP and not TCP? Have a look see what you think?

0 Kudos
Vladimir
Champion
Champion

I think you are missing :lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}" section in your config. Check my pdf page 6 for references.

0 Kudos
Tom_Cripps
Advisor

We removed it as it would make duplicate records and would affect our monitor software and make false results? How necessary is it?

0 Kudos
Vladimir
Champion
Champion

As far as I understand it, the audit_input_session, unlike log_input_session is responsible for forwarding administrative action log to the syslog. In other words, things that you used to see in the "Management" tab of the SmartView Tracker.

In the absence of the definition in the  $FWDIR/state/SEAM/local.cplogtosyslog_policy.C these parameters may be filled with default values defined elsewhere which, in turn, may cause unexpected behavior.

0 Kudos
Tom_Cripps
Advisor

What i will say is we only see the log_input_session traffic at our server, so i don't think that could be an issue but it's food for thought. I think the bottom line is the fact that we're running on TCP and not UDP, and with TCP with being stateful, it'll see an error and just stop sending traffic won't it.

0 Kudos
Tom_Cripps
Advisor

We still have issues with the original file we get given from Checkpoint so that's why i think it's not an issue to do with a field. 

0 Kudos
Kosin_Usuwanthi
Collaborator

Hi

I found problem cplogtosyslog stop send logging after upgrade hotfix to take56.

I try stop/start cplogtosyslog it can send logging about 1-2 minutes then stop again.

please help to advice.

0 Kudos
KennyManrique
Advisor

Hello Kosin,

Maybe your problem is because the last Jumbo Version approved for CPLogToSyslog is HFA42

Regards.

0 Kudos
Kosin_Usuwanthi
Collaborator

I tried rollback hotfix to #T42 and install lastest version for CPLogToSyslog but still not working.

Already open case to TAC but waiting to investigate with R&D team.

 

0 Kudos
DR_74
Contributor

Hello,

Is there a way to modify the log content, with less fileds than we have now?

For example, I get this in my syslog server

01-31-2018    23:50:52    Lpr.Notice    10.88.9.1     Wed Jan 31 23:51:23  GW1 LOG GW1:  ContentVersion: 5; Uuid: {0x5a72486a,0x0,0x109580a,0xc0000001}; SequenceNum: 4; Flags: 16384; Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; Alert: ; LogId: 0; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; log_type: connection; is_first_for_luuid: 131072; hll_key: 9176802383052573599; inzone: Internal; outzone: External; service_id: domain-udp; src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; NAT_rulenum: 4; NAT_addtnl_rulenum: 1; protocol: DNS-UDP; sig_id: 4; context_num: 1; match_id: 7; match_table.match_id: 7(+)16777218; layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145; match_table.layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145(+)fa8c5735-756d-4a7c-b16a-7a3b42fcf1ad; layer_name: Network; match_table.layer_name: Network(+)URL FILTER; rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627; match_table.rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627(+)22d4d6e4-f19d-461b-92c8-1cec78604ea0; rule_name: ; match_table.rule_name: (+)Cleanup rule; rule_action: 2; match_table.rule_action: 2(+)2; parent_rule: 0; match_table.parent_rule: 0(+)0; aba_customer: SMC User; date: 31Jan2018; hour: 23:51:22; type: connection; Interface: < eth1; ProductName: VPN-1 & FireWall-1; svc: 53; sport_svc: 56208; xlatedport_svc: ; xlatesport_svc: 36370;

Is it possible to get that?

01-31-2018    23:50:52    Lpr.Notice    10.88.9.1     Wed Jan 31 23:51:23  GW1 LOG GW1:  Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1;  src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; protocol: DNS-UDP;

Thank you

0 Kudos
PhoneBoy
Admin
Admin

I'm not aware of a way to modify the syslog output (but maybe I'm wrong). 

I believe this is planned for the LogOut project in any case.

0 Kudos
Tom_Cripps
Advisor

Hi Romain,

If you get tricky with the filtering you can reduce the results slightly. But not to that extent you wish for.

0 Kudos
Martin_Schagerl
Participant

hi @ll,

does this add some more significant load to the machines or is it safe to install?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events