https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16871#M1273 <HTML><HEAD></HEAD><BODY><P>Has syslog restarted since this configuration took place?</P><P>I believe syslogd should automatically restart anytime you change the configuration, but it's helpful to double-check.</P></BODY></HTML> Fri, 16 Nov 2018 19:28:59 GMT PhoneBoy 2018-11-16T19:28:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16870#M1272 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>As the title, I have set as&nbsp;sk92798</P><P>add syslog log-remote-address 172.22.112.119 level emerg <BR />set syslog filename /var/log/messages <BR />set syslog cplogs off <BR />set syslog mgmtauditlogs on <BR />set syslog auditlog permanent <BR />set syslog uncompressmessages off </P><P></P><P>[Expert@demoCP:0]# clock<BR />Fri Nov 16 13:00:42 2018 -0.152526 seconds<BR />[Expert@demoCP:0]# cat /etc/syslog.conf<BR /># This file was AUTOMATICALLY GENERATED<BR /># Generated by /bin/syslog_xlate on Fri Nov 16 12:00:40 2018<BR /># <BR /># DO NOT EDIT<BR /># <BR />auth.* /var/log/auth<BR />mail.* -/var/log/maillog<BR />cron.* -/var/log/cron<BR />*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages</P><P><BR />#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages<BR />#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages</P><P>#*.debug;local5.debug;local0.debug;authpriv.debug;cron.debug;mail.debug /var/log/messages</P><P>#*.info;local5.info;local0.info;authpriv.info;cron.info;mail.info /var/log/messages</P><P>#*.notice;local5.notice;local0.notice;authpriv.notice;cron.notice;mail.notice /var/log/messages<BR />*.emerg *<BR />*.emerg @172.22.112.119<BR />local7.* /var/log/boot.log<BR />authpriv.* /var/log/secure<BR />uucp.crit;news.crit /var/log/spooler<BR />[Expert@demoCP:0]# clock<BR />Fri Nov 16 13:01:06 2018 -0.164737 seconds</P><P></P><P>but I can see notice syslog send to syslog server. What is wrong with it ?&nbsp;</P></BODY></HTML> Fri, 16 Nov 2018 05:03:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16870#M1272 Herschel_Liang 2018-11-16T05:03:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16871#M1273 <HTML><HEAD></HEAD><BODY><P>Has syslog restarted since this configuration took place?</P><P>I believe syslogd should automatically restart anytime you change the configuration, but it's helpful to double-check.</P></BODY></HTML> Fri, 16 Nov 2018 19:28:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16871#M1273 PhoneBoy 2018-11-16T19:28:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16872#M1274 <HTML><HEAD></HEAD><BODY><P>Off course, service restart but it didn't seem useful. Meanwhile, I found if I annotating all code in&nbsp;<SPAN style="color: #000000; background-color: #ffffff;">/etc/syslog.conf. CP will send notice logs to Syslog server. I had config as <SPAN style="font-weight: normal; font-size: 14px;">sk87560 and&nbsp;<SPAN style="background-color: #ffffff;">sk92798.&nbsp;</SPAN></SPAN>So, any step can exclude traffic logs? The client just wants to save simple and indicate clear log.</SPAN></P></BODY></HTML> Sat, 17 Nov 2018 00:02:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16872#M1274 Herschel_Liang 2018-11-17T00:02:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16873#M1275 <HTML><HEAD></HEAD><BODY><P>"If I annotating all code in /etc/syslog.conf" what does this mean?</P><P>What do you mean "traffic logs"?&nbsp;</P><P>If you're talking about stuff that would normally appear in Logs/Reporting or SmartView, this stuff does not go to syslog unless you're running Log Exporter or similar and even then, it shouldn't go to the system syslog (unless you've configured it to).</P></BODY></HTML> Sat, 17 Nov 2018 00:14:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16873#M1275 PhoneBoy 2018-11-17T00:14:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16874#M1276 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; background-color: #ffffff;">"If I annotating all code in /etc/syslog.conf" what does this mean?</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff;"><SPAN>/etc/syslog.conf is syslog&nbsp;cofig file.&nbsp;</SPAN>I think it should do not override any logs to&nbsp;dedicate file. So, I think it should other CP software&nbsp;<SPAN style="color: #2e3033; background-color: #f9fbfc; font-weight: 200;">component</SPAN> send logs to Syslog&nbsp;server. I had check linux syslog config, config&nbsp;&nbsp;<SPAN>/etc/syslog.conf to control syslog. Pls confirm&nbsp;any errors to <SPAN style="color: #2e3033; background-color: #f9fbfc; font-weight: 200;">Implementation requirement&nbsp;</SPAN>used&nbsp;<SPAN style="background-color: #ffffff;">sk87560 and&nbsp;</SPAN><SPAN style="background-color: #ffffff; border: 0px; font-size: 14px;">sk92798. Or anything else mistakes.&nbsp;</SPAN></SPAN></SPAN></P><P><SPAN style="background-color: #ffffff; border: 0px; color: #000000; font-size: 14px;">What do you mean "traffic logs"?&nbsp;</SPAN></P><P><SPAN style="background-color: #ffffff; border: 0px; color: #000000; font-size: 14px;">Detail as the&nbsp;attachment.</SPAN></P><P><SPAN style="background-color: #ffffff; border: 0px; color: #000000; font-size: 14px;">The client config CP send logs to Splunk. You know Splunk pays as flow rate. So, he didn't want to too many low <SPAN style="background-color: #ffffff;">severity logs send to it.</SPAN></SPAN></P></BODY></HTML> Sat, 17 Nov 2018 00:41:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16874#M1276 Herschel_Liang 2018-11-17T00:41:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16875#M1277 <HTML><HEAD></HEAD><BODY><P>When you configure the gateway to send&nbsp;Firewall blade logs via syslog as&nbsp;described in sk87560, they are <EM><STRONG>not</STRONG></EM> sent via syslogd.</P><P>The configuration of /etc/syslogd.conf is therefore irrelevant in this case.</P><P>There is no mechanism to filter what logs are sent: it's either all Firewall blade logs or nothing.</P><P></P><P>FYI, the method described in sk87560 only sends Firewall blade logs and not logs from other Software Blades.</P><P>For other blades, you should use <A href="https://community.checkpoint.com/message/16349">Log Exporter guide</A>.&nbsp;</P><P>Log Exporter currently doesn't support filtering logs either&nbsp;(other than filtering out Firewall blade logs) but I believe we plan to add this&nbsp;to Log Exporter in the future.</P></BODY></HTML> Sat, 17 Nov 2018 01:25:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16875#M1277 PhoneBoy 2018-11-17T01:25:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16876#M1278 <HTML><HEAD></HEAD><BODY><P>Em.............So,&nbsp;could you pls describe&nbsp;when will suitable for&nbsp;<SPAN style="color: #000000; background-color: #ffffff;">sk92798? Does&nbsp;<SPAN>sk92798 only used in local disk?</SPAN></SPAN></P></BODY></HTML> Sat, 17 Nov 2018 01:38:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16876#M1278 Herschel_Liang 2018-11-17T01:38:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16877#M1279 <HTML><HEAD></HEAD><BODY><P>sk92798 is only relevant for events that originate from the Gaia OS itself, i.e. things that would normally appear in /var/log/messages.</P><P>Some/all of these events can be forwarded to an external syslog server, depending on how you implement sk92798.</P></BODY></HTML> Sat, 17 Nov 2018 01:54:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16877#M1279 PhoneBoy 2018-11-17T01:54:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16878#M1280 <HTML><HEAD></HEAD><BODY><P>All right. Understand. THX!</P></BODY></HTML> Sat, 17 Nov 2018 02:12:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-set-syslog-severity-grade-log-send-to-syslog-server/m-p/16878#M1280 Herschel_Liang 2018-11-17T02:12:30Z