https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31766#M24880 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We want to receive syslog messages from the security gateway itself (not traffic related logs), for example, /var/log/messages from syslog. The issue is that, if you activate the syslog from the security gateway, the syslog messages are not in RFC compatible format, which screws the parsing on the server side.</P><P>I've been thinking about using the "send traffic to the Management Server" option and export (or view) the logs from there to the syslog server.</P><P>What is the best course of action to achieve logging to an external server? What is usually used on these situations?</P></BODY></HTML> Sat, 16 Jun 2018 17:26:27 GMT Tiago_Cerqueira 2018-06-16T17:26:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31766#M24880 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We want to receive syslog messages from the security gateway itself (not traffic related logs), for example, /var/log/messages from syslog. The issue is that, if you activate the syslog from the security gateway, the syslog messages are not in RFC compatible format, which screws the parsing on the server side.</P><P>I've been thinking about using the "send traffic to the Management Server" option and export (or view) the logs from there to the syslog server.</P><P>What is the best course of action to achieve logging to an external server? What is usually used on these situations?</P></BODY></HTML> Sat, 16 Jun 2018 17:26:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31766#M24880 Tiago_Cerqueira 2018-06-16T17:26:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31767#M24881 <HTML><HEAD></HEAD><BODY><P>The "Send Traffic to the Management Server" options puts those logs in the same place you see your traffic logs.</P><P>Those, of course, can be exported from there with Log Exporter just like the traffic logs.</P><P>However, I don't know that it changes the format of the log entries any.</P></BODY></HTML> Sun, 17 Jun 2018 02:40:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31767#M24881 PhoneBoy 2018-06-17T02:40:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31768#M24882 <HTML><HEAD></HEAD><BODY><P>Hi Tiago,</P><P></P><P>You can configure gateways to send logs directly to syslog servers. Checkpoint supports RFC 3164 and RFC 5424. Can you share a sample of syslog messages that could not parse on the syslog server.</P><P>"Sending traffic to management server" is a good option, after enabling this you will able to see firewall traffic related logs and system messages together. I would not export it to additional syslog server,&nbsp;you can see both logs in management server.</P></BODY></HTML> Sun, 17 Jun 2018 05:15:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31768#M24882 Huseyin_Rencber 2018-06-17T05:15:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31769#M24883 <HTML><HEAD></HEAD><BODY><P>Hi Huseyin,</P><P></P><P>The issue we're having is that the messages are missing the hostname, timestamp, and syslog protocol version. This has been previously described under&nbsp;<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk100727.</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">We were investigating if it was a viable option to export the logs to the management server and export them out to an external syslog and parse it there, since they are exported in CEF format and that would allow us to parse the events.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">We are on R80.10 (with some install base on R77.30, to be brought to R80.10 in the next few months).&nbsp;We are not looking to install the hotfix described in the SK, as it will require extra maintainability, as well as introducing potentially less stable code on the chassis.</SPAN></P></BODY></HTML> Mon, 18 Jun 2018 05:47:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/31769#M24883 Tiago_Cerqueira 2018-06-18T05:47:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/151609#M24884 <P>poignant sarcasm on {</P><P>Meanwhile there is a fixed version R81 from take 34 (36), where this is inkluded. Only 12 years after the RFC has been "modernized" and 7 years after this has been mentioned in sk<SPAN>100727</SPAN>.</P><P>} poignant sarkassm off&nbsp;<span class="lia-unicode-emoji" title=":neutral_face:">😐</span></P> Thu, 23 Jun 2022 14:15:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Syslog-messages-from-the-Security-Gateway/m-p/151609#M24884 CarstenWeber 2022-06-23T14:15:15Z