topic Re: Custom syslog port in Firewall and Security Management

Custom syslog port

Simon_Macpherso — Tue, 06 Jun 2023 03:15:37 GMT

Hello,

Can you please provide responses to the following syslog configuration related questions.

1. Is is possible to send syslog on a port other than the default UDP 514, possible by modifying configuration files /etc/syslog.conf or /etc/sysconfig/syslog? I have set up a remote syslog target which is listening on a different port.

2. Is it required to modify the fwsyslog_enable kernel parameter on each gateway to 1, to enable syslog. This is not specified in the r81.20 admin guide, however is it stated as a requirement in the r81.20 logging and monitoring admin guide.

Regards,

Simon

Re: Custom syslog port

PhoneBoy — Tue, 06 Jun 2023 04:09:59 GMT

The answer to both questions is here: https://support.checkpoint.com/results/sk/sk87560
Looks like you can use a different port and you shouldn't use fwsyslog_enable unless TAC suggests it.

Re: Custom syslog port

Simon_Macpherso — Tue, 06 Jun 2023 04:44:04 GMT

This is not what I'm after.

That SK outlines how to 'How to configure Security Gateway on Gaia OS to send FireWall logs to an external Syslog server'.

I'm already sending firewall logs from all gateways to remote log servers, and from there using log exporter to send in to Splunk.

I'm referring specifically to configuring syslog on individual gateways to send Gaia system messages and audit events only to a remote syslog server. And we want to send this to the remote server on a custom port.

It's interesting that SK also states at the bottom of the document that the fwsyslog_enable parameters is "is intended for optimization of logging performance in environments that require high log rates.Do not enable this kernel parameter unless explicitly instructed by Check Point Support.", as there is no mention of that in the Logging and Monitoring R80.20 Administration Guide, > Logging > Working with Syslog Servers section.

Re: Custom syslog port

Simon_Macpherso — Tue, 06 Jun 2023 06:24:52 GMT

Got an answer from TAC. There is no way to change the default so I've had to NAT the traffic.

Re: Custom syslog port

PhoneBoy — Tue, 06 Jun 2023 19:23:59 GMT

Ah yes, that's a beast of a different color.
You might be able to make the relevant change in /etc/rsyslog.conf and make the file immutable so the OS doesn't overwrite it.
However, that falls into "unsupported" category.