https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99786#M78059 <P><STRONG>Yes </STRONG>to most questions &amp; please read the log-Exporter sk (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" target="_self" rel="noopener noreferrer">sk122323</A>), as Val suggested.</P> <P><BR />to answer your last question:<BR /><SPAN>"Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?"</SPAN></P> <P><SPAN>Not exactly, an HA/Backup like system for log-exporting (cp_log_export) is not currently available. You can simply send simultaneously to 2 different syslog servers = duplication.<BR />BUT assuming you have 2 different log-servers when one is a backup Log-Server for 1 GW (you can configure that), then you can configure both to export to same syslog server.<BR />and only once the backup LS starts actually logging (once Primary Log-Server is down for any reason), it'll actually export these logs.<BR />that is a sort-of backup active/passive log-exporter, but it depends on the base Log-Server receiving the logs.<BR /><BR />Hope that helped.</SPAN></P> Thu, 22 Oct 2020 07:04:06 GMT Dror_Aharony 2020-10-22T07:04:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99783#M78057 <P>Hello</P><P>I'm trying to onboard Check Point logs at the moment and could need some help.</P><P>The goal is to send all Logs to a Syslog server and then bring them into a log pipeline.</P><P>As I understand Check Point has two log sources: traffic and security logs are exported from the MDS log server with "cp_log_export" and the audit logs and device logs from the gateways are configured with the clish syslog commands. Is that correct?</P><P>Now I face these problems:</P><P>Is there a way to send gateway (GAIA) logs via TCP or even syslog over TLS?</P><P>Can you export the "cp_log_export" via syslog but still use the Splunk app?</P><P>Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?</P><P>Thanks a lot for the help.</P><P>Cheers</P> Thu, 22 Oct 2020 06:41:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99783#M78057 Logger 2020-10-22T06:41:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99785#M78058 <P>Please read&nbsp;<SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" target="_self">sk122323</A>, you should have all the answers there</SPAN></P> Thu, 22 Oct 2020 06:54:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99785#M78058 _Val_ 2020-10-22T06:54:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99786#M78059 <P><STRONG>Yes </STRONG>to most questions &amp; please read the log-Exporter sk (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" target="_self" rel="noopener noreferrer">sk122323</A>), as Val suggested.</P> <P><BR />to answer your last question:<BR /><SPAN>"Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?"</SPAN></P> <P><SPAN>Not exactly, an HA/Backup like system for log-exporting (cp_log_export) is not currently available. You can simply send simultaneously to 2 different syslog servers = duplication.<BR />BUT assuming you have 2 different log-servers when one is a backup Log-Server for 1 GW (you can configure that), then you can configure both to export to same syslog server.<BR />and only once the backup LS starts actually logging (once Primary Log-Server is down for any reason), it'll actually export these logs.<BR />that is a sort-of backup active/passive log-exporter, but it depends on the base Log-Server receiving the logs.<BR /><BR />Hope that helped.</SPAN></P> Thu, 22 Oct 2020 07:04:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-MDS-Gateway-Logs/m-p/99786#M78059 Dror_Aharony 2020-10-22T07:04:06Z