https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232976#M38929 <P>Yes, in our case the gateway has correctly connected to the IC.</P><P>The status shows that the last event sent at 12:11. Can you tell me where on the gateway I can view this event? Or where should the events on the gateway be displayed?</P><P>I apologize. Perhaps I could find the answers to these questions in the documentation. But I can't do that yet.</P> Mon, 18 Nov 2024 09:22:04 GMT Polina_1 2024-11-18T09:22:04Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232929#M38913 <P>Hello.</P><P>We need to configure Identity Collector to receive information via syslog. We have configured Syslog Parser correctly, we checked in the Test messages field, everything works correctly.<BR />Then we did everything as described in AdminGuide. But for some reason no events are received.</P><P>&nbsp;</P><P>Can you please tell me where we could have made a mistake in the configuration? How can we see if the messages reach the Identity Collector? Maybe it is a cosmetic error in the status.<BR />I would be glad to have any information on this topic, as AdminGuide doesn't really cover this in detail.</P><P>&nbsp;</P> Sat, 16 Nov 2024 08:46:06 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232929#M38913 Polina_1 2024-11-16T08:46:06Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232930#M38914 <P>I remember few months ago, in the summer, I was helping a customer who had this issue and TAC discovered it had something to do with the certificate on the server where IC was installed. Btw, also, can you verify all gateways show as connected?</P> <P>Andy</P> Sat, 16 Nov 2024 12:35:50 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232930#M38914 the_rock 2024-11-16T12:35:50Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232936#M38916 <P>Yes, the gateway is correctly connected to the IC.</P><P>Could you please elaborate more on what the problem was with the certificate?</P><P>Actually I don't even know what to look at to identify the problem.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 17 Nov 2024 08:57:05 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232936#M38916 Polina_1 2024-11-17T08:57:05Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232945#M38917 <P>I would have to check my notes, but if you are allowed to, we can do remote and happy to try assist.</P> <P>Let me know.</P> <P>Andy</P> Sun, 17 Nov 2024 15:02:46 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232945#M38917 the_rock 2024-11-17T15:02:46Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232949#M38918 <P>Just checked the notes I have and their issue was related to gateway not connecting in IC, which yours is, so not the same.</P> <P>Andy</P> Sun, 17 Nov 2024 17:10:24 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232949#M38918 the_rock 2024-11-17T17:10:24Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232976#M38929 <P>Yes, in our case the gateway has correctly connected to the IC.</P><P>The status shows that the last event sent at 12:11. Can you tell me where on the gateway I can view this event? Or where should the events on the gateway be displayed?</P><P>I apologize. Perhaps I could find the answers to these questions in the documentation. But I can't do that yet.</P> Mon, 18 Nov 2024 09:22:04 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232976#M38929 Polina_1 2024-11-18T09:22:04Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232980#M38931 <P>Dont apologize, we are here to help. Yes, thats where you see it. But, here is the question...do you have correct AD info configured under sources? I will take screenshot later and send.</P> <P>Andy</P> Mon, 18 Nov 2024 11:54:10 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232980#M38931 the_rock 2024-11-18T11:54:10Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232983#M38933 <P>We configured the sources as follows. I've attached a screenshot.</P><P>&nbsp;</P> Mon, 18 Nov 2024 12:18:51 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232983#M38933 Polina_1 2024-11-18T12:18:51Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232989#M38936 <P>That looks right to me. At this point, if you are not seeing any events, you may need to do traffic capture to see why.</P> <P>Andy</P> Mon, 18 Nov 2024 12:55:03 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232989#M38936 the_rock 2024-11-18T12:55:03Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232990#M38937 <P>We have done traffic capture on the server where IC is installed. The required events are received. I have also attached a screenshot.<BR />We also turned off the firewall on Windows. To exclude the problem in that. But all to no success.</P> Mon, 18 Nov 2024 13:05:30 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232990#M38937 Polina_1 2024-11-18T13:05:30Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232991#M38938 <P>I meant capture on the firewall. We need to see if fw is having problems communicating properly. Have you done zdebug to see if anything related to IC is getting dropped?</P> <P>Andy</P> Mon, 18 Nov 2024 13:08:26 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/232991#M38938 the_rock 2024-11-18T13:08:26Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234575#M39179 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/85881">@Polina_1</a>&nbsp;Did you manage the resolve the issue? It seems we're having exactly the same issue here.</P> Wed, 04 Dec 2024 10:55:45 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234575#M39179 kamilazat 2024-12-04T10:55:45Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234589#M39183 <P>Hi,</P><P>No, we didn't succeed in solving that problem.<BR />We used a Network Access Control (NAC) server as the source of the syslog messages.<BR />I believe that the IC server expects to receive the following events:</P><P>Authentication events - 4624, 4768, 4769, 4770<BR />Group update events - 4728, 4729, 4732, 4733, 4756, 4757<BR />Group deletion events - 4730, 4734, 4758</P><P>Source: <A href="https://support.checkpoint.com/results/sk/sk108235" target="_blank">https://support.checkpoint.com/results/sk/sk108235</A></P><P>Our NAC server did not generate any such events. Therefore, our testing ended with a negative result.</P><P>&nbsp;</P> Wed, 04 Dec 2024 12:31:25 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234589#M39183 Polina_1 2024-12-04T12:31:25Z https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234590#M39184 <P>I see. At this point I wonder if the events are limited to those or not. Admin Guide also mentions the exact same events.</P><P>&nbsp;</P> Wed, 04 Dec 2024 12:39:57 GMT https://community.checkpoint.com/t5/General-Topics/Identity-Collector-Syslog-messages/m-p/234590#M39184 kamilazat 2024-12-04T12:39:57Z