https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263767#M13480 <P>Yes, you can send logs directly to a SIEM, but it is done locally on the Spark appliance, not through Smart-1 Cloud.</P> <P>Just go to the WebUI and create an external log server and check the system logs and security logs boxes.</P> <P>The downside is that the logs sent by Spark are a pain to parse, while Smart-1 cloud will give you a beautiful JSON.</P> <P>The upside is that you can send the logs to a local forwarder with a queue/cache and not lose logs in case the internet is down.</P> Thu, 27 Nov 2025 14:08:40 GMT Pedro_Espindola 2025-11-27T14:08:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263168#M13447 <P>Hi experts,</P> <P>We are currently using multiple Quantum Spark appliances managed by Smart-1 Cloud.<BR />We are planning to introduce an on-prem SIEM(include syslog feature) in order to perform correlation analysis<BR />together with logs from our other network devices.</P> <P>However, when using the Smart-1 Cloud Log Exporter, log forwarding is subject to<BR />ingestion-based billing. To avoid additional costs, we would prefer to have the<BR />Gateway itself send logs directly to our on-prem SIEM server.</P> <P>I would like to ask for clarification on the following points:</P> <P>1. Under Smart-1 Cloud management, is it possible for a Gateway to send logs<BR />both to an external SIEM server and to Smart-1 Cloud at the same time?</P> <P>2. If direct log forwarding from the Gateway is supported, does it require any<BR />additional licenses?</P> <P>Our intention is to continue using Smart-1 Cloud for management, while forwarding logs<BR />independently from the Gateway directly to our SIEM.</P> <P>If anyone has experience with this setup or detailed knowledge of the official<BR />specifications, your guidance would be greatly appreciated.</P> <P>Thank you in advance.</P> Wed, 19 Nov 2025 01:47:54 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263168#M13447 TSOL 2025-11-19T01:47:54Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263195#M13449 <P>Typically configuring a syslog server entry in GAiA OS would yield only local OS logs, security logs come via the Management.</P> Wed, 19 Nov 2025 10:25:11 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263195#M13449 Chris_Atkinson 2025-11-19T10:25:11Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263196#M13450 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/63380">@TSOL</a>&nbsp;</P> <P>Maybe this is what are you looking for <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P><A href="https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/add-netflow-collector.htm" target="_blank">https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/add-netflow-collector.htm</A></P> <P>Akos</P> Wed, 19 Nov 2025 10:35:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263196#M13450 AkosBakos 2025-11-19T10:35:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263328#M13451 <P>For regular (non-SMB) gateways, there is:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk87560" target="_blank">https://support.checkpoint.com/results/sk/sk87560</A>&nbsp;<BR />Note this only gets firewall logs, not logs for other blades.<BR />Not sure you can set an external syslog server for security logs on a centrally managed SMB.</P> Thu, 20 Nov 2025 15:39:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263328#M13451 PhoneBoy 2025-11-20T15:39:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263329#M13452 <P>Not sure SIEMs can injest Netflow.<BR />Also, Netflow only communicates active connections.</P> Thu, 20 Nov 2025 15:41:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263329#M13452 PhoneBoy 2025-11-20T15:41:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263767#M13480 <P>Yes, you can send logs directly to a SIEM, but it is done locally on the Spark appliance, not through Smart-1 Cloud.</P> <P>Just go to the WebUI and create an external log server and check the system logs and security logs boxes.</P> <P>The downside is that the logs sent by Spark are a pain to parse, while Smart-1 cloud will give you a beautiful JSON.</P> <P>The upside is that you can send the logs to a local forwarder with a queue/cache and not lose logs in case the internet is down.</P> Thu, 27 Nov 2025 14:08:40 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263767#M13480 Pedro_Espindola 2025-11-27T14:08:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263768#M13481 <P>In Spark appliances, both system logs and security logs are available. They are Gaia Embedded, a whole different creature.</P> Thu, 27 Nov 2025 14:10:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Direct-log-forwarding-from-Quantum-Spark-to-on-prem-SIEM/m-p/263768#M13481 Pedro_Espindola 2025-11-27T14:10:08Z