This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cwilliams
Employee Alumnus
Employee Alumnus
‎2020-02-05 05:29 AM
Jump to solution

CloudGuard IaaS logging to GCP Stackdriver

Hello,

Looking for some documentation regarding if and how CloudGuard IaaS devices can log to the GCP Stackdriver module in Google Cloud. Is there any related documentation around the topic?

Thanks.

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-02-07 12:08 PM
Jump to solution

If necessary, you can take the alternative way via syslog-ng premium edition.

Cloud Guard laaS Management LogExporter  -----(via syslog)----> syslog-ng Premium Edition --- (via HTTP REST API) ----> Google Stackdriver 

The stackdriver destination of syslog-ng PE can send log messages to the Google Stackdriver cloud. Google Stackdriver is a widely used metrics, event, and log aggregator and analyzer system. The stackdriver destination is available in syslog-ng PE version 7.0.14 and later.

The stackdriver destination uses the HTTP REST API to perform OAuth2 authentication to Google Stackdriver and obtains an access token from Stackdriver using the key specified in a JSON file. This access token is required to send logs to Stackdriver using the Stackdriver Logging API.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 01:03 AM
Jump to solution

Not knowing anything about GCP Stackdriver, I assume if it can ingest logs via syslog, they can be sent via Log Exporter.
If or how that exactly works, I don't know.
0 Kudos
cwilliams
Employee Alumnus
Employee Alumnus
‎2020-02-07 06:49 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy, you are correct LogExporter can be leveraged to send logs via syslog or whichever context Stackdriver looks for, I am not sure.

That being said there are also GCP project native Stackdriver logs which should be available when checking the enable Stackdriver checkbox when provisioning the instance in question.

I have uncovered that the default service account is used to communicate with the GCP APIs, not the gateway. As a result we identified that the default service account was not active for the project.

Thanks.

HeikoAnkenbrand
Champion Champion
Champion
‎2020-02-07 12:08 PM
Jump to solution

If necessary, you can take the alternative way via syslog-ng premium edition.

Cloud Guard laaS Management LogExporter  -----(via syslog)----> syslog-ng Premium Edition --- (via HTTP REST API) ----> Google Stackdriver 

The stackdriver destination of syslog-ng PE can send log messages to the Google Stackdriver cloud. Google Stackdriver is a widely used metrics, event, and log aggregator and analyzer system. The stackdriver destination is available in syslog-ng PE version 7.0.14 and later.

The stackdriver destination uses the HTTP REST API to perform OAuth2 authentication to Google Stackdriver and obtains an access token from Stackdriver using the key specified in a JSON file. This access token is required to send logs to Stackdriver using the Stackdriver Logging API.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
ute
Participant
‎2020-02-07 01:05 PM
In response to HeikoAnkenbrand
Jump to solution

This is exactly what we have been doing in our environment. We just do not use a gateway in the cloud. But I think this should also work on a cloud gateway with the log exporter.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events