This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sandeepsutar
Participant
3 weeks ago

Handling Log Exporter in Management HA with dual "Primary" log servers.

Hi Everyone,

Setup: Management server in HA, Hardware: open server, OS: R82.10.

I have a Management HA setup where both servers are configured as Primary Log Servers (Gateways are sending logs to both simultaneously). I've configured Log Exporter on Mgmt1 to forward to our SIEM, and it’s working fine.

The issue is failover. Our SIEM does not support deduplication, so I can't run the exporter on both management servers at the same time without doubling our data. The client also wants to keep the dual-primary logging config, so I can't switch to a Primary/Secondary log server hierarchy.

Is there a standard way to automate an "Active/Standby" behavior for the Log Exporter process? I'm looking for a way to have the exporter start on Mgmt2 only if Mgmt1 goes down, without manual CLI work.

Any scripts or best practices for tying cp_log_export to the HA state?

 

Regards,

@Magnus-Holmberg , @the_rock , @PhoneBoy 

0 Kudos
1 Reply
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
3 weeks ago

There's no standard way to automate this, it would require external monitoring of something and thus the external tool starting and stopping log exporter on the standby mgmt server. 

If the customer has their gateways configured to forward logs to the primary mgmt server at midnight (will be the default for new gateways created in R82.10 mgmt servers onwards) then the logs will all end up at the SIEM eventually, after the local logs that spool up on the gateways while the server is down are picked up and sent over. Else the recommended solution would be log distribution and a SIEM connection to both mgmt servers, but then the customer loses the duplication of logs at the log servers.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events