Joe_Kanaszka
Advisor

Sending Syslog to logging server pt 2

Hey guys - 

 

Per my post yesterday I was able to configure syslog on the Security Gateways to send their syslogs to my SmartLog server.

I am now able to see SSH expert logins in Smartlog (Audit) logs.  However, I still cannot see SSH to CLISH.  Only after I enter expert mode do I see SSH access in my Smartlog (Audit) logs.

 

I also do not see logins to the GAIA portal in Smartlog - although these events can be found in /var/log/messages.

The SK I used:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/System-...

Also the sk mentions the "blade" in Smartlog appearing as "Syslog" but I do not see this behavior...

 

Any ideas?

 

 

0 Kudos
17 Replies
simonemantovani

Hello

Could you provide the commands for the configuration you've applied?

Joe_Kanaszka
Advisor

Good morning Simone and thank you for the quick response.  I used the GAIA portal and SmartConsole to make the config changes.  

Afterwards, I installed the database in SmartConsole

Then I restarted the syslog svc on each of my gateways:

[Expert@HostName]# syslog -u ; syslog -r

 

Then I restarted the Check Point services on my logging server:

[Expert@HostName]# cpstop ; cpstart

 

[Screenshot: GAIA Portal]

 

0 Kudos
simonemantovani

OK, I'm checking it because, as you experienced, only access in expert mode is logged, while SSH access performed by a user with the CLI shell is not logged. I hadn't noticed this before, because I usually set up bash for the users.

Admin guide doesn't report any difference between CLISH and EXPERT access.

0 Kudos
Joe_Kanaszka
Advisor

Yep - and also there are no syslogs for GAIA portal access.  I would think this is important as well, as I'd like to know when the portal is accessed (I mean, it's just me and my boss, but still...it would be nice to have logging here.)

These GAIA portal access messages show up in /var/log/messages. 

 

0 Kudos
the_rock
MVP Diamond

Hey Joe,

Did you run these commands Simone mentioned yesterday?

set syslog cplogs on

set syslog mgmtauditlogs on

set syslog auditlog permanent

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
Joe_Kanaszka
Advisor

Well, I used the GAIA portal to make the same changes as I would have through CLISH.

0 Kudos
the_rock
MVP Diamond

K, got it, fair enough. Does anything come up in the logs if you simply search by typing clish?

Best,
Andy
"Have a great day and if it's not, change it"
Joe_Kanaszka
Advisor

Nope.

0 Kudos
simonemantovani

Hello

Even on my firewalls I applied the commands reported in the admin guide, and only SSH access with EXPERT shell is logged.

 

set syslog filename /var/log/messages
set syslog cplogs on
set syslog mgmtauditlogs on
set syslog auditlog permanent

What unexpected behaviour.

0 Kudos
Joe_Kanaszka
Advisor

Right?  It should show CLISH access and GAIA portal access as well as Expert mode access.  Do you see the Blade as "syslog" in your lab?  I do not.  

I see all my logs in Audit log.

0 Kudos
simonemantovani

No, I only have Expert mode access, here is an example of the log collected.

Time: 2026-03-25T16:12:58Z
Id: 5118e80a-5801-bb00-69c4-098a2fc90000
Sequencenum: 467
Subject: Administrator Expert Shell login
Administrator: ifi_backup
Operation: Log In
Client IP: xxx.xxx.xxx.xxx
General Information: SSH connection by ifi_backup user to Expert Shell
Device Name: xxxxxxxxxxxxxx
Device Type: GW
Two-Factor Authentication: Disabled
Sendtotrackerasadvancedauditlog:0
Type: Audit
Application: Expert Shell
Origin: xxxxxxxxxxxxxxxx
Product Family: Network
Marker: @A@@B@1774393201@C@542
Log Server Origin: xxx.xxx.xxx.xxx
Origin Log Server IP: xxx.xxx.xxx.xxx
Domain: xxxx
Severity: Informational
Stored: true
Corename: http://127.0.0.1:8210/solr/audit_2026-03-25T00-00-00
Description: ifi_backup logged ln to Expert Shell

0 Kudos
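A way to check which login sources actually reach the log server, given records exported in the "Key: value" layout of the log posted above. This is an added example, not part of the original post and not Check Point code. The `CLISH` and `Gaia Portal` labels are placeholders (assumptions), since the thread never shows how such logins would be labelled, and the second sample record is constructed.

```python
from collections import Counter

# Constructed sample: record 1 reuses fields from the log posted above,
# record 2 is a constructed variation of it.
SAMPLE = """\
Time: 2026-03-25T16:12:58Z
Administrator: ifi_backup
Operation: Log In
Sendtotrackerasadvancedauditlog:0
Type: Audit
Application: Expert Shell
Corename: http://127.0.0.1:8210/solr/audit_2026-03-25T00-00-00

Time: 2026-03-25T16:40:02Z
Operation: Log In
Type: Audit
Application: Expert Shell
"""

def parse_records(text):
    """Split 'Key: value' text into one dict per record (blank line = boundary)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only: timestamps and URLs contain colons,
        # and some keys ("Sendtotrackerasadvancedauditlog:0") have no space.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def login_coverage(records, expected):
    """Count audit logins per Application and list expected sources never seen."""
    logins = [r for r in records
              if r.get("Type") == "Audit" and r.get("Operation") == "Log In"]
    seen = Counter(r.get("Application", "unknown") for r in logins)
    return dict(seen), sorted(set(expected) - set(seen))

if __name__ == "__main__":
    # Placeholder labels (assumption): replace with what your log server records.
    wanted = ["Expert Shell", "CLISH", "Gaia Portal"]
    print(login_coverage(parse_records(SAMPLE), wanted))
```
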
Joe_Kanaszka
Advisor

I found this but I'm not sure how he made it show GAIA logins:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Admin-account-login-alert/td-p/....

 

 

0 Kudos
simonemantovani

If you follow the steps in SK102995, you can configure the firewall to send logs using the syslog protocol directly to the management, instead of using native port 257; I'm not sure whether, in this configuration, you would be able to see all the login attempts or only the expert access like now.

You could try, but in any case I haven't found anything that could explain why only expert access is logged (especially because everything is logged into /var/log/messages).

Joe_Kanaszka
Advisor

I agree.  It seems that if it shows up in /var/log/messages, you should be able to ship it via syslog.

Joe_Kanaszka
Advisor

I forgot to ask you - where are you seeing your logs for SSH Expert access?  In your Audit logs, correct?  Not sure why the Admin guide says that you'll see syslog events in your regular Smartlogs and the Blade will appear as "syslog".

 

  1. View the syslog messages as usual Check Point logs in SmartLog

    Notes:

    • In SmartLog logs, the "Blade" field show "Syslog"

    • If Gaia OS syslog messages are exported from a VSX Gateway / VSX Cluster members managed by a Multi-Domain Security Management Server, then connect with SmartLog to the Main Domain Management Server where the object of VSX Gateway / VSX Cluster is defined (because Gaia OS syslog messages are sent from the context of VSX Gateway / VSX Cluster member itself - VS0).
    • Default port for the syslog is 514.  There is no option to change this port. 

 

 

0 Kudos
Lesley
MVP Gold

Is this all R82? 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Joe_Kanaszka
Advisor

R81.20

0 Kudos
