Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
kb1
Collaborator

Sending logs to logrhythm

I have a question regarding sending logs from each firewall (we have multiple firewalls, most running on R80.20, some on R80.40 and a few on do R77) to logrhythm.

Do we have to configure logging on each firewall so that each firewall sends the logs to the logrhythm server or do we have to configure only the management server so that the mgmt server itself can send all the logs that it receives from all the firewalls to logrhythm? We already have the management server configured to send all logs to the logrhythm server and getting reports saying that for a lot of firewalls the logs are not being sent to logrhythm.

Thank you.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

The way to do this is via Log Exporter from the Management/Log Server.
Possible there's a filter configured which is causing some logs not to be sent.

0 Kudos
kb1
Collaborator

Thanks for replying and yes log exporter has been configured already on the mgmt server, when you say a filter is configured that prevents some logs from not being sent what do you you exactly mean? As far as I am aware there shouldn't be anything blocking logs from being sent over to logrhythm but I could be wrong, where do I get started on trying to troubleshoot this filter that you are talking about?

Thank you

0 Kudos
PhoneBoy
Admin
Admin

It's part of the Log Exporter configuration.
Refer to the filtering section here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Gomboragchaa
Advisor

Where did you see the logs are not sent to logrhythm?

Did you try tail on LR side? If there isn't log on LR tail, check the log-exporter config again. It could be log exporter service stopped or something wrong on config...

0 Kudos
kb1
Collaborator

Sorry about the late reply but we have the logexporter configured on the management server to send logs to the logrhythm server, the doubt that the logrhythm team has is how can they check if the logs that they are seeing are from every firewall that are sending logs to the mgmt server? When you say tail how do we check the tail on logrhythm side? Will checking the tail show that logs are being sent from every firewall? Do we have to look for the name of the Firewalls in the tail?

0 Kudos
PhoneBoy
Admin
Admin

You have to verify on the LogRhythm side that logs are being received from every gateway by checking to see if you see logs from those gateways.
Not aware of the specifics on how to do that.

0 Kudos
kb1
Collaborator

Ok I will let them know to check and see what they are seeing on the tail logs, thank you.

0 Kudos