
Syslog messages from the Security Gateway

Hi,

We want to receive syslog messages from the security gateway itself (not traffic-related logs), for example, /var/log/messages from syslog. The issue is that, if you activate syslog from the security gateway, the syslog messages are not in an RFC-compatible format, which screws up the parsing on the server side.

I've been thinking about using the "send traffic to the Management Server" option and export (or view) the logs from there to the syslog server.

What is the best course of action to achieve logging to an external server? What is usually used in these situations?

3 Replies
Admin

Re: Syslog messages from the Security Gateway

The "Send Traffic to the Management Server" option puts those logs in the same place you see your traffic logs.

Those, of course, can be exported from there with Log Exporter just like the traffic logs.

However, I don't know that it changes the format of the log entries any.

0 Kudos

Re: Syslog messages from the Security Gateway

Hi Tiago,

You can configure gateways to send logs directly to syslog servers. Checkpoint supports RFC 3164 and RFC 5424. Can you share a sample of the syslog messages that could not be parsed on the syslog server?

"Sending traffic to management server" is a good option; after enabling this you will be able to see firewall traffic-related logs and system messages together. I would not export them to an additional syslog server; you can see both logs in the management server.

0 Kudos

Re: Syslog messages from the Security Gateway

Hi Huseyin,

The issue we're having is that the messages are missing the hostname, timestamp, and syslog protocol version. This has been previously described under sk100727.

We were investigating whether it was a viable option to export the logs to the management server and then export them out to an external syslog server and parse them there, since they are exported in CEF format and that would allow us to parse the events.

We are on R80.10 (with some install base on R77.30, to be brought to R80.10 in the next few months). We are not looking to install the hotfix described in the SK, as it will require extra maintainability, as well as introducing potentially less stable code on the chassis.
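The thread turns on what a collector should do with header-less messages. The following is an added example, not code from the original posts or from Check Point: a tolerant parser that classifies each line as RFC 5424, RFC 3164 or malformed, decodes the PRI into facility and severity, and, for malformed lines, fills the missing timestamp and hostname from the collector's own receive time and the sender's address rather than dropping the event. The sample lines are constructed for the example; the malformed one is a hypothetical message shaped like the symptom described in the thread (PRI present, no version, timestamp or hostname), not a captured gateway message.

```python
"""Tolerant syslog parser for a collector (added example, not vendor code).

Classifies a line as RFC 5424, RFC 3164 or malformed, splits PRI into
facility/severity, and normalises malformed lines using transport metadata
(receive time, peer address) so the events are still searchable.
"""
import re
from datetime import datetime, timezone

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)'
    r'(?: (?P<msg>.*))?$'
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (no version field by design)
RFC3164_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) (?P<msg>.*)$'
)
# Fallback: a PRI followed by whatever remains (the header-less case)
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$')

SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']


def split_pri(pri):
    """PRI = facility * 8 + severity; 191 is the largest legal value."""
    pri = int(pri)
    if pri > 191:
        raise ValueError('PRI out of range: %d' % pri)
    return pri // 8, SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return a dict with 'format' in {'rfc5424','rfc3164','malformed','unknown'}
    and a 'missing' list naming header fields that an RFC 5424 parser expects
    but could not find."""
    m = RFC5424_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(format='rfc5424', missing=[])
    else:
        m = RFC3164_RE.match(line)
        if m:
            rec = m.groupdict()
            rec.update(format='rfc3164', missing=[])
        else:
            m = PRI_RE.match(line)
            if not m:
                return {'format': 'unknown', 'raw': line,
                        'missing': ['pri', 'version', 'timestamp', 'hostname']}
            # PRI is present but the header is not: the case discussed in the thread
            rec = {'pri': m.group('pri'), 'msg': m.group('rest'), 'timestamp': None,
                   'hostname': None, 'format': 'malformed',
                   'missing': ['version', 'timestamp', 'hostname']}
    if 'pri' in rec:
        rec['facility'], rec['severity'] = split_pri(rec['pri'])
    return rec


def normalize(line, received_at, peer_addr):
    """Fill header fields the sender omitted from what the collector knows:
    the time it received the datagram and the address it came from.
    'header_source' records which it was, so analysts can tell the two apart."""
    rec = parse_syslog(line)
    if rec['format'] in ('malformed', 'unknown'):
        rec['timestamp'] = received_at.isoformat()
        rec['hostname'] = peer_addr
        rec['header_source'] = 'collector'
    else:
        rec['header_source'] = 'message'
    return rec


# Constructed sample input (not captured from any device)
SAMPLE_LINES = [
    '<34>1 2023-10-11T22:14:15.003Z gw-01 sshd 1234 ID47 - Accepted publickey for admin',
    '<13>Oct 11 22:14:15 gw-01 kernel: eth0: link up',
    '<13>kernel: eth0: link up',   # hypothetical header-less line
]


def demo():
    """Normalise the constructed samples as if received from 192.0.2.10
    (a documentation address) at a fixed UTC time."""
    received = datetime(2023, 10, 11, 22, 14, 15, tzinfo=timezone.utc)
    return [normalize(l, received, '192.0.2.10') for l in SAMPLE_LINES]


if __name__ == '__main__':
    for rec in demo():
        print(rec['format'], rec['header_source'], rec['hostname'], rec['timestamp'],
              rec.get('facility'), rec.get('severity'), rec.get('msg'))
```

Substituting collector metadata is the same idea rsyslog and syslog-ng apply when a header is absent; keeping `header_source` and the `missing` list in the stored event makes it possible to count how many events arrived header-less and to avoid treating the collector's receive time as the device's own clock.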