R80.10 API logs

Hi,

So we've been exporting our gateway *audit logs* regularly in 77.30 to Splunk, and now we upgraded to 80.10.

With the new API, we are wondering if it's possible to export the logs of the API.

Let's say, for example, if someone ran a "show group" command from the management server, its log would be exported and seen in Splunk.

Is it possible? 

 

6 Replies

Re: R80.10 API logs

Have you tried the Log Exporter for that purpose (sk122323)?

You would need to install the Check_Point_R80.10_Log_Exporter_T50_sk122323_FULL.tgz package first as far as I can see and then I would refer you to the most relevant section for you:

Splunk

It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

For more information about installation and deployment, please see the Check Point App for Splunk User Guide.

In addition, in order to configure an encrypted connection, do the following:

1. Generate server pem file:
    cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

2. Update the inputs.conf file on the Splunk server
    vi /opt/splunk/etc/apps/search/local/inputs.conf

    [SSL]
    serverCert = /etc/ssl/my-certs/splunk.pem
    sslPassword = <challenge password>
    requireClientCert = true

    [tcp-ssl://<port>]
    index = <index>

3. Update the server.conf file on the Splunk server
    vi /opt/splunk/etc/system/local/server.conf

    [sslConfig]
    sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

4. Restart Splunk
    /opt/splunk/bin/splunk restart

 

I hope this helps.
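
The concatenation in step 1 above is easy to get subtly wrong (wrong order, wrong key, a certificate that does not chain to the RootCA.pem that step 3 points Splunk at), and Splunk only tells you at restart time. The script below is an added example, not code from sk122323 or from Check Point: it builds splunk.pem the same way as step 1 and then checks the bundle with the openssl CLI before anything is written into inputs.conf. It assumes openssl is installed; the file names are the ones from the sk, and the CA, key and certificate that make_test_pki produces are constructed test material, not real credentials.

```shell
#!/bin/sh
# Added example, not code from sk122323 or from Check Point.
# Assumes the openssl CLI is present. File names follow the sk; the PKI
# created by make_test_pki is constructed test material only.

# make_test_pki DIR: constructed inputs. Creates RootCA.pem, syslogServer.key
# and syslogServer.crt (signed by that CA), the three files step 1 concatenates.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$dir/RootCA.key" -out "$dir/RootCA.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=splunk.example.internal" \
        -keyout "$dir/syslogServer.key" -out "$dir/syslogServer.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/syslogServer.csr" \
        -CA "$dir/RootCA.pem" -CAkey "$dir/RootCA.key" -CAcreateserial \
        -out "$dir/syslogServer.crt" >/dev/null 2>&1
}

# build_splunk_pem CRT KEY CA OUT: step 1 of the sk, in that order (server
# certificate, its private key, root CA). The bundle holds a private key, so
# its permissions are restricted right away.
build_splunk_pem() {
    cat "$1" "$2" "$3" > "$4" && chmod 600 "$4"
}

# check_splunk_pem PEM CA: returns 0 only if the bundle is usable by Splunk:
# exactly one private key, the first certificate chains to CA (the file that
# step 3 sets as sslRootCAPath), the key belongs to that certificate, and the
# certificate is not about to expire.
check_splunk_pem() {
    pem=$1; ca=$2
    leaf="$pem.leaf.tmp"; key="$pem.key.tmp"
    nkeys=$(grep -c 'BEGIN.*PRIVATE KEY' "$pem" || true)
    if [ "$nkeys" -ne 1 ]; then
        echo "check: expected exactly one private key, found $nkeys" >&2
        return 1
    fi
    # openssl x509 reads the first certificate in the file; that must be the server cert
    if ! openssl x509 -in "$pem" -out "$leaf" 2>/dev/null; then
        echo "check: no certificate at the top of the bundle" >&2
        return 1
    fi
    sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$pem" > "$key"
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "check: server certificate does not chain to $ca" >&2
        rm -f "$leaf" "$key"; return 1
    fi
    # compare the public key inside the certificate with the one derived from the private key
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check: private key does not match the server certificate" >&2
        rm -f "$leaf" "$key"; return 1
    fi
    # -checkend succeeds only if the certificate is still valid in 24h
    if ! openssl x509 -in "$leaf" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "check: server certificate expires within 24h" >&2
        rm -f "$leaf" "$key"; return 1
    fi
    rm -f "$leaf" "$key"
    echo "check: $pem OK"
}

# Demo run on the constructed material.
work=$(mktemp -d)
make_test_pki "$work"
build_splunk_pem "$work/syslogServer.crt" "$work/syslogServer.key" \
    "$work/RootCA.pem" "$work/splunk.pem"
check_splunk_pem "$work/splunk.pem" "$work/RootCA.pem"
rm -rf "$work"
```

The key in this example is unencrypted (openssl -nodes); if your syslogServer.key carries a passphrase, the sslPassword value in step 2 has to be that passphrase. Note also that with requireClientCert = true in the [SSL] stanza, the sender has to present a client certificate that validates against the sslRootCAPath from step 3, so the exporter side needs a certificate from that same CA.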

Admin

Re: R80.10 API logs

All API sessions appear in the audit logs, which should get exported to Splunk via Log Exporter or LEA.

Re: R80.10 API logs

Hi, I am using Log Exporter, but the only logs it exports are clish logs or SSH connections, not the Linux expert commands. Is there any other configuration I need to make?

Admin

Re: R80.10 API logs

First of all, expert commands aren't logged at all by default, but clish commands are.
Log Exporter does not get the OS logs, but you can configure Gaia to send them via syslog in the WebUI or clish (can't remember the command offhand).

Re: R80.10 API logs

OK, what about API commands run from expert mode, are they logged? It seems odd to me that you can't see what was searched with the API...

Admin

Re: R80.10 API logs

mgmt_cli commands are API calls, just with a specific client.
You can see what calls are made via $FWDIR/log/api.elg.