Nofar_a
Iron

export /var/log/audit/audit.log via syslog

Hi guys!

Any idea as to how to export /var/log/audit/audit.log from R77.30 GW?

Normally I would have done it with audispd, but it's missing from the GW.

Thanks!

6 Replies
Nofar_a
Iron

Re: export /var/log/audit/audit.log via syslog

Hi Marco,

Thanks for the reply. 

However, I'm interested in exporting /var/log/audit.log and not /var/log/messages.

0 Kudos

Re: export /var/log/audit/audit.log via syslog

I get it now, not a helpful reply from me :)

0 Kudos

Re: export /var/log/audit/audit.log via syslog

Normally your audit log is only on management, so is this a self-contained sGW? You can use Log Exporter, which will export both security logs and audit logs in syslog format.

Regards, Maarten
0 Kudos
Nofar_a
Iron

Re: export /var/log/audit/audit.log via syslog

Hi Maarten,

I tried using Log Exporter (SK122323), but I'm still only able to send /var/log/messages :(

0 Kudos

Re: export /var/log/audit/audit.log via syslog

Please tell a bit more about the environment. On which machine are you running this Log Exporter?

Regards, Maarten
0 Kudos

Re: export /var/log/audit/audit.log via syslog

To clarify, I think the original question is asking about Linux auditing, which I don't think is fully implemented in Gaia, or at least exposed or documented for the end user. See reference here: SUSE Doc: Security Guide - Understanding Linux Audit. The facility is there, as is the file /var/log/audit/audit.log.

Let's not confuse this with audit logs from the Check Point management server (for instance, this network object was added, this security policy rule is changed, etc.) and security logs from the gateways connected to the management server. These are included by default when you use Log Exporter.

Back to the original question: if you want to receive auditd events via syslog, there are some configuration files in /etc/audit such as audit.rules and auditd.conf, but I don't think we have plugins for sending these via syslog. Could be wrong. Would have to check with a Gaia expert if you need a definitive answer.

Device syslog logs can of course be set up using the Gaia web UI or the clish CLI.