marki
Contributor

sk115392: "How to export Check Point logs to a Syslog server using CPLogToSyslog"

Introductory note: Since some documents haven't been given the little love they deserve IMHO, I'm going to document my findings and proposals for improving them here, for everyone's benefit. Usually, I've tried giving feedback in said articles, but either they didn't change anything (even though they said I was correct) or they just didn't understand what I meant.

So, about sk115392:

Apart from the fact that this seems all very complicated and that logging to a Syslog server should be built-in to start with, this is a rather well-written sk article.

However, "installation instructions" contain conflicting information. The main page says Take 56 is ok, while the download page states that only Take 42 is supported.

Furthermore, in the meantime, Take 70 has been released... so somehow this solution is always running behind and it's not clear if we can upgrade without any danger or not. Which would not be the case if syslogging was built-in as I said.

8 Replies
PhoneBoy
Admin

CPLogToSyslog is being replaced with a different solution that I would expect to work on the most recent Jumbo Hotfix.

It has been referred to as the LogOut project here and is expected in relatively short order.

PhoneBoy
Admin

Just to clarify, up to Take 56 is ok.

The SK team will update the documentation to clarify all this next week.

0 Kudos
Sarm_Chanatip
Collaborator

Hello Dameon,

I got an error message while verifying the package, as below.

Verifier results
Package: Check_Point_CPLogToSyslog_R80.10_GA_jhf_T56_FULL.tgz
Installation is not allowed.
Reason:
A fix conflict was detected during pre-install validation.
To prevent system instability, installation will not continue.
Please contact Check Point support with the following information:

Package: Check_Point_CPLogToSyslog_R80.10_GA_jhf_T56_FULL.tgz
conflicts with the following hotfixes:

R80.10 Jumbo Hotfix Accumulator (Take 103)
R80_10_New_Image

For more information - see log files:
/opt/CPInstLog/CRSValidator_fw1_wrapper_CPLTOSL__R80_10.log

This tool is not compatible with Take 103, right? If yes, I will need to contact Check Point support to request a "CPLogToSyslog_R80.10_GA_jhf_Tx_FULL.tgz" which is Take 42 or Take 56 that covers it?

Thank you in advance.

0 Kudos
PhoneBoy
Admin

Right, CPLogToSyslog is not compatible with more recent takes of R80.10.

Log Exporter has officially replaced CPLogToSyslog and should be used going forward.

Log Exporter guide

0 Kudos
Sarm_Chanatip
Collaborator

Hello Dameon.

Thank you for reply.

One more thing: this can only be done via CLI, right? I used to set it on R77.30 via SmartDashboard after installing the add-on package on the Management Server. But on R80.10 I'm new to using this tool.


Thank you in advance. 

0 Kudos
PhoneBoy
Admin

Right, this is a CLI tool.

It's important to note the difference between the syslog functionality you describe in SmartDashboard R77.30 + Add On and the Log Exporter tool.

Specifically that system exports firewall logs only (not other blades) from the security gateway directly.

Log Exporter gets all blade logs and exports from the management server.

Note that while we do plan to bring back the option to enable syslogs to be sent from the gateway in R80.20 (R80.10 does not have the option), it will still be firewall logs only (not other blades).

Hope that clarifies things.
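The coverage difference described above (gateway-side syslog carries firewall-blade logs only, Log Exporter from the management server carries all blades) is something a SIEM owner should verify on the receiving end rather than assume. The following is an added example, not code from the thread or from Check Point: it parses a handful of constructed syslog lines whose bracketed key:"value"; layout is an assumption modelled loosely on the Log Exporter syslog output, counts events per product (blade), and reports which expected blades are absent from a feed. The gateway_style_feed helper simulates a firewall-only feed by filtering the same sample, so the gap is visible without a live gateway.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page). Hosts, timestamps and addresses
# are placeholders; the "[key:"value"; ...]" body layout is an assumption.
SAMPLE_LINES = [
    '<134>1 2018-05-01T10:00:00Z mgmt01 CheckPoint 1234 - '
    '[action:"Accept"; product:"VPN-1 & FireWall-1"; src:"10.1.1.5"; dst:"10.2.2.9"]',
    '<134>1 2018-05-01T10:00:01Z mgmt01 CheckPoint 1234 - '
    '[action:"Detect"; product:"Threat Emulation"; src:"10.1.1.7"; dst:"203.0.113.4"]',
    '<134>1 2018-05-01T10:00:02Z mgmt01 CheckPoint 1234 - '
    '[action:"Prevent"; product:"IPS"; src:"198.51.100.9"; dst:"10.1.1.5"]',
    '<134>1 2018-05-01T10:00:03Z mgmt01 CheckPoint 1234 - '
    '[action:"Drop"; product:"VPN-1 & FireWall-1"; src:"192.0.2.8"; dst:"10.1.1.5"]',
]

# Blades we expect to see if the feed really comes from the management server.
EXPECTED_BLADES = ["VPN-1 & FireWall-1", "IPS", "Threat Emulation"]

# RFC 5424-style header followed by a single bracketed body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) - '
    r'\[(?P<body>.*)\]$'
)
# key:"value" pairs; the value may contain escaped quotes.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["_host"] = m.group("host")
    fields["_timestamp"] = m.group("ts")
    return fields


def blade_coverage(lines):
    """Count events per product (blade) across a feed, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields and "product" in fields:
            counts[fields["product"]] += 1
    return counts


def missing_blades(lines, expected):
    """List expected blades that produced no events at all in the feed."""
    seen = set(blade_coverage(lines))
    return sorted(b for b in expected if b not in seen)


def gateway_style_feed(lines):
    """Simulate a gateway-side syslog feed, which carries firewall-blade logs only."""
    return [l for l in lines if (parse_line(l) or {}).get("product") == "VPN-1 & FireWall-1"]


if __name__ == "__main__":
    print("management feed:", dict(blade_coverage(SAMPLE_LINES)))
    print("missing from management feed:", missing_blades(SAMPLE_LINES, EXPECTED_BLADES))
    print("missing from gateway-style feed:",
          missing_blades(gateway_style_feed(SAMPLE_LINES), EXPECTED_BLADES))
```

Running the script against the constructed sample shows the management-side feed covering all three blades while the gateway-style feed reports IPS and Threat Emulation as missing, which is exactly the blind spot to check for when choosing between the two export paths.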

Sarm_Chanatip
Collaborator

Hello Dameon,

Thank you for your answer.

Note that while we do plan to bring back the option to enable syslogs to be sent from the gateway in R80.20 (R80.10 does not have the option), it will still be firewall logs only (not other blades).

Hope that clarifies things.

From the above, do you mean that in R80.20 we will be able to enable syslog on the gateway, or just install the Add-On package on Management like in R77.30? Because the gateway is configured to send traffic logs to Management, so all logs should be sent by Management.

Thank you in advance.

0 Kudos
PhoneBoy
Admin

You won't require an add-on to enable firewall syslogs sent directly from the gateway in R80.20.

This is equivalent to what you describe in R77.30 with the add-on.

0 Kudos