This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
Ed_Gonzalez
Employee
Employee
‎2018-09-16 05:06 PM

Audit Logs & Log Exporter in AWS FWs

There has been some more clarifications on the subject since last time. I've got an on premise management handling the AWS/Assure FWs. I know logs are pushed to the management by default.

Questions:

How do we manage the /var/log/audit/audit.log?

I was thinking utilizing log exporter to copy the data to an on premise log server as a solution. Don't know if this is the only option. We are trying to minimize any future issues related to internal audits.

Thanks,


E

4 Replies
PhoneBoy
Admin
Admin
‎2018-09-16 08:25 PM

I assume since you're a Check Point employee, you're asking this for a customer. Smiley Happy

Log Exporter only exports Security Management logs.

It does not export Gaia OS logs, many of which are exported with syslog in Gaia.

audit.log in particular is not included in this by default.

The standard "Linux" ways to do this suggest using a plugin to audispd to send the information to syslog.

This plugin doesn't exist on Gaia and I presume adding it would be an RFE. 

You might be able to use the logger utility to pipe this information to syslog, but I haven't tried this.

0 Kudos
Ed_Gonzalez
Employee
Employee
‎2018-09-16 09:06 PM
In response to PhoneBoy

Hi Phoneboy, Yes, I'm an SE in Houston. Interesting, good info on the Log Exporter. Hmm...I might run it by Rodrigue to find out if he has run into this possible issue. Again, no one is asking about it yet but I do have a possible client that will be inquiring about it.  

Looking forward seeing you this week in Houston!  Maybe we can bounce some ideas or I'll have an answer by then to share.

Ed

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-16 09:11 PM
In response to Ed_Gonzalez

Ah yes, I will be there on Tuesday Smiley Happy

0 Kudos
Ed_Gonzalez
Employee
Employee
‎2018-09-16 09:16 PM
In response to PhoneBoy

Excellent! I'm trying to get other customer to attend. They are curious to see the R77.30 to R80.10(20) migration guideline.  We have pro services helping them.

Thanks,

Ed