Check Point has recently made available publicly a tool that allows you to export Check Point logs from the management to a syslog server.
Refer to the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog
I've just done a little capture on Wireshark on my Log Server and it looks to be receiving on port 514, which is a UDP port for Syslog, and there are also more fields listing UDP and not TCP. Have a look and see what you think?
I think you are missing :lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}" section in your config. Check my pdf page 6 for references.
We removed it as it would make duplicate records and would affect our monitoring software and produce false results. How necessary is it?
As far as I understand it, the audit_input_session, unlike log_input_session, is responsible for forwarding administrative action logs to the syslog. In other words, the things that you used to see in the "Management" tab of the SmartView Tracker.
In the absence of the definition in the $FWDIR/state/SEAM/local.cplogtosyslog_policy.C these parameters may be filled with default values defined elsewhere which, in turn, may cause unexpected behavior.
What I will say is we only see the log_input_session traffic at our server, so I don't think that could be an issue, but it's food for thought. I think the bottom line is the fact that we're running on TCP and not UDP, and with TCP being stateful, it'll see an error and just stop sending traffic, won't it?
We still have issues with the original file we were given by Check Point, so that's why I think it's not an issue to do with a field.
Hi,
I found a problem: cplogtosyslog stops sending logs after upgrading the hotfix to take 56.
I tried stopping/starting cplogtosyslog; it sends logs for about 1-2 minutes, then stops again.
Please help and advise.
Hello Kosin,
Maybe your problem is because the last Jumbo version approved for CPLogToSyslog is HFA42.
Regards.
I tried rolling back the hotfix to #T42 and installing the latest version of CPLogToSyslog, but it is still not working.
I have already opened a case with TAC but am waiting for the investigation with the R&D team.
Hello,
Is there a way to modify the log content, with fewer fields than we have now?
For example, I get this in my syslog server
01-31-2018 23:50:52 Lpr.Notice 10.88.9.1 Wed Jan 31 23:51:23 GW1 LOG GW1: ContentVersion: 5; Uuid: {0x5a72486a,0x0,0x109580a,0xc0000001}; SequenceNum: 4; Flags: 16384; Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; Alert: ; LogId: 0; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; log_type: connection; is_first_for_luuid: 131072; hll_key: 9176802383052573599; inzone: Internal; outzone: External; service_id: domain-udp; src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; NAT_rulenum: 4; NAT_addtnl_rulenum: 1; protocol: DNS-UDP; sig_id: 4; context_num: 1; match_id: 7; match_table.match_id: 7(+)16777218; layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145; match_table.layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145(+)fa8c5735-756d-4a7c-b16a-7a3b42fcf1ad; layer_name: Network; match_table.layer_name: Network(+)URL FILTER; rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627; match_table.rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627(+)22d4d6e4-f19d-461b-92c8-1cec78604ea0; rule_name: ; match_table.rule_name: (+)Cleanup rule; rule_action: 2; match_table.rule_action: 2(+)2; parent_rule: 0; match_table.parent_rule: 0(+)0; aba_customer: SMC User; date: 31Jan2018; hour: 23:51:22; type: connection; Interface: < eth1; ProductName: VPN-1 & FireWall-1; svc: 53; sport_svc: 56208; xlatedport_svc: ; xlatesport_svc: 36370;
Is it possible to get that?
01-31-2018 23:50:52 Lpr.Notice 10.88.9.1 Wed Jan 31 23:51:23 GW1 LOG GW1: Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; protocol: DNS-UDP;
Thank you
I'm not aware of a way to modify the syslog output (but maybe I'm wrong).
I believe this is planned for the LogOut project in any case.
Hi Romain,
If you get tricky with the filtering you can reduce the results slightly. But not to that extent you wish for.
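Since the tool itself offers no way to drop fields, the other place to trim them is the receiving syslog host. The following is an added example, not code from CPLogToSyslog or from anyone in this thread: it parses the "key: value;" layout of the sample line above and rebuilds the line with only the fields requested, handling the empty values, repeated keys and "(+)"-joined match_table values that the sample shows. The glue that feeds it lines from a syslog pipeline is assumed and left out.

```python
# Added example (not CPLogToSyslog's own code): trim a CPLogToSyslog line to a
# chosen set of fields on the receiving syslog host.
# Constructed input: the thread's verbose sample line, shortened to the fields
# needed for the demonstration (the "key: value;" layout is unchanged).
SAMPLE = (
    "01-31-2018 23:50:52 Lpr.Notice 10.88.9.1 Wed Jan 31 23:51:23 GW1 LOG GW1: "
    "ContentVersion: 5; Uuid: {0x5a72486a,0x0,0x109580a,0xc0000001}; "
    "Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; Alert: ; "
    "OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; "
    "OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; "
    "src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; "
    "match_table.layer_name: Network(+)URL FILTER; protocol: DNS-UDP; "
    "hour: 23:51:22; Interface: < eth1;"
)

# Fields the poster asked to keep, in the order he listed them.
KEEP = ["Action", "Origin", "IfDir", "InterfaceName", "src", "dst",
        "proto", "xlatesrc", "protocol"]

def parse_line(line):
    """Return (syslog header, ordered {field: value}) for one exported line.

    The header ends at the first ': ' (the 'GW1: ' after 'LOG'). Values may be
    empty ('Alert: ;') or contain ':' ('hour: 23:51:22'). A key repeated with
    the same value (OriginSicName here) is kept once; a repeat with a different
    value is joined with the '(+)' separator the match_table.* fields use.
    """
    header, sep, body = line.partition(": ")
    if not sep:
        raise ValueError("no 'HOST: ' header in line")
    fields = {}
    for raw in filter(None, (f.strip() for f in body.split(";"))):
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key not in fields:
            fields[key] = value
        elif fields[key] != value:
            fields[key] += "(+)" + value
    return header, fields

def multi_values(value):
    """Expand a '(+)'-joined value ('Network(+)URL FILTER') into a list."""
    return value.split("(+)")

def reduce_line(line, keep=KEEP):
    """Rebuild the line keeping only the fields in `keep`, in that order."""
    header, fields = parse_line(line)
    kept = "; ".join(f"{k}: {fields[k]}" for k in keep if k in fields)
    return f"{header}: {kept};"
```

Run on the sample, `reduce_line(SAMPLE)` produces exactly the shortened line the poster asked for; keeping `proto` numeric and `protocol` textual is deliberate, since the two are not always redundant.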
Hi all,
Does this add significantly more load to the machines, or is it safe to install?