CPLogToSyslog Utility Now GA
Check Point has recently made publicly available a tool that allows you to export Check Point logs from the management server to a syslog server.
Refer to the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog
I've just done a little capture in Wireshark on my log server, and it looks to be receiving on port 514, which is a UDP port for syslog, and there are also more fields listing UDP and not TCP. Have a look and see what you think.
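To settle the UDP-versus-TCP question without a packet capture, here is an added example (Python written for this thread; not Check Point's CPLogToSyslog code and not posted by anyone above): a small probe that binds a port on both UDP and TCP, queues every message together with the transport it arrived on, and for TCP accepts both RFC 6587 framings. It assumes nothing about which framing CPLogToSyslog actually uses (the page does not say), and the traffic produced by send_samples is constructed test data, not Check Point output.

```python
import queue
import socket
import threading
import time


def frame_tcp(buf: bytes):
    """Split a TCP byte stream into syslog messages; returns (messages, leftover).

    Octet-counting frames look like b"13 <134>message"; non-transparent frames end
    with LF.  Which one CPLogToSyslog emits is not stated on the page (assumption),
    so both are accepted.  A leftover that never completes is what to look at when
    a TCP feed delivers for a while and then goes quiet.
    """
    msgs = []
    while buf:
        sp = buf.find(b" ")
        if sp > 0 and buf[:sp].isdigit():          # octet-counting frame
            n = int(buf[:sp])
            if len(buf) < sp + 1 + n:
                break                                # incomplete; wait for more bytes
            msgs.append(buf[sp + 1:sp + 1 + n])
            buf = buf[sp + 1 + n:]
            continue
        nl = buf.find(b"\n")                         # non-transparent (LF) frame
        if nl < 0:
            break
        msgs.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return msgs, buf


class SyslogProbe:
    """Receive on UDP and TCP; queue items are (transport, peer_ip, message)."""

    def __init__(self, host="127.0.0.1", udp_port=514, tcp_port=514):
        self.received = queue.Queue()
        self._stop = threading.Event()
        self._udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._udp.bind((host, udp_port))
        self._udp.settimeout(0.2)
        self._tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._tcp.bind((host, tcp_port))
        self._tcp.listen(8)
        self._tcp.settimeout(0.2)
        self.udp_port = self._udp.getsockname()[1]   # resolved ports (matters with port 0)
        self.tcp_port = self._tcp.getsockname()[1]
        for loop in (self._udp_loop, self._tcp_loop):
            threading.Thread(target=loop, daemon=True).start()

    def _udp_loop(self):
        while not self._stop.is_set():
            try:
                data, (ip, _) = self._udp.recvfrom(65535)
            except OSError:                          # timeout, or socket closed by close()
                continue
            self.received.put(("udp", ip, data.decode("utf-8", "replace")))

    def _tcp_loop(self):
        while not self._stop.is_set():
            try:
                conn, (ip, _) = self._tcp.accept()
            except OSError:
                continue
            threading.Thread(target=self._tcp_conn, args=(conn, ip), daemon=True).start()

    def _tcp_conn(self, conn, ip):
        buf = b""
        conn.settimeout(0.2)
        with conn:
            while not self._stop.is_set():
                try:
                    chunk = conn.recv(65535)
                except socket.timeout:
                    continue
                except OSError:
                    break
                if not chunk:                        # peer closed the stream
                    break
                buf += chunk
                msgs, buf = frame_tcp(buf)
                for m in msgs:
                    self.received.put(("tcp", ip, m.decode("utf-8", "replace")))
        if buf:                                      # unterminated tail: framing mismatch
            self.received.put(("tcp-unframed", ip, buf.decode("utf-8", "replace")))

    def drain(self, count, timeout=5.0):
        """Collect up to `count` messages, waiting at most `timeout` seconds in total."""
        out, deadline = [], time.monotonic() + timeout
        while len(out) < count and deadline > time.monotonic():
            try:
                out.append(self.received.get(timeout=max(0.0, deadline - time.monotonic())))
            except queue.Empty:
                break
        return out

    def close(self):
        self._stop.set()
        self._udp.close()
        self._tcp.close()


def send_samples(host, udp_port, tcp_port):
    """Constructed test traffic (not Check Point output): one UDP datagram, then one
    octet-counted and one LF-framed message over a single TCP stream."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.sendto(b"<134>udp-sample", (host, udp_port))
    msg = b"<134>tcp-octet-counted"
    with socket.create_connection((host, tcp_port)) as t:
        t.sendall(b"%d " % len(msg) + msg + b"<134>tcp-newline\n")


if __name__ == "__main__":
    probe = SyslogProbe(udp_port=0, tcp_port=0)     # 0 = any free port; use 514 on a real log server
    send_samples("127.0.0.1", probe.udp_port, probe.tcp_port)
    for transport, ip, text in probe.drain(3):
        print(f"{transport:<12} {ip:<15} {text}")
    probe.close()
```

On a real log server, run it with the default port 514 (which needs root, and the production syslog daemon stopped) and point the management at it: the first column tells you which transport is really in use. A queue item tagged tcp-unframed means bytes arrived that never formed a complete frame, which is worth checking before blaming the sender when a TCP feed goes quiet.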
I think you are missing the :lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}") section in your config. Check my PDF, page 6, for references.
We removed it as it would create duplicate records and would affect our monitoring software and produce false results. How necessary is it?
As far as I understand it, audit_input_session, unlike log_input_session, is responsible for forwarding administrative action logs to syslog. In other words, the things you used to see in the "Management" tab of SmartView Tracker.
In the absence of the definition in $FWDIR/state/SEAM/local.cplogtosyslog_policy.C, these parameters may be filled with default values defined elsewhere, which in turn may cause unexpected behavior.
What I will say is that we only see the log_input_session traffic at our server, so I don't think that could be the issue, but it's food for thought. I think the bottom line is the fact that we're running on TCP and not UDP, and with TCP being stateful, it'll see an error and just stop sending traffic, won't it?
We still have issues with the original file we were given by Check Point, so that's why I think it's not an issue to do with a field.
Hi,
I found a problem: cplogtosyslog stops sending logs after upgrading the hotfix to Take 56.
I tried stopping/starting cplogtosyslog; it sends logs for about 1-2 minutes and then stops again.
Please help to advise.
Hello Kosin,
Maybe your problem is because the last Jumbo version approved for CPLogToSyslog is HFA42.
Regards.
I tried rolling back the hotfix to #T42 and installing the latest version of CPLogToSyslog, but it is still not working.
I have already opened a case with TAC but am waiting for it to be investigated with the R&D team.
Hello,
Is there a way to modify the log content, with fewer fields than we have now?
For example, I get this in my syslog server:
01-31-2018 23:50:52 Lpr.Notice 10.88.9.1 Wed Jan 31 23:51:23 GW1 LOG GW1: ContentVersion: 5; Uuid: {0x5a72486a,0x0,0x109580a,0xc0000001}; SequenceNum: 4; Flags: 16384; Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; Alert: ; LogId: 0; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; OriginSicName: cn=cp_mgmt,o=gw_r80.domain.test.d73ncd; log_type: connection; is_first_for_luuid: 131072; hll_key: 9176802383052573599; inzone: Internal; outzone: External; service_id: domain-udp; src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; NAT_rulenum: 4; NAT_addtnl_rulenum: 1; protocol: DNS-UDP; sig_id: 4; context_num: 1; match_id: 7; match_table.match_id: 7(+)16777218; layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145; match_table.layer_uuid: 13060ad2-4fe9-48fd-8274-b7747470b145(+)fa8c5735-756d-4a7c-b16a-7a3b42fcf1ad; layer_name: Network; match_table.layer_name: Network(+)URL FILTER; rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627; match_table.rule_uid: cbccba7d-96a2-484e-86ec-a4d4ace29627(+)22d4d6e4-f19d-461b-92c8-1cec78604ea0; rule_name: ; match_table.rule_name: (+)Cleanup rule; rule_action: 2; match_table.rule_action: 2(+)2; parent_rule: 0; match_table.parent_rule: 0(+)0; aba_customer: SMC User; date: 31Jan2018; hour: 23:51:22; type: connection; Interface: < eth1; ProductName: VPN-1 & FireWall-1; svc: 53; sport_svc: 56208; xlatedport_svc: ; xlatesport_svc: 36370;
Is it possible to get this instead?
01-31-2018 23:50:52 Lpr.Notice 10.88.9.1 Wed Jan 31 23:51:23 GW1 LOG GW1: Action: accept; Origin: 10.88.9.1; IfDir: >; InterfaceName: eth1; src: 10.88.9.3; dst: 8.8.8.8; proto: 17; xlatesrc: 192.168.145.10; protocol: DNS-UDP;
Thank you
I'm not aware of a way to modify the syslog output (but maybe I'm wrong).
I believe this is planned for the LogOut project in any case.
Hi Romain,
If you get tricky with the filtering you can reduce the results slightly, but not to the extent you wish for.
Hi all,
does this add any more significant load to the machines, or is it safe to install?