This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Logger
Explorer
‎2020-10-21 11:41 PM
Jump to solution

Check Point MDS / Gateway Logs

Hello

I'm trying to onboard Check Point logs at the moment and could need some help.

The goal is to send all Logs to a Syslog server and then bring them into a log pipeline.

As I understand Check Point has two log sources: traffic and security logs are exported from the MDS log server with "cp_log_export" and the audit logs and device logs from the gateways are configured with the clish syslog commands. Is that correct?

Now I face these problems:

Is there a way to send gateway (GAIA) logs via TCP or even syslog over TLS?

Can you export the "cp_log_export" via syslog but still use the Splunk app?

Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?

Thanks a lot for the help.

Cheers

0 Kudos
1 Solution

Accepted Solutions
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-10-22 12:04 AM
Jump to solution

Yes to most questions & please read the log-Exporter sk (sk122323), as Val suggested.


to answer your last question:
"Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?"

Not exactly, an HA/Backup like system for log-exporting (cp_log_export) is not currently available. You can simply send simultaneously to 2 different syslog servers = duplication.
BUT assuming you have 2 different log-servers when one is a backup Log-Server for 1 GW (you can configure that), then you can configure both to export to same syslog server.
and only once the backup LS starts actually logging (once Primary Log-Server is down for any reason), it'll actually export these logs.
that is a sort-of backup active/passive log-exporter, but it depends on the base Log-Server receiving the logs.

Hope that helped.

View solution in original post

2 Replies
_Val_
Admin
Admin
‎2020-10-21 11:54 PM
Jump to solution

Please read sk122323, you should have all the answers there

0 Kudos
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-10-22 12:04 AM
Jump to solution

Yes to most questions & please read the log-Exporter sk (sk122323), as Val suggested.


to answer your last question:
"Can you configure multiple syslog servers in active / passive mode. That you don't have duplicated logs but the logs get sent when one syslog server fails?"

Not exactly, an HA/Backup like system for log-exporting (cp_log_export) is not currently available. You can simply send simultaneously to 2 different syslog servers = duplication.
BUT assuming you have 2 different log-servers when one is a backup Log-Server for 1 GW (you can configure that), then you can configure both to export to same syslog server.
and only once the backup LS starts actually logging (once Primary Log-Server is down for any reason), it'll actually export these logs.
that is a sort-of backup active/passive log-exporter, but it depends on the base Log-Server receiving the logs.

Hope that helped.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events