Quentin_Antrim
Participant

CheckPoint syslog export and forwarding

We are using a third-party MDR to forward Check Point logs to their sensor for the MDR's evaluation. However, they are indicating that they are not receiving the logs in a syslog readable format.

I am using the log exporter on our logging server/SMS to send the logs to their sensors in a Syslog format. There is no question about the configuration. However, they claim they are not formatted correctly for them to read as Syslog and say that the problem must be on my side. In addition, they also say they would prefer to have the logs come from each Check Point enforcement point directly rather than an export from the central SMS because everything appears to source from the IP of the SMS rather than the enforcement point's IP.

1) As I have log exporter configured correctly to point to them to deliver the logs as syslog, is there any other due diligence that I could do on my end that could shed some light on this? Anybody experience anything similar?

2) I'd like to try sending syslog directly from a single enforcement point just to see what happens. However, when I look at how that is done in CheckPoint documentation, it appears, if I understand it correctly, to be a way to send to a syslog server instead of to the SMS. I'd like to have it send syslog to a syslog server IN ADDITION TO the SMS. Am I misunderstanding this, and does anybody have a way of sending additional syslog from the enforcement point to a secondary syslog server?

Thanks.

Quentin

0 Kudos
3 Replies
PhoneBoy
Admin

There are actually several formats supported by Log Exporter.
Many of them are SIEM specific, but standard rsyslog and ng-syslog are both supported targets.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

If you send syslog from a gateway, you will only get firewall logs (no logs for App Control, URL Filtering, or Threat Prevention blades).
The only way to get complete log data is to have data sent from the management.
While it is supported to send syslogs from the gateway, it's generally not recommended for that reason.

0 Kudos
Quentin_Antrim
Participant

Thanks.

In terms of rsyslog and ng-syslog, I see that your documentation link mentions support of them, but there doesn't seem to be anything more. Under the Format in the Log Exporter configuration, Syslog is the only syslog option, so does that include, in theory, rsyslog and ng-syslog? I do see that it appears that an rsyslog server needs to adjust how it handles the timestamp, but that's about it.

0 Kudos
PhoneBoy
Admin

I am not familiar with the precise differences between rsyslog and ng-syslog, but I would assume they are similar enough that the supported "Formatting" configuration applies to both of them.
Ultimately it is the responsibility of the syslog server to properly interpret what is sent.

What precise syslog server is being used in your environment?
What precise "parsing" errors are being reported?

0 Kudos
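As an added example (not from this thread and not Check Point's or the MDR's code), a small Python triage script covering the "due diligence" asked in question 1 and the "what parsing errors" asked in the last reply: run it over lines captured at the receiving sensor, it reports which lines lack a well-formed RFC 5424 header (the kind of thing a receiver expecting BSD-style timestamps would choke on) and collects the `origin` field, which in Check Point log records names the gateway that produced the record even when the UDP/TCP source address is the SMS. The sample lines are constructed and the bracketed `key:"value";` body layout is assumed.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID then body
RFC5424_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$'
)
# Assumed Log Exporter body layout: [key:"value"; key:"value"; ...]
KV_PAIR = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Constructed sample of what a sensor might capture from the SMS.
# Line 3 has a BSD (RFC 3164) header, line 4 no header at all.
SAMPLE = [
    '<134>1 2024-03-21T17:25:25Z sms-host CheckPoint 26203 - [action:"Accept"; '
    'ifdir:"inbound"; ifname:"eth0"; origin:"10.1.1.1"; product:"VPN-1 & FireWall-1"; '
    'src:"10.1.2.3"; dst:"192.0.2.10"]',
    '<134>1 2024-03-21T17:25:26Z sms-host CheckPoint 26203 - [action:"Drop"; '
    'ifdir:"inbound"; origin:"10.1.1.2"; product:"VPN-1 & FireWall-1"]',
    '<134>Mar 21 17:25:27 sms-host CheckPoint: [action:"Accept"; origin:"10.1.1.1"]',
    'garbage line with no syslog header',
]

def parse_line(line):
    """Return header fields plus a 'fields' dict, or None if not RFC 5424."""
    m = RFC5424_HEADER.match(line.strip())
    if not m or int(m.group("pri")) > 191:   # PRI = facility*8 + severity, max 191
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "fields": dict(KV_PAIR.findall(m.group("rest"))),
    }

def triage(lines):
    """Return (bad, origins): (line_no, prefix) of unparseable lines, and gateway IPs seen."""
    bad, origins = [], set()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            bad.append((n, line[:60]))
        elif "origin" in rec["fields"]:
            origins.add(rec["fields"]["origin"])
    return bad, origins

if __name__ == "__main__":
    bad, origins = triage(SAMPLE)
    print("malformed:", bad)            # lines 3 and 4
    print("gateways seen:", sorted(origins))   # 10.1.1.1, 10.1.1.2
```

Feed it real captured lines (one per list element, or read from a file) and compare the "malformed" list with whatever the sensor reports; if every line parses here, the disagreement is about the receiver's expected header style rather than the export.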