This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Quentin_Antrim
Participant
‎2022-06-27 02:09 PM

CheckPoint syslog export and forwarding

We are using a third-party MDR to forward Check Point logs to their sensor for the MDR's evaluation.   However, they are indicating that they are not receiving the logs in a syslog readable format.  

I am using the log exporter on our logging server/SMS to send the logs to their sensors in a Syslog format.  There is no question about the configuration.  However, they claim they are not formatted correctly for them to read as Syslog and say that the problem must be on my side.  In addition, they also say they would prefer to have the logs come from each Check Point enforcement point directly rather than an export from the central SMS because everything appears to source from the IP of the SMS rather than the enforcement point's IP.

1)  As I have log exporter configured correctly to point to them to deliver the logs as syslog, is there any other due diligence that I could do on my end that could shed some light on this?  Anybody experience anything similar?

2)  I'd like to try sending syslog directly from a single enforcement point just to see what happens.  However, when I look at how that is done in CheckPoint documentation, it appears, if I understand it correctly, to be a a way to send to a syslog server instead of to the SMS.   I'd like to have it send syslog to a syslog server IN ADDITION TO the SMS.   Am I misunderstanding this, and does anybody have a way of sending additional syslog from the enforcement point to a secondary syslog server?

Thanks.

Quentin

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-06-27 04:59 PM

There are actually several formats supported by Log Exporter.
Many of them are SIEM specific, but standard rsyslog and ng-syslog are both supported targets.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

If you send syslog from a gateway, you will only get firewall logs (no logs for App Control, URL Filtering, or Threat Prevention blades).
The only way to get complete log data is to have data sent from the management.
While it is supported to send syslogs from the gateway, it's generally not recommended for that reason.

(1)
Quentin_Antrim
Participant
‎2022-06-28 08:33 AM
In response to PhoneBoy

Thanks.  

In terms of rsyslog and ng-syslog, I see that your documentation link mentions support of them, but doesn't seem to be anything more.  Under the Format in the Log Expoter configuration, Syslog is the only syslog option, so does that include, in theory, rsyslog and ng-syslog?  I do see that it appears that an rsyslog server needs to adjust how it handles the timestamp, but that's about it.   

0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-28 10:28 AM
In response to Quentin_Antrim

I am not familiar with the precise differences between rsyslog and ng-syslog, but I would assume they are similar enough that the supported "Formatting" configuration applies to both of them.
Ultimately it is the responsibility of the syslog server to properly interpret what is sent.

What precise syslog server is being used in your environment?
What precise "parsing" errors are being reported?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events