This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ave_Joe
Collaborator
‎2020-01-06 06:35 PM

Device not logging notifications

Hello all.

Is there a way to setup a notification when a Checkpoint gateway device stops logging to it's designated central log server? 

I have seen cases where the gateway is operating normally but for one reason or another logs are not being successfully sent to the central log server.  It would be great if an alert could be generated when this occurs so the issue can be investigated and addressed asap.

Is there a way this could be done?

Currently I think the only way to determine if a gateway is logging to the central log server is through a manual audit.  No one wants to or should be expected to manually audit the log server to determine if the security logs from any of  the managed devices are being received or not.  Especially problematic in large environments 

Thoughts?

0 Kudos
2 Replies
Dilian_Chernev
Collaborator
‎2020-01-07 01:25 AM

Hi,
In the cases you don't receive logs, did you check if there is connection established on port 257 between GW and MGMT?

[Expert@gw:0]# netstat -anp | grep 257 | grep EST
tcp        0      0 192.168.XX.YY:51496          192.168.XX.ZZ:257            ESTABLISHED 5699/fwd

You can check the connection status with some 3-rd party monitoring tools and create alerts if its lost

0 Kudos
mdjmcnally
Advisor
‎2020-01-07 04:15 AM

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is about SNMP but there are SNMP OID that can query around the Logging Status.

Provided are

Log Server connectivity - Connectivity with Log Server(s):

  • 0 - OK
  • 1 - Warning
  • 2 - Error

Local logging status - Is Status of local logging:

  • 0 - logging to configured log server(s)
  • 1 - local logging is configured
  • 2 - local logging due to connectivity issues
  • 3 - local logging due to high rate

So should be able to query the OID and if isn't 0 for them then you have a Logging Issue.

SNMP system should be able to generate an alert for you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top