Hi, I know it will be a little deep, but why are syslog logs separated with "\" while LEA logs are separated with ";"? Is there an option to change the log format? Log samples:
LEA,
"loc=2302|filename=fw.log|fileid=1506445139|time=26Sep2017 20:18:31|action=accept|orig=10.10.10.254|orig_name=firewall|i/f_dir=inbound|has_accounting=0|product=FG|src=10.10.10.131|s_port=50039|dst=195.244.32.152|service=80|service_name=http|proto=tcp|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={6CACC116-CA9B-0C40-8058-68405ABF999A};mgmt=firewall;date=1503862935;policy_name=defaultfilter]|origin_sic_name=cn=cp_mgmt,o=firewall.sdfdsfasd.itv9jz","id":"44eb1002a34f11e797330050568269ea","time":1506516252,"hash":"5374aa13"}
Syslog,
Sep 28 22:56:48+03:00 192.168.105.1 Action=\"update\" UUid=\"{0x34cd2400,0x0,0x151a8c0,0x817}\" client_name=\"Active Directory Query\" client_version=\"R77\" domain_name=\"dblakdsba\" src=\"10.10.9.11\" endpoint_ip=\"10.10.9.11\" auth_status=\"Successful Login\" identity_src=\"AD Query\" snid=\"53eb3bc8\" src_machine_name=\"lkshdbaksdba\" src_machine_group=\"All Machines\" auth_method=\"Machine Authentication (Active Directory)\" identity_type=\"machine\" Authentication trial=\"this is a reauthentication for session 53eb3bc8\" product=\"Identity Awareness\
Waiting for your help, thank you.
In LEA it looks like the delimiter is | after each name/value pair.
In syslog, it looks like there are name/value pairs followed by spaces.
The quote characters are escaped for some reason (that's what the backslash is).
As far as I know there is no way to change this currently.
Thank you for the reply, I've noticed now that the backslash is an escape character.
It seems like Check Point has two different log formats for syslog. One is the old one that is used in old products like Security Appliances 1100 and 1400, and the other one is used in new products like Security Appliances 4800. I've shared the two different log formats below; you can see the main differences. I have one more question. Why does Check Point first send its logs to the mgmt server and then to the syslog server? What is the difference between sending logs directly to a syslog server and sending logs to a mgmt server?
Security Appliances 1100:
"Oct 02 16:37:53+03:00 192.168.109.1Action=\"update\"UUid=\"{0x23d24411,0x1,0x151da8c0,0x3987}\" client_name=\"Active Directory Query\" client_version=\"R77\" domain_name=\"dgsdfsda\" src=\"10.10.10.215\" endpoint_ip=\"10.10.10.215\" auth_status=\"Successful Login\" identity_src=\"AD Query\" snid=\"3453de9c\" src_machine_name=\"safafsdb\" src_machine_group=\"All Machines\" auth_method=\"Machine Authentication (Active Directory)\" identity_type=\"machine\" Authentication trial=\"this is a reauthentication for session 3311de9c\" product=\"Identity Awareness\""
Security Appliances 4800:
"Firewall: 20Apr2017 11:12:10 1 drop xxx.175.53.58 >eth1-03 LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; inzone: Internal; outzone: External; rule: 63; rule_uid: {F9310C1C-516F-4C3D-86F4-4DF807F20321}; service_id: tcp-high-ports; src: 10.81.29.153; dst: xxx.220.223.28; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: tcp-high-ports; sport_svc: optika-emedia; ProductFamily: Network;"
Best regards,
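The three layouts quoted in this thread (pipe-delimited LEA, the 1100/1400 syslog with backslash-escaped quotes, and the 4800 "key: value;" syslog) each need a different split rule, and the LEA `__policy_id_tag` value shows why a naive split on `=` or `;` breaks. The following is an added example, not Check Point code or anything posted in the thread: the delimiter rules are inferred from the samples above, and the sample strings are constructed from them with shortened, anonymised values (documentation IP ranges, a placeholder UID).

```python
"""Parsers for the three Check Point log layouts quoted in the thread.

Added example (not Check Point's code). Delimiter rules are inferred from
the thread's samples; the samples below are constructed from them with
shortened, anonymised values.
"""
import re

# --- Constructed samples, modelled on the thread's log lines ------------------

# LEA export: pipe-delimited name=value pairs. The __policy_id_tag value itself
# contains '=' and ';', so only the FIRST '=' of a pair is the separator.
LEA_SAMPLE = (
    "loc=2302|filename=fw.log|time=26Sep2017 20:18:31|action=accept"
    "|orig=10.10.10.254|product=FG|src=10.10.10.131|s_port=50039"
    "|dst=195.244.32.152|service=80|proto=tcp"
    "|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={PLACEHOLDER-UID};"
    "mgmt=firewall;policy_name=defaultfilter]"
)

# 1100/1400 syslog: space-separated key=\"value\" pairs; the quotes arrive
# backslash-escaped, and both keys ("Authentication trial") and values may
# contain spaces, so splitting on whitespace is not an option.
SMB_1100_SAMPLE = (
    'Sep 28 22:56:48+03:00 192.168.105.1 Action=\\"update\\" '
    'UUid=\\"{0x34cd2400,0x0,0x151a8c0,0x817}\\" '
    'client_name=\\"Active Directory Query\\" src=\\"10.10.9.11\\" '
    'auth_status=\\"Successful Login\\" '
    'Authentication trial=\\"this is a reauthentication for session 53eb3bc8\\" '
    'product=\\"Identity Awareness\\"'
)

# 4800 syslog: fixed header, then "key: value;" pairs (constructed addresses).
SMB_4800_SAMPLE = (
    "Firewall: 20Apr2017 11:12:10 1 drop 203.0.113.58 >eth1-03 LogId: <max_null>; "
    "inzone: Internal; outzone: External; rule: 63; service_id: tcp-high-ports; "
    "src: 10.81.29.153; dst: 198.51.100.28; proto: tcp; "
    "ProductName: VPN-1 & FireWall-1; ProductFamily: Network;"
)


def parse_lea(record: str) -> dict:
    """Split on '|', then on the first '=' only, so '=' inside values survives."""
    fields = {}
    for pair in record.split("|"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields


_SYSLOG_HEADER = re.compile(r"^(?P<timestamp>\S+ \d+ \S+) (?P<host>\S+) (?P<body>.*)$")
# Match the two-character sequence \" as the value delimiter; the resulting
# value carries neither the quotes nor the escaping backslashes.
_SYSLOG_PAIR = re.compile(r'\s*(?P<key>[^=]+?)=\\"(?P<value>.*?)\\"')


def parse_smb_1100(record: str) -> dict:
    m = _SYSLOG_HEADER.match(record)
    if not m:
        raise ValueError("unrecognised 1100/1400 syslog header")
    fields = {"timestamp": m["timestamp"], "host": m["host"]}
    for pair in _SYSLOG_PAIR.finditer(m["body"]):
        fields[pair["key"]] = pair["value"]
    return fields


# Header layout read off the sample: date, time, a number, action, origin,
# '>' followed by the interface name, then the key: value; body.
_4800_HEADER = re.compile(
    r"^Firewall: (?P<date>\S+) (?P<time>\S+) (?P<seq>\d+) (?P<action>\S+) "
    r"(?P<origin>\S+) >(?P<interface>\S+) (?P<body>.*)$"
)


def parse_smb_4800(record: str) -> dict:
    m = _4800_HEADER.match(record)
    if not m:
        raise ValueError("unrecognised 4800 syslog header")
    fields = {k: m[k] for k in ("date", "time", "seq", "action", "origin", "interface")}
    for chunk in m["body"].split(";"):  # trailing ';' leaves an empty chunk
        chunk = chunk.strip()
        if chunk and ": " in chunk:
            key, value = chunk.split(": ", 1)
            fields[key] = value
    return fields


def parse(record: str) -> dict:
    """Choose a parser from layout markers visible in the thread's samples."""
    if record.startswith("Firewall: "):
        return parse_smb_4800(record)
    if '=\\"' in record:
        return parse_smb_1100(record)
    if "|" in record:
        return parse_lea(record)
    raise ValueError("unknown log layout")


def normalise(record: str) -> dict:
    """Map the layout-specific field names onto one small common schema."""
    f = parse(record)
    return {
        "src": f.get("src"),
        "dst": f.get("dst"),
        "action": f.get("action") or f.get("Action"),
        "product": f.get("product") or f.get("ProductName"),
    }


if __name__ == "__main__":
    for sample in (LEA_SAMPLE, SMB_1100_SAMPLE, SMB_4800_SAMPLE):
        print(normalise(sample))
```

The `normalise` step is where a SIEM ingest pipeline earns its keep: once the three layouts share field names, one detection (say, "drop from an internal source to an external zone") can be written once instead of per appliance family.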
The 1100 and 1400 products are SMB products, which use a slightly different codebase.
The fact the quotes are escaped looks like a bug and it's probably worth a support ticket.
Contact Support | Check Point Software
Check Point has always employed centralized management and logging.
Syslog support for Security logs is a relatively recent addition, particularly from gateways themselves.
In environments where you have tens or hundreds of gateways, it may make more sense for the gateways themselves to send syslogs.
In smaller environments, it's largely a matter of preference.
Note that in general there are plans to improve our syslog support in the coming months.