LostBoY
Advisor

Log Exporter R80.40 error

I am looking to integrate my Checkpoint R80.40 GW Cluster to a syslog server via Log Exporter.

I configured Log Exporter on the Mgmt Server as:

cp_log_export add name SYSLOG target-server 1.92.168.1.29 target-port 514 protocol udp format syslog

I can see the process is up and running via the cp_log_export show command.

I ran a tcpdump on the Mgmt Server to check what logs are being forwarded and I am able to see proper logs in the output, but at the syslog side I only see the host name of the firewall and an ID, i.e. FWLA-Mgmt CheckPoint[14498], and there is no log data beyond this.

 

**Sample output from tcpdump**

```
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.08.05 11:55:27 =~=~=~=~=~=~=~=~=~=~=~=
2021-08-05T11:53:57Z FWLA-Mgmt CheckPoint[14498]                                              tcpdump -nnei any host 192.168.1.29 -A -s 1500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 1500 bytes
11:56:01.075494 Out 02:46:ca:9f:c8:99 ethertype IPv4 (0x0800), length 614: 192.168.1.20.61205 > 192.168.1.29.514: SYSLOG local0.info, length: 570
E..VU.@.@...
......=..<134>1 2021-08-05T11:56:14Z FWLA-Mgmt CheckPoint 14498 - [action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x610bd1d1,0x8,0xf093a0a,0x1a2eb457}"; origin:"172.18.1.9"; originsicname:"CN=LA-DMZ-FW1,O=FW-Mgmt..z7o4t4"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={8A363A8F-77E2-B84C-9136-3E18DD761850};mgmt=FW-Mgmt;date=1628163987;policy_name=DMZ-FW-Policy\]"; dst:"172.18.1.9"; message_info:"Address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38030"; service:"443"; src:"192.241.215.94"]
................
11:56:01.075529 Out 02:46:ca:9f:c8:99 ethertype IPv4 (0x0800), length 609: 192.168.1.20.61205 > 192.168.1.29.514: SYSLOG local0.info, length: 565
E..QU.@.@...
```

Any help to resolve this is appreciated.

3 Replies
PhoneBoy
Admin

What you showed looks like a complete log line there.
What am I missing exactly?

Regardless, the remote end has to be able to parse the syslogs sent by log exporter.
If you're using rsyslog, you may need to make a configuration change on the server side as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

LostBoY
Advisor

The log line I showed is from the Mgmt Server; in the syslog server I see only FWLA-Mgmt CheckPoint 14498.

There is no data after that.

PhoneBoy
Admin

If you can see the log details in the tcpdump being sent to the server (which is what it appears from what you pasted), then the problem is on the syslog server.

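Added example (not from the thread or from Check Point): a small Python parser for the line Log Exporter emitted in the tcpdump above. It shows that the whole event body sits after the `CheckPoint 14498 -` header as `key:"value";` pairs, and that a receiver which keeps only the RFC 5424 header fields displays exactly the `FWLA-Mgmt CheckPoint[14498]` fragment the OP saw. The field names are taken from the captured line; the header/body split and the `\]` escape handling are assumptions from that capture, not Check Point's documented format.

```python
import re

# Constructed sample: the RFC 5424 style line Log Exporter emitted in the
# tcpdump above (field values copied from the thread, trimmed for length).
SAMPLE = (
    '<134>1 2021-08-05T11:56:14Z FWLA-Mgmt CheckPoint 14498 - '
    '[action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; '
    'origin:"172.18.1.9"; '
    r'__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={8A363A8F-77E2-B84C-9136-3E18DD761850};'
    r'mgmt=FW-Mgmt;date=1628163987;policy_name=DMZ-FW-Policy\]"; '
    'dst:"172.18.1.9"; message_info:"Address spoofing"; product:"VPN-1 & FireWall-1"; '
    'proto:"6"; s_port:"38030"; service:"443"; src:"192.241.215.94"]'
)

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# Check Point body: key:"value"; pairs; a value may contain escaped characters such as \]
FIELD = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

def parse_cp_syslog(line):
    """Split a Log Exporter syslog line into header fields and the key/value body."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri = int(m.group('pri'))
    rec = {
        'facility': pri // 8,   # 134 -> 16 = local0, as tcpdump decoded it
        'severity': pri % 8,    # 134 -> 6 = info
        'timestamp': m.group('ts'), 'hostname': m.group('host'),
        'appname': m.group('app'), 'procid': m.group('pid'),
    }
    body = m.group('rest').strip()
    if body.startswith('[') and body.endswith(']'):
        body = body[1:-1]       # strip the outer brackets only; \] inside values stays
    rec['fields'] = dict(FIELD.findall(body))
    return rec

def header_only(rec):
    """What a receiver that keeps just the header fields would display for this line."""
    return f"{rec['hostname']} {rec['appname']}[{rec['procid']}]"

if __name__ == '__main__':
    r = parse_cp_syslog(SAMPLE)
    print(header_only(r))            # FWLA-Mgmt CheckPoint[14498], the fragment the OP saw
    for k in ('action', 'src', 'dst', 'service', 'message_info'):
        print(f'{k} = {r["fields"][k]}')
```

Comparing the parsed fields against what the receiver stores is a quick way to confirm the body reaches the server and is being discarded during parsing rather than lost in transit.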