This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2021-08-05 07:38 AM

Log Exporter R80.40 error

I am looking to integrate my Checkpoint R80.40 GW Cluster to a syslog server via Log Exporter.

i configured Log exporter in the Mgmt Server as : 

cp_log_export add name SYSLOG target-server 1.92.168.1.29 target-port 514 protocol udp format syslog

i can see the process is up and running via cp_log_export show command.

 

i ran a tcpdump on mgmt server to check what logs are being forwarded and i am able to see proper logs in the output but at the syslog side i only see host name of firewall and an id i.e. FWLA- Mgmt CheckPoint[14498] and there is not log data beyond this..

 

**Sample output from tcpdump**

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.08.05 11:55:27 =~=~=~=~=~=~=~=~=~=~=~=
2021-08-05T11:53:57Z FWLA-Mgmt CheckPoint[14498]                                              tcpdump -nnei any host 192.168.1.29 -A -s 1500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 1500 bytes
11:56:01.075494 Out 02:46:ca:9f:c8:99 ethertype IPv4 (0x0800), length 614: 192.168.1.20.61205 > 192.168.1.29.514: SYSLOG local0.info, length: 570
E..VU.@.@...

......=..<134>1 2021-08-05T11:56:14Z FWLA-Mgmt CheckPoint 14498 - [action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x610bd1d1,0x8,0xf093a0a,0x1a2eb457}"; origin:"172.18.1.9"; originsicname:"CN=LA-DMZ-FW1,O=FW-Mgmt..z7o4t4"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={8A363A8F-77E2-B84C-9136-3E18DD761850};mgmt=FW-Mgmt;date=1628163987;policy_name=DMZ-FW-Policy\]"; dst:"172.18.1.9"; message_info:"Address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38030"; service:"443"; src:"192.241.215.94"]
................
11:56:01.075529 Out 02:46:ca:9f:c8:99 ethertype IPv4 (0x0800), length 609: 192.168.1.20.61205 > 192.168.1.29.514: SYSLOG local0.info, length: 565
E..QU.@.@...

Any help to resolve this is appreciated.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-08-08 06:22 PM

What you showed looks like a complete log line there.
What am I missing exactly?

Regardless, the remote end has to be able to parse the syslogs sent by log exporter.
If you're using rsyslog, you may need to make a configuration change on the server side as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
LostBoY
Advisor
‎2021-08-16 07:08 AM
In response to PhoneBoy

the log line i showed is from the Mgmt Server and in the syslog server i see only  FWLA-Mgmt CheckPoint 14498..

there is no data after that. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-16 04:06 PM
In response to LostBoY

If you can see the log details in the tcpdump being sent to the server (which is what it appears from what you pasted), then the problem is on the syslog server.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events