Hello,
In order to centralize gateway system logs, I'm using the "set syslog cplogs on"-option to forward the local /var/log/messages from hundreds of gateways to our Check Point logging server.
Technically, this should allow us to do reporting, post-processing and filtering on these system logs.
It appears though not all syslogs are parsed correctly, resulting in valuable data falling back to the "default_device_message"-field.
This particular field is not usable in reports, hence no post-processing is possible.
Attached an example of an extract of 3 gateways.
I opened a ticket with Check Point TAC, though after months of discussing with R&D, they claimed it is "normal" a Check Point Log Server does not understand system logs sent by Check Point Gateways and recommend me to create a parser.
I was wondering if anyone in the community has created parsers like these in the past (sk55020) and if you would be so kind to share these.
Many thanks in advance!