DimiDB
Explorer

Log server unable to parse "syslog cplogs" from security gateway

Hello,

In order to centralize gateway system logs, I'm using the "set syslog cplogs on"-option to forward the local /var/log/messages from hundreds of gateways to our Check Point logging server.

Technically, this should allow us to do reporting, post-processing and filtering on these system logs.

It appears, though, that not all syslogs are parsed correctly, resulting in valuable data falling back to the "default_device_message" field.

This particular field is not usable in reports, hence no post-processing is possible.

Attached an example of an extract of 3 gateways.

I opened a ticket with Check Point TAC, though after months of discussing with R&D, they claimed it is "normal" that a Check Point Log Server does not understand system logs sent by Check Point Gateways and recommended that I create a parser.

I was wondering if anyone in the community has created parsers like these in the past (sk55020) and if you would be so kind to share these.

Many thanks in advance!

0 Kudos
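To illustrate the parsing gap described above, here is an added example (not code from the original post, from Check Point, or from sk55020): a small Python pre-parser that splits BSD/RFC 3164-style lines from /var/log/messages into named fields and keeps anything it cannot parse whole under a "default_device_message" key, mirroring the log server's fallback. The sample lines and host names are constructed.

```python
import re

# Layout of a line as written to /var/log/messages (the <PRI> prefix is only
# present when the line travels over the network, so it is optional here):
#   "<PRI>Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines (hypothetical gateway names gw-01 / gw-02).
SAMPLE_LINES = [
    "Oct 12 14:03:11 gw-01 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "<13>Oct 12 14:03:12 gw-02 kernel: eth1: link up",
    "this line has no syslog structure at all",
]


def parse_syslog_line(line):
    """Return a dict of fields for one line.

    Lines that do not fit the expected layout are not dropped: the whole text is
    kept under 'default_device_message', which is exactly the field the log
    server falls back to and which cannot be used in reports.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return {"default_device_message": line.strip()}
    d = m.groupdict()
    rec = {"timestamp": d["ts"], "host": d["host"],
           "program": d["prog"], "message": d["msg"]}
    if d["pid"]:
        rec["pid"] = int(d["pid"])
    if d["pri"] is not None:
        # PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
        pri = int(d["pri"])
        rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


def summarize(lines):
    """Count how many lines became usable fields versus the fallback field."""
    counts = {"parsed": 0, "fallback": 0}
    for line in lines:
        key = "fallback" if "default_device_message" in parse_syslog_line(line) else "parsed"
        counts[key] += 1
    return counts
```

Running summarize over a real /var/log/messages extract shows which message types would land in the fallback field and therefore need a dedicated parser rule.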
4 Replies
PhoneBoy
Admin
Admin

Most of what comes from local syslog doesn't necessarily translate into a logging system designed for network traffic.
We do not do this by default, but we provide the ability to create a parser to do it to your specification.
I haven't seen too many people posting syslog parsers to the community.

0 Kudos
DimiDB
Explorer

/var/log/messages contains tons of useful firewall related messages.

Most vendors have some sort of central logging for this type of system message in order to better manage them in large-scale environments, which is what I'm trying to accomplish with Check Point as well.

0 Kudos
PhoneBoy
Admin
Admin

I don't disagree.
However, the product is operating as designed in this situation.
You can discuss your precise requirements with your local Check Point office so an RFE can be filed.
It's also possible Check Point Professional Services could create an appropriate parser to your specifications (at cost).

0 Kudos
DimiDB
Explorer

RFE 5KH6K4Jmn was launched somewhere in July and was forwarded to our local SEs.
Perhaps I'll take a shot at it when things calm down during the winter break, though Check Point should be paying me then to optimize their product 😉

0 Kudos