This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DimiDB
Explorer
‎2023-12-18 12:08 AM

Log server unable to parse "syslog cplogs" from security gateway

Hello,

In order to centralize gateway system logs, I'm using the "set syslog cplogs on"-option to forward the local /var/log/messages from hundreds of gateways to our Check Point logging server.

Technically, this should allow us to do reporting, post-processing and filtering on these system logs.

It appears though not all syslogs are parsed correctly, resulting in valuable data falling back to the "default_device_message"-field.

This particular field is not usable in reports, hence no post-processing is possible.

Attached an example of an extract of 3 gateways.

I opened a ticket with Check Point TAC, though after months of discussing with R&D, they claimed it is "normal" a Check Point Log Server does not understand system logs sent by Check Point Gateways and recommend me to create a parser.

I was wondering if anyone in the community has created parsers like these in the past (sk55020) and if you would be so kind to share these.

Many thanks in advance!

Preview file
59 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-12-18 05:06 PM

Most of what comes from local syslog doesn't necessarily translate into a logging system designed for network traffic.
We do not do this by default, but we provide the ability to create a parser to do it to your specification.
I haven't seen too many people posting syslog parsers to the community.

0 Kudos
DimiDB
Explorer
‎2023-12-19 02:17 AM
In response to PhoneBoy

/var/log/messages contains tons of useful firewall related messages.

Most vendors have some sort of central logging for these type of system messages in order to better manage these in large scale environments, which is what I'm trying to accomplish with Check Point as well.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-19 10:59 AM
In response to DimiDB

I don't disagree.
However, the product is operating as designed in this situation.
You can discuss your precise requirements with your local Check Point office so an RFE can be filed.
It's also possible Check Point Professional Services could create an appropriate parser to your specifications (at cost).

0 Kudos
DimiDB
Explorer
‎2023-12-20 12:20 AM
In response to PhoneBoy

RFE 5KH6K4Jmn was launched somewhere in July and was forwarded to our local SE's.
Perhaps I'll take a shot at it when things calm down during the winter break, though Check Point should be paying me then to optimize their product 😉

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events