Network_Engine2
Participant

R80.10 API logs

Hi,

So we've been exporting our gateway *audit logs* regularly in 77.30 to Splunk, and now we upgraded to 80.10.

With the new API, we are wondering if it's possible to export the logs of the API.

Let's say, for example, if someone ran a "show group" command from the management server, its log would be exported and seen on Splunk.

Is it possible? 


0 Kudos
6 Replies
Nick_Doropoulos
Advisor

Have you tried the Log Exporter for that purpose (sk122323)?

You would need to install the Check_Point_R80.10_Log_Exporter_T50_sk122323_FULL.tgz package first as far as I can see and then I would refer you to the most relevant section for you:

Splunk

It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

For more information about installation and deployment, please see the Check Point App for Splunk User Guide.

In addition, in order to configure an encrypted connection, do the following:

1. Generate server pem file:
    cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

2. Update the inputs.conf file on the Splunk server
    vi /opt/splunk/etc/apps/search/local/inputs.conf

    [SSL]
    serverCert = /etc/ssl/my-certs/splunk.pem
    sslPassword = <challenge password>
    requireClientCert = true

    [tcp-ssl://<port>]
    index = <index>

3. Update the server.conf file on the Splunk server
    vi /opt/splunk/etc/system/local/server.conf

    [sslConfig]
    sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

4. Restart Splunk
    /opt/splunk/bin/splunk restart


I hope this helps.
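
A quick way to check that a Splunk inputs.conf actually matches the encrypted-input layout quoted above (added example; not code from the reply, from Check Point or from sk122323): it parses the file and flags a plaintext [tcp://] input, a missing serverCert, or a requireClientCert that is not true. The port numbers and index name in the samples are constructed.

```python
import configparser


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; keys stay case-sensitive (requireClientCert)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are camelCase; do not lowercase them
    cp.read_string(text)
    return cp


def lint_inputs_conf(text: str) -> list:
    """Return findings; an empty list means the listener matches the hardened layout."""
    cp = parse_inputs_conf(text)
    findings = []
    ssl = cp["SSL"] if cp.has_section("SSL") else {}
    if not ssl.get("serverCert"):
        findings.append("[SSL] serverCert missing: TLS listeners have no server certificate")
    if ssl.get("requireClientCert", "false").strip().lower() != "true":
        findings.append("[SSL] requireClientCert is not true: any host can push logs")
    for name in cp.sections():
        if name.startswith("tcp://"):
            findings.append(f"[{name}] plaintext TCP input: logs cross the network unencrypted")
        elif name.startswith("tcp-ssl://") and not cp[name].get("index"):
            findings.append(f"[{name}] no index set: events land in the default index")
    if not any(s.startswith("tcp-ssl://") for s in cp.sections()):
        findings.append("no [tcp-ssl://<port>] stanza: nothing listens for Log Exporter over TLS")
    return findings


# Constructed samples: a weak plaintext listener, and the layout quoted in the reply above.
WEAK_CONF = """
[tcp://514]
index = checkpoint
"""

HARDENED_CONF = """
[SSL]
serverCert = /etc/ssl/my-certs/splunk.pem
sslPassword = <challenge password>
requireClientCert = true

[tcp-ssl://6514]
index = checkpoint
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_inputs_conf(conf) or "OK")
```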

PhoneBoy
Admin

All API sessions appear in the audit logs, which should get exported to Splunk via Log Exporter or LEA.
Network_Engine2
Participant

Hi, I am using Log Exporter but the only logs it exports are clish logs or SSH connections, but not the Linux expert commands. Is there any other configuration I need to make?

PhoneBoy
Admin

First of all, expert commands aren't logged at all by default, but clish commands are.
Log Exporter does not get the OS logs, but you can configure Gaia to send them via syslog in the WebUI or clish (can't remember the command offhand).
0 Kudos
Network_Engine2
Participant

OK, what about API commands through the expert, are they logged? It seems odd to me that you can't see what was searched with the API...

PhoneBoy
Admin

mgmt_cli commands are API calls, just with a specific client.
You can see what calls are made via $FWDIR/log/api.elg.