This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DeletedUser
Not applicable
‎2016-03-07 08:54 AM
Jump to solution

Sending Check Point security logs to 3rd party devices via syslog

Hi,

Is this available in R80, i.e. sending Check Point security logs to 3rd party devices via syslog from the management server? This utility was previously available as a hotfix called CPLogtoSyslog?

thx,

bob

1 Solution

Accepted Solutions
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2017-08-13 11:07 AM
In response to Eyal_Rashelbach
Jump to solution

CPLogToSyslog for R80.10 is now available.

Check sk115392 for more information

View solution in original post

0 Kudos
13 Replies
Yuval__Dotan
Employee Alumnus
Employee Alumnus
‎2016-03-08 12:46 AM
Jump to solution

It is currently being developed and should be available soon

Mike_Barkett
Explorer
‎2016-03-08 12:36 PM
Jump to solution

Hi Bob and Yuval!

Will it be available only from management, or also from the gateway, a la R77.30 LTE add-on (sk87560)?

In R80.x will it be an add-on or native?

Thanks.

-MAB

0 Kudos
Yuval__Dotan
Employee Alumnus
Employee Alumnus
‎2016-03-09 12:54 AM
In response to Mike_Barkett
Jump to solution

sk87560 is not merged into R80. will probably be merged to R80.10

0 Kudos
Rajeev_Gupta
Employee
Employee
‎2016-04-19 05:36 AM
In response to Yuval__Dotan
Jump to solution

Hi Yuval,

Could you please confirm if the feature to send Check Point logs from management via syslog is still on R80.10 roadmap? If not, is CPLogtoSyslog hotfix ported to R80 management?

Thanks,

Rajeev

DeletedUser
Not applicable
‎2016-03-09 08:55 AM
Jump to solution

Hi,

As Yuval says R80 on the gateway will be supported in a later release. You can still receive Check Point events via syslog from R77.30 gateways, but you may want to get them from the management server via syslog for a couple of reasons.

  • Check Point security events may consist of more than one fragment. The management server unifies these fragments while the gateway does not.
  • Some events may contain confidential fields. The management server applies permissions to view this data while the gateway events may be obfuscated with "***Confidential***".

hth,

bob

Carlos_Molina
Participant
‎2017-02-03 05:42 AM
In response to DeletedUser
Jump to solution

Hello Bob.

You mention that GW cannot send some fields in clear text...because it cannot apply permisisions to view this data???.

I have tested in R77.30 that using supported solution (syslog from GW), I get ***CONFIDENTIAL*** in my syslog server.

But I have checked that GW really knows that information because if I send those same logs executing # fw log -ftnl | logger -p local4.info I get all fields correctly. For example:

Feb  3 08:39:26 192.168.146.148 logger:  3Feb2017 14:39:25 block  192.168.80.253 <eth1 src:192.168.80.100;dst:193.110.128.109;proto:tcp;appi_name:marca.com;app_id:2779471769;matched_category:Sports;app_properties:Sports,URL Filtering;app_risk:0;app_rule_id:{8EC55CFD-CB67-4B15-B6A5-9AA3BF6A39B9};app_rule_name:Block Child Abuse sites;web_client_type:Firefox;web_server_type:Other: nginx/1.9.9;resource:http://www.marca.com/;proxy_src_ip:192.168.80.100;product:URL Filtering;service:http;s_port:50070;product_family:Network

So I understand there must be a way to send those logs vía syslog without ***

What do you think?

Thanks in advance.

DeletedUser
Not applicable
‎2017-02-06 09:09 AM
In response to Carlos_Molina
Jump to solution

Hi,

Yes, the gateway has the information, but it's obfuscated when you get the information directly from the gateway. TTBOMK there isn't a gateway to syslog option available where you can get the events via syslog without obfuscation. That is unless you  do something like sk33423 to redirect fw log like this.

fw log -f -t -n -l  2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

Not a great solution IMHO. There is a hotfix called CPLogToSyslog which you can install on your management server. This may be a better option for you.

hth,

bob

0 Kudos
Quinn_Yost
Contributor
‎2016-09-13 06:41 AM
Jump to solution

Sending the syslog messages into the firewall logs certainly works. This can be enabled from WebUI with the following setting.

My one concern here is that the syslog messages are sent to the traffic log.  Given the sensitive nature of some of the logs generated, and depending an organization's segregation of roles, it might be better if the syslog messages were pushed to the audit log instead.

0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus
‎2017-02-01 04:06 AM
Jump to solution

Hi All

Is this feature of R80 management server sending logs to syslog port is available in R80 version or it is in roadmap for R80.10 ?

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-02-01 07:25 AM
In response to Mike_Swaminatha
Jump to solution

The ability to send firewall logs via syslog directly is available in R77.30, but you have to install the R77.30 management add-on to get the capability (see sk87560).

However I don't see the ability to add a Syslog server in the R80.10 EA, so I'm not sure if this capability will be present with R80.10 or not, it may have just been put somewhere else in the SmartConsole where I'm not seeing it.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mike_Swaminatha
Employee Alumnus
Employee Alumnus
‎2017-02-02 10:42 PM
Jump to solution

For educational: -

One of my partner configured Syslog log forwarding on R80 Management successfully. 

Please go through the below link and refer section 3 for detailed configuration: -

http://qostechnology.in/blog/syslog-integration-with-checkpoint/

regards

Mike

0 Kudos
Eyal_Rashelbach
Employee
Employee
‎2017-04-23 04:12 AM
Jump to solution

All,


CPLogToSyslog for R80 is available - were working on updated SK

Please contact our support

BR,

Eyal

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2017-08-13 11:07 AM
In response to Eyal_Rashelbach
Jump to solution

CPLogToSyslog for R80.10 is now available.

Check sk115392 for more information

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events