Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
DeletedUser
Not applicable
Jump to solution

Sending Check Point security logs to 3rd party devices via syslog

Hi,

Is this available in R80, i.e. sending Check Point security logs to 3rd party devices via syslog from the management server? This utility was previously available as a hotfix called CPLogtoSyslog?

thx,

bob

1 Solution

Accepted Solutions
Dan_Zada
Employee Alumnus
Employee Alumnus

CPLogToSyslog for R80.10 is now available.

Check sk115392 for more information

View solution in original post

0 Kudos
13 Replies
Yuval__Dotan
Employee Alumnus
Employee Alumnus

It is currently being developed and should be available soon

Mike_Barkett
Explorer

Hi Bob and Yuval!

Will it be available only from management, or also from the gateway, a la R77.30 LTE add-on (sk87560)?

In R80.x will it be an add-on or native?

Thanks.

-MAB

0 Kudos
Yuval__Dotan
Employee Alumnus
Employee Alumnus

sk87560 is not merged into R80. will probably be merged to R80.10

0 Kudos
Rajeev_Gupta
Employee
Employee

Hi Yuval,

Could you please confirm if the feature to send Check Point logs from management via syslog is still on R80.10 roadmap? If not, is CPLogtoSyslog hotfix ported to R80 management?

Thanks,

Rajeev

DeletedUser
Not applicable

Hi,

As Yuval says R80 on the gateway will be supported in a later release. You can still receive Check Point events via syslog from R77.30 gateways, but you may want to get them from the management server via syslog for a couple of reasons.

  • Check Point security events may consist of more than one fragment. The management server unifies these fragments while the gateway does not.
  • Some events may contain confidential fields. The management server applies permissions to view this data while the gateway events may be obfuscated with "***Confidential***".

hth,

bob

Carlos_Molina
Participant

Hello Bob.

You mention that GW cannot send some fields in clear text...because it cannot apply permisisions to view this data???.

I have tested in R77.30 that using supported solution (syslog from GW), I get ***CONFIDENTIAL*** in my syslog server.

But I have checked that GW really knows that information because if I send those same logs executing # fw log -ftnl | logger -p local4.info I get all fields correctly. For example:

Feb  3 08:39:26 192.168.146.148 logger:  3Feb2017 14:39:25 block  192.168.80.253 <eth1 src:192.168.80.100;dst:193.110.128.109;proto:tcp;appi_name:marca.com;app_id:2779471769;matched_category:Sports;app_properties:Sports,URL Filtering;app_risk:0;app_rule_id:{8EC55CFD-CB67-4B15-B6A5-9AA3BF6A39B9};app_rule_name:Block Child Abuse sites;web_client_type:Firefox;web_server_type:Other: nginx/1.9.9;resource:http://www.marca.com/;proxy_src_ip:192.168.80.100;product:URL Filtering;service:http;s_port:50070;product_family:Network

So I understand there must be a way to send those logs vía syslog without ***

What do you think?

Thanks in advance.

DeletedUser
Not applicable

Hi,

Yes, the gateway has the information, but it's obfuscated when you get the information directly from the gateway. TTBOMK there isn't a gateway to syslog option available where you can get the events via syslog without obfuscation. That is unless you  do something like sk33423 to redirect fw log like this.

fw log -f -t -n -l  2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

Not a great solution IMHO. There is a hotfix called CPLogToSyslog which you can install on your management server. This may be a better option for you.

hth,

bob

0 Kudos
Quinn_Yost
Contributor

Sending the syslog messages into the firewall logs certainly works. This can be enabled from WebUI with the following setting.

My one concern here is that the syslog messages are sent to the traffic log.  Given the sensitive nature of some of the logs generated, and depending an organization's segregation of roles, it might be better if the syslog messages were pushed to the audit log instead.

0 Kudos
Mike_Swaminatha
Employee Alumnus
Employee Alumnus

Hi All

Is this feature of R80 management server sending logs to syslog port is available in R80 version or it is in roadmap for R80.10 ?

regards

Mike

0 Kudos
Timothy_Hall
Legend Legend
Legend

The ability to send firewall logs via syslog directly is available in R77.30, but you have to install the R77.30 management add-on to get the capability (see sk87560).

However I don't see the ability to add a Syslog server in the R80.10 EA, so I'm not sure if this capability will be present with R80.10 or not, it may have just been put somewhere else in the SmartConsole where I'm not seeing it.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mike_Swaminatha
Employee Alumnus
Employee Alumnus

For educational: -

One of my partner configured Syslog log forwarding on R80 Management successfully. 

Please go through the below link and refer section 3 for detailed configuration: -

http://qostechnology.in/blog/syslog-integration-with-checkpoint/

regards

Mike

0 Kudos
Eyal_Rashelbach
Employee
Employee

All,


CPLogToSyslog for R80 is available - were working on updated SK

Please contact our support

BR,

Eyal

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus

CPLogToSyslog for R80.10 is now available.

Check sk115392 for more information

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events