This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AigarsK
Participant
‎2021-05-20 02:02 AM
Jump to solution

Syslog configuration on R80.40

Hi All,

I am having issues locating syslog configuration in Checkpoint R80.40. We have two gateways in cluster, Management and SmartEvent server.

Cluster is configured to send logs to Management server.

In infrastructure we have Ubuntu server which by all means is receiving Syslog messages from Management server.

I have checked configuration and cannot see any syslog servers configured, I changed under Logs section and nothing is configured there either.

I checked both SmartConsole and web management of appliances.

I do not appear to have cp_log_export present in clish nor in expert mode.

Could you please advise me, where and how syslog configuration is applied then?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-05-21 04:42 PM
In response to AigarsK
Jump to solution

For me, it's in: /opt/CPrt-R81/bin/cp_log_export
It's a shell script in particular, which I believe ultimately calls: /opt/CPrt-R81/log_exporter/log_exporter

Above is from R81, but the R80.40 path should be similar. 
It should also be in your $PATH in expert mode and there should be processes running if it's sending logs.

View solution in original post

0 Kudos
6 Replies
S_E_
Advisor
‎2021-05-20 05:36 AM
Jump to solution

Hi

do you mean syslog ?

In Gaia "show configuration syslog"

or cp_log in bash

"cp_log_export show"

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

or something else?

Regards

 

 

0 Kudos
AigarsK
Participant
‎2021-05-20 05:43 AM
In response to S_E_
Jump to solution

Thanks for the reply.

I checked these commands before, "show configuration syslog" does not list any remote servers to indicate that they have been forwarded. Command "cp_log_export show" in expert states "command not found".

My Ubuntu servers is receiving traffic on port UDP 514 and messages are of Security Policy rule hit logs.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-20 04:38 PM
Jump to solution

If you want traffic logs, you need to export from your management server (or log server of separate) using Log Exporter.
https://community.checkpoint.com/t5/Management/Log-Exporter-guide/m-p/9035

0 Kudos
AigarsK
Participant
‎2021-05-21 04:19 AM
In response to PhoneBoy
Jump to solution

Thanks PhoneBoy,

I did read that article already, Thing this is bugging me is that traffic logs already appear to be forwarding to my internal server but there is no sign of "cp_log_export" being present in expert mode of that management node.

So is possible that it was configured and the subsequently removed with it still running?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-21 04:42 PM
In response to AigarsK
Jump to solution

For me, it's in: /opt/CPrt-R81/bin/cp_log_export
It's a shell script in particular, which I believe ultimately calls: /opt/CPrt-R81/log_exporter/log_exporter

Above is from R81, but the R80.40 path should be similar. 
It should also be in your $PATH in expert mode and there should be processes running if it's sending logs.

0 Kudos
AigarsK
Participant
‎2021-05-24 12:33 AM
In response to PhoneBoy
Jump to solution

Thanks PhoneBoy,

I managed to locate the path you specified

Looks like the issue I was encountering was that I was signing on the CPM using my radius credentials and not local admin account. Since trying with admin I was able to execute "cp_log_exporter show" to see what has been configured.

 

Many Thanks All!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events