cem82
Contributor

System audit logs over syslog

Hi

We want to send the CLI audit logs of the GW to the log server on R81.10 (i.e. SSH login events / "set" commands etc.). I have configured per the below commands and am receiving the logs. However, the issue is searching / filtering the logs in SmartView and also where they end up. For one thing, I expected them to be viewed in the "Audit Logs" tab in SmartLog; however, they appear in the "Logs" view along with firewall traffic logs. With log retention etc. we want to keep these logs for a long period of time for compliance reasons, but that doesn't appear to suit going into firewall log files, so how can we get them to go into the Audit Logs (i.e. .adtlog) rather than fw.log files?


The second part, which may tie in with this, is searching the logs. I see certain things appear in blade:Syslog and others in blade:"Linux OS". Either way, there doesn't appear to be a columns profile for these, and doing a free text search (e.g. "route", expecting to see "set static-route" commands) shows nothing. If I load the full log entry and click through each log I do see them, but it's obviously tough and slow clicking on each entry one by one in full log view.


add syslog log-remote-address <MDM CMA IP> level info
set syslog cplogs on
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog filename /var/log/messages

0 Kudos
4 Replies
the_rock
Legend

There is something else you need to change in the config to get this working, I just can't recall exactly what. Let me check Monday for you, as I may have the notes from a few years back on how to fix this.

Best,

Andy

0 Kudos
cem82
Contributor

Is it going into the log server object in SmartConsole, putting a tick in "Accept syslog messages", installing the DB and doing mdsstop/mdsstart? Forgot to mention that we have done those as well.

0 Kudos
PhoneBoy
Admin

You'll have to create a syslog parser, most likely: https://support.checkpoint.com/results/sk/sk55020
Not sure there is a way to get syslog into the audit logs.

0 Kudos
cem82
Contributor

Ahh ok, I did see that SK but thought that was only for SmartEvent etc. to recognise third-party logs, not Check Point ones. I thought there would be some built-in parsing for things like "cmd by USERNAME: Processing : set static-route ROUTE nexthop gateway address GW off" and the ability to search for that (or portions of it). I did copy off and try that log parser but found around 2,000 different patterns. I wonder, if I do go through trying to work out how to map out the fields, whether doing a free text search would start working then?


Either way, if they would still go to "normal" log files rather than audit ones, there wouldn't be much benefit anyway, since audit logs need to be kept for a long time and with the amount of traffic logs it probably isn't feasible to keep it all for the period of time the audit ones need to be kept. Especially since the audit logs would be quite small (probably less than 1MB/day) compared to the tens of GB/day, it would be tough to justify getting the huge amount of storage.

0 Kudos
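As an added example (not code from the thread or from Check Point), here is a small parser for the clish audit lines discussed above, using the "cmd by USER: Processing : <command>" body quoted in the thread. The syslog prefix layout (timestamp, host, program[pid]) and the sample lines are assumed and constructed; the point is to show how the command field can be extracted, searched by free text, and summarised per user once the messages are available outside SmartView.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The message body
# "cmd by USER: Processing : <command>" is the clish audit format quoted in
# the thread; the syslog prefix (timestamp, host, program[pid]) is assumed.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 gw1 clish[4321]: cmd by admin: Processing : set static-route 10.1.0.0/16 nexthop gateway address 192.0.2.1 on
Jan 10 09:12:05 gw1 clish[4321]: cmd by admin: Processing : set static-route 10.1.0.0/16 nexthop gateway address 192.0.2.1 off
Jan 10 09:13:40 gw1 clish[4322]: cmd by operator: Processing : show route
Jan 10 09:15:22 gw1 sshd[987]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
Jan 10 09:16:00 gw1 clish[4322]: cmd by operator: Processing : set hostname gw1-new
"""

# Assumed syslog prefix followed by the clish audit body from the thread.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"cmd by (?P<user>[^:\s]+): Processing : (?P<command>.+?)\s*$"
)

# clish verbs treated here as configuration changes (assumption), as opposed to read-only "show".
CHANGE_VERBS = {"set", "add", "delete", "save"}


def parse_audit(text):
    """Return one dict per clish audit line; lines without the audit body (e.g. sshd) are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["verb"] = rec["command"].split()[0]
            rec["is_change"] = rec["verb"] in CHANGE_VERBS
            records.append(rec)
    return records


def search_commands(records, needle):
    """Case-insensitive free-text search restricted to the extracted command field."""
    needle = needle.lower()
    return [r for r in records if needle in r["command"].lower()]


def changes_by_user(records):
    """Count configuration-changing commands per user, e.g. for a compliance summary."""
    return Counter(r["user"] for r in records if r["is_change"])


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_SYSLOG)
    for r in search_commands(recs, "static-route"):
        print(f'{r["ts"]} {r["host"]} {r["user"]}: {r["command"]}')
    print(dict(changes_by_user(recs)))
```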