System audit logs over syslog
Hi
We want to send the CLI audit logs of the GW to a log server on R81.10 (i.e. SSH login events / "set" commands etc.). I have configured per the below commands and we are receiving the logs. However, the issue is searching / filtering the logs in SmartView and also where they end up. For one thing, I expected they would need to be viewed in the "Audit Logs" tab in SmartLog; however, they appear in the "Logs" view along with firewall traffic logs. With log retention etc. we want to keep these logs for a long period of time for compliance reasons, but that doesn't appear to suit going to the firewall log files, so how can we get them to go into the Audit Logs (i.e. .adtlog) rather than the fw.log files?
The second part, which may tie in with this, is searching the logs. I see certain things appear in blade:Syslog and others in blade:"Linux OS". Either way there doesn't appear to be a columns profile for these, and a free text search, e.g. "route", expecting to see the "set static-route" commands, doesn't show them. If I load the full log entry and click through each log I do see them, but it's obviously tough and slow going through clicking on each entry one by one in full log view.
add syslog log-remote-address <MDM CMA IP> level info
set syslog cplogs on
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog filename /var/log/messages
Labels: Compliance, Logging
There is something else you need to change in the config to get this working, I just can't recall exactly what. Let me check Monday for you, as I may have the notes from a few years back on how to fix this.
Best,
Andy
Is it going into the log server object in SmartConsole, putting a tick in "Accept syslog messages", installing the DB and doing mdsstop/mdsstart? Forgot to mention that we have done those as well.
You'll have to create a syslog parser, most likely: https://support.checkpoint.com/results/sk/sk55020
Not sure there is a way to get syslog into the audit logs.
Ahh ok, I did see that SK but thought that was only for SmartEvent etc. to recognise third-party logs, not Check Point ones. I thought there would be some built-in parsing for things like "cmd by USERNAME: Processing : set static-route ROUTE nexthop gateway address GW off" and that I'd be able to search for that (or portions of it). I did copy off and try that log parser but found around 2,000 different patterns. I wonder, if I do go through trying to work out how to map out the fields, whether a free text search would start working then?
Either way, if it would still go to the "normal" log files rather than the audit ones, there wouldn't be much benefit anyway, since audit logs need to be kept for a long time and with the amount of traffic logs it probably isn't feasible to include it all for the period of time we need to keep the audit ones. Especially since the audit logs would be quite small (probably less than 1MB/day) compared to the tens of GB/day, it would be tough to justify getting the huge amount of storage.
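An added example, not from this thread or from Check Point: a small Python parser over constructed syslog lines in the "cmd by USER: Processing : ..." form quoted above, pulling out user, command and event kind so that the "set static-route" entries (and SSH logins) can be filtered without opening each record. The BSD syslog header layout and the "clish[pid]:" / "sshd[pid]:" tags are assumptions about how Gaia writes the lines into /var/log/messages.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not captured from a real gateway). The message
# body follows the "cmd by USER: Processing : ..." form quoted in the thread;
# the header and process tags are assumed.
SAMPLE_LINES = [
    "Mar  5 10:15:22 gw1 clish[4242]: cmd by admin: Processing : set static-route 10.20.0.0/16 nexthop gateway address 192.168.1.254 off (ROBO)",
    "Mar  5 10:16:03 gw1 clish[4242]: cmd by admin: Processing : set static-route 10.20.0.0/16 nexthop gateway address 192.168.1.254 on (ROBO)",
    "Mar  5 10:17:41 gw1 sshd[5100]: Accepted publickey for admin from 10.1.1.5 port 51022 ssh2",
    "Mar  5 10:18:00 gw1 clish[4242]: cmd by admin: Processing : show configuration (ROBO)",
    "Mar  5 10:18:30 gw1 kernel: eth0: link up",
]

HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
CLISH_RE = re.compile(r"^cmd by (?P<user>\S+): Processing : (?P<cmd>.*?)(?: \(\w+\))?$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
CONFIG_VERBS = {"set", "add", "delete", "save"}  # verbs that change the box


@dataclass
class AuditEvent:
    ts: str
    host: str
    kind: str    # "config", "readonly", "ssh_login" or "ssh_fail"
    user: str
    detail: str  # the clish command, or the SSH method and source


def parse_line(line):
    """Return an AuditEvent for clish/sshd lines, None for everything else."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    tag, msg = m["tag"], m["msg"]
    if tag == "clish":
        c = CLISH_RE.match(msg)
        if not c:
            return None
        kind = "config" if c["cmd"].split()[0] in CONFIG_VERBS else "readonly"
        return AuditEvent(m["ts"], m["host"], kind, c["user"], c["cmd"])
    if tag == "sshd":
        s = SSH_RE.match(msg)
        if not s:
            return None
        kind = "ssh_login" if s["result"] == "Accepted" else "ssh_fail"
        return AuditEvent(m["ts"], m["host"], kind, s["user"], f"{s['method']} from {s['src']}")
    return None  # kernel/traffic noise is not an audit event


def audit_events(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def search(events, text):
    """Free-text match on the extracted command field, e.g. search(evs, 'static-route')."""
    return [e for e in events if text in e.detail]
```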
