Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nofar_a
Participant

export /var/log/audit/audit.log via syslog

Hi guys!

Any idea as to how to export /var/log/audit/audit.log from R77.30 GW?

Normally I would have done it with audispd, but it's missing from the GW.

Thanks!

Labels (1)
6 Replies
Nofar_a
Participant

Hi Marco,

Thanks for the reply. 

However, I'm interested in exporting /var/log/audit.log and not /var/log/messages.

0 Kudos
Reply
Marco_Valenti
Advisor

I get it now , not an helpful reply from me Smiley Happy

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion

normally your audit log is only on management, so is this a self contained sGW? You can use log exporter, which will export both security logs and audit logs in syslog format.

Regards, Maarten
0 Kudos
Reply
Nofar_a
Participant

Hi Maarten,

I tried using Log exporter (SK122323), but still only able to send /var/log/messages Smiley Sad

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion

Please tell a bit more about the environment? On which machine are you running this log exporter?

Regards, Maarten
0 Kudos
Reply
Bob_Bent
Mod
Mod

To clarify, think the original question is asking about Linux auditing which I don't think is fully implemented in Gaia, or at least exposed or documented for the end user. See reference here; Suse Doc: Security Guide - Understanding Linux Audit. The facility is there as is the file /var/log/audit/audit.log.

Let's not confuse this with audit logs from the Check Point management server, for instance this network object was added, this security policy rule is changed, etc. and security logs from the gateways connected to the management server. These are included by default when you use Log Exporter.

Back to the original question if you want to receive auditd events via syslog, there are some configuration files in /etc/audit such as audit.rules and auditd.conf, but don't think we have plugins for sending these via syslog. Could be wrong. Would have to check with a Gaia expert if you need a definitive answer.

Device syslog logs can of course be set up using the Gaia web UI or the clish CLI.