This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nofar_a
Participant
‎2018-08-20 10:36 PM

export /var/log/audit/audit.log via syslog

Hi guys!

Any idea as to how to export /var/log/audit/audit.log from R77.30 GW?

Normally I would have done it with audispd, but it's missing from the GW.

Thanks!

Labels
6 Replies
Nofar_a
Participant
‎2018-08-21 05:07 AM

Hi Marco,

Thanks for the reply. 

However, I'm interested in exporting /var/log/audit.log and not /var/log/messages.

0 Kudos
Marco_Valenti
Advisor
‎2018-08-21 08:22 AM
In response to Nofar_a

I get it now , not an helpful reply from me Smiley Happy

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-08-21 11:08 AM

normally your audit log is only on management, so is this a self contained sGW? You can use log exporter, which will export both security logs and audit logs in syslog format.

Regards, Maarten
0 Kudos
Nofar_a
Participant
‎2018-08-22 09:06 PM
In response to Maarten_Sjouw

Hi Maarten,

I tried using Log exporter (SK122323), but still only able to send /var/log/messages Smiley Sad

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-08-23 07:26 AM
In response to Nofar_a

Please tell a bit more about the environment? On which machine are you running this log exporter?

Regards, Maarten
0 Kudos
Bob_Bent
Mod
Mod
‎2018-08-23 09:49 AM
In response to Maarten_Sjouw

To clarify, think the original question is asking about Linux auditing which I don't think is fully implemented in Gaia, or at least exposed or documented for the end user. See reference here; Suse Doc: Security Guide - Understanding Linux Audit. The facility is there as is the file /var/log/audit/audit.log.

Let's not confuse this with audit logs from the Check Point management server, for instance this network object was added, this security policy rule is changed, etc. and security logs from the gateways connected to the management server. These are included by default when you use Log Exporter.

Back to the original question if you want to receive auditd events via syslog, there are some configuration files in /etc/audit such as audit.rules and auditd.conf, but don't think we have plugins for sending these via syslog. Could be wrong. Would have to check with a Gaia expert if you need a definitive answer.

Device syslog logs can of course be set up using the Gaia web UI or the clish CLI.