Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AkosBakos
Advisor
Advisor

syslog RFC 3164 (old) and RFC 5424 (new).

Hi CheckMates,

I read that, both syslog formats are supported ins R81.10

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_LoggingAndMonitoring_AdminGu...

How can I switch between syslog formats (RFC 3164 (old) and RFC 5424 (new)?

Br

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
10 Replies
Chris_Atkinson
Employee Employee
Employee

Is there a specific format / parsing issue or similar that you are trying to address?

Typically LogExporter is the most flexible approach per sk122323.

CCSM R77/R80/ELITE
0 Kudos
AkosBakos
Advisor
Advisor

Hi Chris,

Exactly, the receiver side reported that, they can't parse the new format. Therefore I would like to swich the format to the older one.

After I switched it I will be able to point out, the error is on the receiver side.

That is my motivation.

BR

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

You realize this method only gives you limited Firewall-only logs, correct? (Nothing for other blades)
Log Exporter would be a much better way to export logs and offers other formats to export the logs.

0 Kudos
AkosBakos
Advisor
Advisor

Hi PhoneBoy,

To clarify the situation. I use cp_clog_export for exporting the logs.

BR

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

I assume you mean cp_log_export, which is Log Exporter.
However, what you provided a link to is not relevant to Log Exporter, but to a feature that allows sending specific traffic logs as syslog from the gateway itself (not the management).
Use the "format" option in Log Exporter to determine the format to send to the remote syslog server, which supports:

  • generic
  • cef
  • json
  • leef
  • logrhythm
  • rsa
  • splunk
  • syslog

Parsing is the responsibility of the remote end. 

0 Kudos
AkosBakos
Advisor
Advisor

Hi PhoneBoy,

Yes, I meant Log Exporter.

In the format settings

Is the deafult syslog format  RFC 5424 format? If yes, can we change it somehow?

BR

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

I presume it is the default format, yes.
I don't believe you can change it.
What is the precise syslog server in use on the other end?
What is the precise CLI command you use to configure Log Exporter (or a screenshot of what's in SmartConsole)?

0 Kudos
AkosBakos
Advisor
Advisor

Hi Phoneboy,

The format part of the CLI command is "syslog"

The receiver syslog server's brand is Logness. It is an unique development. I do not hav the information, what is the base of this solution.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin

You might try "generic" and see if that provides a better result.

AkosBakos
Advisor
Advisor

Hi,

Now it is much better than earlier was. Based on this, we asked the customer to contact the SIEM support to clarify this issue on the other side.

We can't change more things in log exporter.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events