This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lbcadenco10
Contributor
‎2020-02-14 01:34 PM

Gaia Embedded Syslog Severity

Anyone know how to change the syslog severity on Gaia Embedded appliances? I've seen sk92798 but this appears to only apply to Gaia appliances. I edited /etc/syslog.conf to only send warning and higher level logs to our remote syslog servers but "logger -p local4.info info2" and "tcpdump" shows informational level logs still being sent. I'm guessing syslogd needs to be restarted in order for the changes to go into effect, but "service syslog restart" is not a valid command in expert mode.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-02-14 07:08 PM

I believe if you kill the process it will restart on its own.
Or maybe do a kill -1 which may cause it to reread the config file.
Must caution you about editing config files directly as they can get overwritten on a reboot or upgrade.
lbcadenco10
Contributor
‎2020-02-17 02:36 PM
In response to PhoneBoy

Thanks, I'll give that a shot. Is there a better approach to modifying the syslog severity on SMB appliances?
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-02-18 01:19 AM
In response to lbcadenco10

There is no way - according to GAiA Embedded CLI, you can define external syslog servers by the command

# add syslog-server

and one parameter is

sent-logs Determine which logs types will be sent to the System Log Server

Options: system-logs, security-logs, system-and-security-logs

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
John_Fleming
Advisor
‎2020-02-18 12:30 PM
In response to lbcadenco10

### unsupported bla bla bla don't want to hear it ###

 

ok here is my advice on how to hack this to do what you want. No idea if this will work on all scenarios but there is a chance this will hold even during upgrades.

Come up with a custom rsyslog.conf file.

Store it in /pfrm2.0/etc

edit /pfrm2.0/etc/userScript (not created by default perms should be root:root 755)

have userScript file copy /pfrm2.0/etc/rsyslog.conf to /etc

#I'm saying do this because / (and thus /etc) is a rootfs which is basically a memory based filesystem.

have userScript restart rsyslogd. You'll have to find pid kill it and start it.

Now in theory it will get reinstalled on boot up.

Last step is edit /pfrm2.0/etc/additional_settings_file_list

and add /pfrm2.0/etc/rsyslog.conf. This *should* protect you from upgrades. 

 

edge cases this won't help with..

someone editing syslog settings via clish or webui. Most likely your settings will be lost until you rerun userScript commands or reboot. Possible other changes in clish/webui might trigger reloading build rsyslog.conf. 

 

0 Kudos
John_Fleming
Advisor
‎2020-02-18 12:40 PM
In response to John_Fleming

and if you want to get super hacky.. uh.

 

looks like /pfrm2.0/bin/logControlConfig is the script that generates the /etc/rsyslog.conf.

 

Would need to do the same thing i pointed out before.. edit userScript to do something with a master copy of this. This dir is mounted normally so should stick around unless an upgrade is done. Again adding ref to that additional file might address that but we're out in crazy town now. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events