Simon_Macpherso
Advisor
Jump to solution

Custom syslog port

Hello,

Can you please provide responses to the following syslog configuration related questions.

1. Is it possible to send syslog on a port other than the default UDP 514, possibly by modifying the configuration files /etc/syslog.conf or /etc/sysconfig/syslog? I have set up a remote syslog target which is listening on a different port.

2. Is it required to modify the fwsyslog_enable kernel parameter on each gateway to 1 to enable syslog? This is not specified in the R81.20 admin guide; however, it is stated as a requirement in the R81.20 Logging and Monitoring admin guide.

Regards,

Simon

0 Kudos
1 Solution

Accepted Solutions
Simon_Macpherso
Advisor

Got an answer from TAC. There is no way to change the default so I've had to NAT the traffic. 


4 Replies
PhoneBoy
Admin

The answer to both questions is here: https://support.checkpoint.com/results/sk/sk87560
Looks like you can use a different port and you shouldn't use fwsyslog_enable unless TAC suggests it.

0 Kudos
Simon_Macpherso
Advisor

This is not what I'm after.

That SK outlines how to 'How to configure Security Gateway on Gaia OS to send FireWall logs to an external Syslog server'.

I'm already sending firewall logs from all gateways to remote log servers, and from there using log exporter to send in to Splunk.

I'm referring specifically to configuring syslog on individual gateways to send Gaia system messages and audit events only to a remote syslog server. And we want to send this to the remote server on a custom port. 

It's interesting that the SK also states at the bottom of the document that the fwsyslog_enable parameter "is intended for optimization of logging performance in environments that require high log rates. Do not enable this kernel parameter unless explicitly instructed by Check Point Support.", as there is no mention of that in the Logging and Monitoring R80.20 Administration Guide > Logging > Working with Syslog Servers section.

0 Kudos
PhoneBoy
Admin

Ah yes, that's a beast of a different color.
You might be able to make the relevant change in /etc/rsyslog.conf and make the file immutable so the OS doesn't overwrite it.
However, that falls into "unsupported" category.

0 Kudos
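As an added illustration of the workaround PhoneBoy sketches above (example code, not from the thread, from Check Point, or from any Gaia documentation, and, as he notes, unsupported): a small POSIX shell helper that builds an rsyslog remote-forwarding rule for a non-default port, validates the port so a typo cannot silently disable forwarding, and checks that the rule landed in the file. The host 10.0.0.5, ports 1514/6514 and the /etc/rsyslog.conf path are assumed example values; the legacy rsyslog selector syntax ("@" for UDP, "@@" for TCP) is what the helper emits.

```shell
# Added example (not from the thread): build an rsyslog forwarding rule
# for a custom port. Legacy rsyslog selector syntax: "@" = UDP, "@@" = TCP.
# Host and port values below are constructed for illustration.
rsyslog_forward_rule() {
    host="$1"; port="$2"; proto="${3:-udp}"
    # Reject anything that is not a number in 1-65535.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    case "$proto" in
        udp) printf '*.* @%s:%s\n' "$host" "$port" ;;
        tcp) printf '*.* @@%s:%s\n' "$host" "$port" ;;
        *)   echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
}

# Exact whole-line match: confirms the rule is present in a config file.
rule_present() {
    grep -Fxq -- "$2" "$1"
}

# Usage (assumed path; run as root; unsupported on Gaia per the thread):
#   rsyslog_forward_rule 10.0.0.5 1514 udp >> /etc/rsyslog.conf
#   chattr +i /etc/rsyslog.conf   # immutable, so the OS does not overwrite it
#   lsattr /etc/rsyslog.conf      # expect an 'i' among the attribute flags
#   rule_present /etc/rsyslog.conf "$(rsyslog_forward_rule 10.0.0.5 1514 udp)" \
#       && echo "forwarding rule in place"
```

The immutable flag is what keeps the Gaia configuration management from regenerating the file on top of the change; remember to clear it with `chattr -i` before any supported reconfiguration, and to restart rsyslog after editing.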
