Hi all,
As per the title, I have configured it as described in sk92798:
```
add syslog log-remote-address 172.22.112.119 level emerg
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog uncompressmessages off
```
```
[Expert@demoCP:0]# clock
Fri Nov 16 13:00:42 2018 -0.152526 seconds
[Expert@demoCP:0]# cat /etc/syslog.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/syslog_xlate on Fri Nov 16 12:00:40 2018
#
# DO NOT EDIT
#
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages
#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages
#*.info;local5.none;local0.notice;authpriv.none;cron.none;mail.none /var/log/messages
#*.debug;local5.debug;local0.debug;authpriv.debug;cron.debug;mail.debug /var/log/messages
#*.info;local5.info;local0.info;authpriv.info;cron.info;mail.info /var/log/messages
#*.notice;local5.notice;local0.notice;authpriv.notice;cron.notice;mail.notice /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
[Expert@demoCP:0]# clock
Fri Nov 16 13:01:06 2018 -0.164737 seconds
```
but I can still see notice-level syslog messages being sent to the syslog server. What is wrong with it?
Has syslog restarted since this configuration took place?
I believe syslogd should automatically restart anytime you change the configuration, but it's helpful to double-check.
Of course, I restarted the service, but it didn't seem to help. Meanwhile, I found that if I annotating all code in /etc/syslog.conf, CP will still send notice logs to the Syslog server. I had configured it as in sk87560 and sk92798. So, is there any step that can exclude traffic logs? The client just wants to keep the logs simple and clear.
"If I annotating all code in /etc/syslog.conf" what does this mean?
What do you mean "traffic logs"?
If you're talking about stuff that would normally appear in Logs/Reporting or SmartView, this stuff does not go to syslog unless you're running Log Exporter or similar and even then, it shouldn't go to the system syslog (unless you've configured it to).
> "If I annotating all code in /etc/syslog.conf" what does this mean?

/etc/syslog.conf is the syslog config file. I think it should not override any logs to a dedicated file. So, I think some other CP software component sends logs to the Syslog server. I had checked the Linux syslog config; /etc/syslog.conf is configured to control syslog. Please confirm whether there are any errors in the implementation requirement used in sk87560 and sk92798, or any other mistakes.

> What do you mean "traffic logs"?

Details are in the attachment.
The client configured CP to send logs to Splunk. You know Splunk charges by flow rate. So, he didn't want too many low-severity logs sent to it.
When you configure the gateway to send Firewall blade logs via syslog as described in sk87560, they are not sent via syslogd.
The configuration of /etc/syslogd.conf is therefore irrelevant in this case.
There is no mechanism to filter what logs are sent: it's either all Firewall blade logs or nothing.
FYI, the method described in sk87560 only sends Firewall blade logs and not logs from other Software Blades.
For other blades, you should use the Log Exporter guide.
Log Exporter currently doesn't support filtering logs either (other than filtering out Firewall blade logs) but I believe we plan to add this to Log Exporter in the future.
Hmm... So, could you please describe when sk92798 is suitable? Is sk92798 only used for the local disk?
sk92798 is only relevant for events that originate from the Gaia OS itself, i.e. things that would normally appear in /var/log/messages.
Some/all of these events can be forwarded to an external syslog server, depending on how you implement sk92798.
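The point made in the replies above is that `/etc/syslog.conf` only governs what syslogd itself does with Gaia OS messages, so a notice-level record arriving at the collector while the only remote action is `*.emerg @172.22.112.119` cannot have come through syslogd at all. The following is an added example, not part of the original thread and not Check Point code: a small evaluator for classic sysklogd-style selectors (`facility.priority` means that priority and above, `none` excludes a facility, and within one line the last selector naming a facility wins) run against the exact rules from the posted `/etc/syslog.conf`, plus a triage helper that flags collector records no `@host` action could explain. The collector records at the bottom are constructed sample data, and `SYSLOG_CONF`, `parse_conf`, `actions_for` and `unexplained_remote_records` are names chosen for this example.

```python
"""Evaluate classic syslog.conf selectors (sysklogd semantics) against the
rules posted in the thread, and check which records seen on the remote
collector syslogd could actually have forwarded.

Added example for this thread; not Check Point code. The rules below are
copied from the post (comment lines dropped); the collector records are
constructed sample data.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIO_INDEX = {p: i for i, p in enumerate(PRIORITIES)}
# Accepted aliases in sysklogd-style configs.
PRIO_INDEX.update({"warn": PRIO_INDEX["warning"],
                   "error": PRIO_INDEX["err"],
                   "panic": PRIO_INDEX["emerg"]})

# The active rules from the thread's /etc/syslog.conf.
SYSLOG_CONF = """
auth.* /var/log/auth
mail.* -/var/log/maillog
cron.* -/var/log/cron
*.info;local5.emerg;local0.notice;authpriv.emerg;cron.emerg;mail.emerg /var/log/messages
*.emerg *
*.emerg @172.22.112.119
local7.* /var/log/boot.log
authpriv.* /var/log/secure
uucp.crit;news.crit /var/log/spooler
"""


def parse_conf(text):
    """Return a list of (selectors, action); selectors is a list of (facility, priority)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facility, priority = sel.split(".", 1)
            if priority[:1] in ("=", "!"):
                # sysklogd's '=' / '!' modifiers do not occur in the posted config.
                raise ValueError(f"unsupported priority modifier in {sel!r}")
            selectors.append((facility, priority))
        rules.append((selectors, action.strip()))
    return rules


def matches(selectors, facility, priority):
    """'fac.prio' matches that priority and above; 'none' excludes the facility;
    '*' matches everything; the last selector naming the facility wins."""
    level = PRIO_INDEX[priority]
    result = False
    for sel_fac, sel_prio in selectors:
        if sel_fac not in ("*", facility):
            continue
        if sel_prio == "none":
            result = False
        elif sel_prio == "*":
            result = True
        else:
            result = level >= PRIO_INDEX[sel_prio]
    return result


def actions_for(rules, facility, priority):
    """All actions (files, users, @hosts) that would receive the message, in rule order."""
    return [action for selectors, action in rules if matches(selectors, facility, priority)]


def unexplained_remote_records(rules, records):
    """Records seen on the collector that no '@host' action would deliver.
    These did not pass through syslogd, so they must come from another sender
    on the box (as the reply above says of the Firewall blade logs from sk87560)."""
    return [(fac, prio, text) for fac, prio, text in records
            if not any(a.startswith("@") for a in actions_for(rules, fac, prio))]


RULES = parse_conf(SYSLOG_CONF)

# Constructed sample of what the collector at 172.22.112.119 might have received.
COLLECTOR_RECORDS = [
    ("daemon", "emerg", "constructed: emergency message from a daemon"),
    ("daemon", "notice", "constructed: notice-level record seen on the collector"),
]

if __name__ == "__main__":
    for fac, prio in [("daemon", "notice"), ("daemon", "emerg"), ("local5", "notice")]:
        print(f"{fac}.{prio:<7} -> {actions_for(RULES, fac, prio)}")
    for rec in unexplained_remote_records(RULES, COLLECTOR_RECORDS):
        print("not forwarded by any syslogd rule:", rec)
```

Running it shows that `daemon.notice` reaches only `/var/log/messages`, `daemon.emerg` reaches the file, all users (`*`) and `@172.22.112.119`, and `local5.notice` reaches nothing because `local5.emerg` overrides `*.info` on the `/var/log/messages` line; the notice-level collector record is reported as unexplained, which is exactly the situation the thread describes.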
All right, understood. Thanks!