Hello, 

Thanks for your response. 
I have defined the Syslog server IP address in Hosts and created server with Name, Host IP address and Port Number. 

For R80.40, I have added the new Syslog Server to the Security Gateway logging targets - Security Gateway > Logs.  

For some reason, Logs are not received in remote server. Thanks again for your response. Your assist will be of great help to me. 

Regards
Muthu Mahadevan

Hi Muthu,

Why not using the Log Exporter?

Hello,

I have put the below commands - 

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

cp_log_export restart name to_RemoteServer

I am able to see in the log file in Smartconsole that 

* Source IP - Firewall 

* Destination - Remote server IP

* Service - UDP/port number

* Description - Traffic accepted. 

But the logs are not appearing in the remote server. Could you please let me know the changes to make to receive the logs in remote logging ??

Regards
Muthu Mahadevan

Also, Just to add the previous comment,

When I check for 

[Expert@gw-firewall:0]# fw ctl get int fwsyslog_enable
fwsyslog_enable = 1

But still Logs are not going to Remote server.

Regards
Muthu Mahadevan

What we are missing here is any information about the syslog server you are using and the OS it is running on.

You may have to configure syslog sources from which your server accepts logs and, perhaps, create OS-specific firewall rules allowing inbound traffic on chosen ports.

Hello Vladimir,

Thanks for your response. I have Remote Logging server running in Ubuntu (VirtualBox). I have added security policy in SmartConsole with 

Source address - Firewall IP

Destination address - Remote Logging IP address

Action - Accept

Could you please let me know the changes to make if the remote server is running in Ubuntu version ??

Regards
Muthu Mahadevan

Firewall will send only Gaia level logs, not the firewall logs. If you have configured log exporter on the management server as per:

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

and configured the

$AllowedSender UDP, 127.0.0.1, Y.Y.Y.Y/YY

on the Ubuntu side, where Y.Y.Y.Y/YY is the IP and the subnet of the Check Point management server,

then run:

tcpdump -vv port 514

on Ubuntu to see if you are receiving logs from Check Point.

Hello,

I also wanted to check with you with the below configuration,

[Expert@gw-firewall:0]# cp_log_export show

name: CP_FW
enabled: true
target-server: 10.0.2.15
target-port: 1514
protocol: udp
format: syslog
read-mode: raw
export-link: false
export-attachment-link: false

Also when I check for the logs in SmartConsole, Source - Firewall IP, Destination - Remote Logging IP and Action - accept. 

Since the status is showing enabled and Connection action is appearing accept in logs, can I assume the logs are sent from firewall to my remote logging ?? Issue is near remote logging ??

You can assume that the issue is on the Ubuntu side.

Also, if information in your last post is correct, on Check Point side you are using UDP port 1514 instead of a standard syslog port UDP 514 where Ubuntu may be expecting this traffic.

Unless you have changed the default syslog service port on Ubuntu, I suggest changing it back to 514 on Check Point.

Then use tcpdump on Ubuntu to see if syslog traffic arriving there.

Hello,

Thanks for all the Inputs. 

Issue was in Ubuntu side and I have set the redirect Configuration to receive input from Firewall.

Regards
Muthu Mahadevan