Tiago_Cerqueira
Contributor

Syslog messages from the Security Gateway

Hi,

We want to receive syslog messages from the security gateway itself (not traffic-related logs), for example, /var/log/messages from syslog. The issue is that, if you activate syslog from the security gateway, the syslog messages are not in an RFC-compatible format, which screws up the parsing on the server side.

I've been thinking about using the "send traffic to the Management Server" option and export (or view) the logs from there to the syslog server.

What is the best course of action to achieve logging to an external server? What is usually used in these situations?

4 Replies
PhoneBoy
Admin

The "Send Traffic to the Management Server" option puts those logs in the same place you see your traffic logs.

Those, of course, can be exported from there with Log Exporter just like the traffic logs.

However, I don't know that it changes the format of the log entries any.

Huseyin_Rencber
Collaborator

Hi Tiago,

You can configure gateways to send logs directly to syslog servers. Checkpoint supports RFC 3164 and RFC 5424. Can you share a sample of the syslog messages that could not be parsed on the syslog server?

"Sending traffic to management server" is a good option; after enabling this you will be able to see firewall traffic-related logs and system messages together. I would not export it to an additional syslog server; you can see both logs in the management server.

Tiago_Cerqueira
Contributor

Hi Huseyin,

The issue we're having is that the messages are missing the hostname, timestamp, and syslog protocol version. This has been previously described under sk100727.

We were investigating if it was a viable option to export the logs to the management server and export them out to an external syslog and parse it there, since they are exported in CEF format and that would allow us to parse the events.

We are on R80.10 (with some install base on R77.30, to be brought to R80.10 in the next few months). We are not looking to install the hotfix described in the SK, as it will require extra maintainability, as well as introducing potentially less stable code on the chassis.
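The header problem described in this reply (messages arriving without hostname, timestamp and syslog protocol version) is easiest to handle on the collector side by classifying each line before parsing it. The following is an added example written for this thread, not Check Point code, and it uses constructed sample lines rather than real gateway output: it recognises RFC 5424 and RFC 3164 headers and reports which fields a header-less message lacks, so such messages can be routed to a separate pipeline instead of being silently dropped or mis-parsed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not captured from a gateway): one RFC 5424 message,
# one RFC 3164 message, and one with no hostname/timestamp/version header,
# which is the shape of message this thread complains about.
SAMPLES = [
    "<34>1 2019-03-12T10:15:00Z fw-gw-1 sshd 1234 - - Accepted publickey for admin",
    "<13>Mar 12 10:15:00 fw-gw-1 sshd[1234]: Accepted publickey for admin",
    "<13>sshd[1234]: Accepted publickey for admin",
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T[0-9:.+\-Z]+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$"
)

@dataclass
class SyslogHeader:
    rfc: str                    # "5424", "3164" or "none"
    hostname: Optional[str]
    timestamp: Optional[str]
    version: Optional[str]      # only RFC 5424 carries a version field
    msg: str

def classify(line: str) -> SyslogHeader:
    """Identify the header format of one syslog line; never raises on bad input."""
    m = RFC5424.match(line)
    if m:
        return SyslogHeader("5424", m["hostname"], m["timestamp"], m["version"], m["msg"])
    m = RFC3164.match(line)
    if m:
        return SyslogHeader("3164", m["hostname"], m["timestamp"], None, m["msg"])
    # No usable header: strip a bare <PRI> if present and keep the message text
    return SyslogHeader("none", None, None, None, re.sub(r"^<\d{1,3}>", "", line))

def missing_fields(h: SyslogHeader) -> List[str]:
    """Header fields a collector would need but the line did not carry."""
    missing = [f for f in ("hostname", "timestamp") if getattr(h, f) is None]
    if h.version is None:
        missing.append("version")
    return missing
```

Lines classified as "none" have no sender hostname to trust, so a collector should stamp them with the receiving socket's peer address and arrival time rather than treating the message body as a header.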

CarstenWeber
Participant

poignant sarcasm on {

Meanwhile there is a fixed version R81 from take 34 (36), where this is included. Only 12 years after the RFC has been "modernized" and 7 years after this has been mentioned in sk100727.

} poignant sarcasm off 😐

previously known as (pka.) Carsten_Weber