Hi,
We want to receive syslog messages from the security gateway itself (not traffic related logs), for example, /var/log/messages from syslog. The issue is that, if you activate the syslog from the security gateway, the syslog messages are not in an RFC-compatible format, which screws the parsing on the server side.
I've been thinking about using the "send traffic to the Management Server" option and export (or view) the logs from there to the syslog server.
What is the best course of action to achieve logging to an external server? What is usually used in these situations?
The "Send Traffic to the Management Server" option puts those logs in the same place you see your traffic logs.
Those, of course, can be exported from there with Log Exporter just like the traffic logs.
However, I don't know that it changes the format of the log entries any.
Hi Tiago,
You can configure gateways to send logs directly to syslog servers. Check Point supports RFC 3164 and RFC 5424. Can you share a sample of syslog messages that could not be parsed on the syslog server?
"Sending traffic to management server" is a good option; after enabling this you will be able to see firewall traffic related logs and system messages together. I would not export it to an additional syslog server; you can see both logs in the management server.
Hi Huseyin,
The issue we're having is that the messages are missing the hostname, timestamp, and syslog protocol version. This has been previously described under sk100727.
We were investigating if it was a viable option to export the logs to the management server and export them out to an external syslog and parse it there, since they are exported in CEF format and that would allow us to parse the events.
We are on R80.10 (with some install base on R77.30, to be brought to R80.10 in the next few months). We are not looking to install the hotfix described in the SK, as it will require extra maintainability, as well as introducing potentially less stable code on the chassis.
poignant sarcasm on {
Meanwhile there is a fixed version R81 from take 34 (36), where this is included. Only 12 years after the RFC has been "modernized" and 7 years after this has been mentioned in sk100727.
} poignant sarcasm off 😐
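
An added example, not part of any post in this thread and not Check Point code: a receiver-side check that classifies an incoming line as RFC 5424, RFC 3164 or nonconforming and names the header fields that are missing, which is the failure discussed above. The sample lines are constructed and are not real gateway output; the rule that a token ending in `:` is a tag rather than a hostname is a heuristic assumed here.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<hostname>\S{1,255}) \S{1,48} \S{1,128} \S{1,32} "
)
# RFC 3164 header pieces: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
PRI = re.compile(r"<(\d{1,3})>")
BSD_TS = re.compile(rf"(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d ")
# Assumption: a token ending in ':' is the TAG, not a hostname (heuristic).
HOST = re.compile(r"\S*[^\s:] ")


def classify(line):
    """Return (format, missing_header_fields) for one received syslog line."""
    m = RFC5424.match(line)
    if m:
        # "-" is the RFC 5424 NILVALUE: the field is present but empty.
        nil = [f for f in ("timestamp", "hostname") if m.group(f) == "-"]
        return "rfc5424", nil
    missing = []
    pri = PRI.match(line)
    pos = pri.end() if pri else 0
    if not pri or int(pri.group(1)) > 191:  # PRI = facility*8 + severity
        missing.append("pri")
    ts = BSD_TS.match(line, pos)
    if not ts:
        missing.append("timestamp")
    # Without a timestamp the hostname cannot be located reliably.
    if not ts or not HOST.match(line, ts.end()):
        missing.append("hostname")
    return ("rfc3164" if not missing else "nonconforming"), missing


# Constructed sample lines (not real gateway output).
SAMPLES = [
    "<34>1 2025-12-16T17:00:00Z gw01 sshd 4711 ID47 - session opened",
    "<34>Dec 16 17:00:00 gw01 sshd[4711]: session opened",
    "<34>sshd[4711]: session opened",
    "<34>Dec 16 17:00:00 sshd[4711]: session opened",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), s)
```

Running such a check on a sample of received lines before writing parser rules shows whether the sender needs fixing or whether the collector has to stamp the receive time and source address itself.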