This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Network_Engine2
Participant
‎2019-04-02 02:57 AM

R80.10 API logs

Hi,

So we've been exporting our gateway *audit logs* regularly in 77.30 to splunk, and now we upgraded to 80.10.

With the new API, we are wondering if it's possible to export the logs of the API.

Let's say for example, if someone ran a "show group" command from the management server, it's log would be exported and seen on splunk.

Is it possible? 

 

0 Kudos
6 Replies
Nick_Doropoulos
Advisor
‎2019-04-02 03:38 AM

Have you tried the Log Exporter for that purpose (sk122323)?

You would need to install the Check_Point_R80.10_Log_Exporter_T50_sk122323_FULL.tgz package first as far as I can see and then I would refer you to the most relevant section for you:

Splunk

It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

For more information about installation and deployment, please see the Check Point App for Splunk User Guide.

In addition, in order to configure an encrypted connection, do the following:

1. Generate server pem file:
    cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

2. Update the inputs.conf file on the Splunk server
    vi /opt/splunk/etc/apps/search/local/inputs.conf

    [SSL]
    serverCert = /etc/ssl/my-certs/splunk.pem
    sslPassword = <challenge password>
    requireClientCert = true

    [tcp-ssl://<port>]
    index = <index>

3. Update the server.conf file on the Splunk server
    vi /opt/splunk/etc/system/local/server.conf

    [sslConfig]
    sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

4. Restart Splunk
    /opt/splunk/bin/splunk restart

 

I hope this helps.

PhoneBoy
Admin
Admin
‎2019-04-02 12:18 PM

All API sessions appear in the audit logs, which should get exported to Splunk via Log Exporter or LEA.
Network_Engine2
Participant
‎2019-04-29 01:42 AM
In response to PhoneBoy

Hi, i am using log exporter but the only logs it exports are clish logs or ssh connections, but not the linux expert commands. is there any other configuration i need to make?

PhoneBoy
Admin
Admin
‎2019-04-29 06:41 AM
In response to Network_Engine2

First of all, expert commands aren't logged at all by default, but clish commands are.
Log Exporter does not get the OS logs, but you can configure Gaia to send them via syslog in the WebUI or clish (can't remember the command offhand).
0 Kudos
Network_Engine2
Participant
‎2019-04-30 01:02 AM
In response to PhoneBoy

ok, what about API commands through the expert, are they logged? it seems odd to me that you can't see what was searched with api...

PhoneBoy
Admin
Admin
‎2019-04-30 09:47 AM
In response to Network_Engine2

mgmt_cli commands are API calls, just with a specific client.
You can see what calls are made via $FWDIR/log/api.elg.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events