Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PabloOttawa
Explorer

Configure redundant syslog servers

Hello folks,

We have a Checkpoint infrastructure compised by a management server and two 5200 gateways, We have configured our logging infrastructure with 2 syslog servers and we would like to send the logs from the management server and the security gateways to those two syslog servers.

Gaia has the ability by either the command line or the GUI to configure multiple syslog servers. However, they would be at the same level and both active at the same time; hence, my log entries will be duplicated.

We would like to configure the log servers in active-passive mode; I know this is possible in *NIX systems by editing the file rsyslog.conf where you specify the primary and secondary server, and using TCP as the protocol. However, the file /etc/syslog.conf has a beautiful comment that says "DO NOT EDIT" (obviously managed from the CP engine); but by using the GUI or the command line, I can only specify the target server, I cannot specify the protocol (TCP vs. UDP) nor the server priority/failover.

How would you configure active/passive syslog targets?

Thanks,

Pablo

PS I've also tried to configure those servers as load-balanced using Checkpoint Load-balancing mechanisms. Works like a charm for other servers, but when the gateway itself tries to contact the LB address (that lives on the same gateway) it fails.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

Technically, it's not a supported configuration.
If you can make the changes via syslog.conf manually, you can prevent the file from being overwritten by using chattr +i on the file.
This will, of course, prevent any syslog-related changes from being made via the officially supported mechanisms.

0 Kudos