Export logs via Syslog

From Tech-Wiki

Latest revision as of 18:38, 25 February 2019

Forwarding traffic logs stored on the Management Server to a syslog server

1. Add the following line to /etc/rc.d/init.d/cpboot on the Management Server so the forwarder starts together with the Check Point services at boot (run the same line from Expert mode to start it without rebooting):

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

fw log -f follows the active log, -t starts at its end instead of replaying existing records, -n disables name resolution and -l prints date and time with each record. awk 'NF' and sed '/^$/d' both remove the blank lines fw log prints between records, so either one alone is sufficient. logger hands each line to the local syslog daemon with priority local4.info and the tag CP_FireWall. The pipeline is started once: if fw log exits for any reason, forwarding stops until the next reboot, and cpboot may be replaced by an upgrade, so check after upgrades that the line is still present.

2. Each record now also appears in the local syslog file /var/log/messages with the CP_FireWall tag, in addition to the original firewall log, which is unchanged.

3. Forward these messages to the remote syslog server. In clish on the Management Server:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info
> save config

The level must be info or lower for messages logged at local4.info to be forwarded; a stricter level (for example warning) silently drops them. Without save config the setting is lost at the next reboot. Gaia forwards these messages as standard syslog (UDP port 514) without encryption, so the firewall records (addresses, rules, actions) cross the network in cleartext: keep the collector on a management network or tunnel the traffic.
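The pipeline in step 1 runs exactly once and nothing restarts it if fw log exits. The script below is an added example written for this page, not code from the wiki or from Check Point: it wraps the same pipeline (the page's fw log flags, the local4.info priority and the CP_FireWall tag) in a restart loop and exposes the blank-line filter as a function so it can be checked on constructed input. The function names, the FW_LOG_CMD override and the restart message are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the wiki page: a supervised version of the
# cpboot forwarding pipeline. The fw log flags, the priority and the tag
# are the page's; the function names, the FW_LOG_CMD override and the
# restart loop are this example's own choices.

# Producer of log records. On a Management Server this is the page's
# `fw log -f -t -n -l`; a test can override it with a command that prints
# constructed lines instead. Left unquoted below on purpose so the words
# are split into command and arguments.
FW_LOG_CMD="${FW_LOG_CMD:-fw log -f -t -n -l}"
SYSLOG_PRI="${SYSLOG_PRI:-local4.info}"
SYSLOG_TAG="${SYSLOG_TAG:-CP_FireWall}"

# fw log separates records with blank lines, which would otherwise reach
# syslog as empty messages. One filter does what the page's
# `awk 'NF' | sed '/^$/d'` pair does, since both drop the same lines.
filter_records() {
    awk 'NF'
}

# Approximate the message body logger -t produces ("TAG: record"), so the
# shape of what the collector will receive can be inspected or tested
# without a running syslog daemon.
format_for_syslog() {
    tag="${1:-$SYSLOG_TAG}"
    filter_records | sed "s/^/${tag}: /"
}

# Run the forwarder and restart it whenever the producer exits. The page's
# one-shot pipeline stops forwarding silently in that case; here the
# restart is reported through the same syslog channel, so a gap in the
# records is visible at the collector.
forward_loop() {
    while :; do
        $FW_LOG_CMD 2>/dev/null | filter_records | logger -p "$SYSLOG_PRI" -t "$SYSLOG_TAG"
        logger -p "$SYSLOG_PRI" -t "$SYSLOG_TAG" "fw log exited; restarting forwarder in 5s"
        sleep 5
    done
}

# Start the loop only when invoked with "start", e.g. from cpboot as
# `/path/to/cp_syslog_forward.sh start &`; sourcing the file for its
# functions does nothing.
case "${1:-}" in
    start) forward_loop ;;
esac
```

Save it as a separate script (the path above is illustrative) and reference that script from cpboot instead of the bare pipeline; the filter and tagging behaviour is identical to the page's command, only the supervision is added.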

If you want to forward directly from the gateways to the syslog devices instead, create an OPSEC Syslog server object (this requires the add-on described in sk105412), configure the gateway to forward its logs to that server, then set this flag on the gateway:

# fw ctl set int fwsyslog_enable 1

Then install the policy. fw ctl set int changes only the running kernel; to keep the setting across reboots add the line fwsyslog_enable=1 to $FWDIR/boot/modules/fwkern.conf (create the file if it does not exist) and confirm the live value with fw ctl get int fwsyslog_enable.
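Editing fwkern.conf by hand tends to leave duplicate or conflicting lines after a few changes. The script below is an added example for this page, not Check Point code: it writes the fwsyslog_enable flag into $FWDIR/boot/modules/fwkern.conf idempotently (replacing an existing line for the same parameter, creating the file when absent) and applies the same value to the running kernel with fw ctl set int. The parameter name comes from the page; the function names, the temp-file rewrite and the use of FWDIR as the base path are this example's own.

```sh
#!/bin/sh
# Added example, not from the wiki page or Check Point: persist a kernel
# parameter in fwkern.conf without duplicating entries, and apply it live.
# fwkern.conf holds one `name=value` per line and is read at boot.

# Location of fwkern.conf. FWDIR is set in a Check Point shell; a test can
# point it at a scratch directory instead.
fwkern_conf_path() {
    printf '%s/boot/modules/fwkern.conf' "${FWDIR:?FWDIR is not set}"
}

# Write name=value, removing any existing line for that name first so
# repeated runs never leave two (possibly conflicting) entries behind.
set_fwkern_param() {
    conf="$1" name="$2" value="$3"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"      # the file does not exist on a fresh install
    tmp="$conf.$$"
    grep -v "^${name}=" "$conf" > "$tmp" || true   # grep exits 1 when nothing remains
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the persisted value of a parameter, or nothing if it is absent.
get_fwkern_param() {
    conf="$1" name="$2"
    [ -f "$conf" ] && sed -n "s/^${name}=//p" "$conf" | tail -n 1
}

# Apply to the running kernel too. `fw ctl set int` exists only on a
# Check Point gateway, so report its absence instead of failing silently.
apply_fwkern_param() {
    name="$1" value="$2"
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$name" "$value"
    else
        echo "fw not found in PATH; $name=$value persisted only" >&2
        return 1
    fi
}

# Usage on a gateway: ./fwsyslog_persist.sh enable
case "${1:-}" in
    enable)
        conf=$(fwkern_conf_path)
        set_fwkern_param "$conf" fwsyslog_enable 1
        apply_fwkern_param fwsyslog_enable 1
        echo "persisted: fwsyslog_enable=$(get_fwkern_param "$conf" fwsyslog_enable)"
        ;;
esac
```

Installing the policy is still required, as the page says; after the next reboot, fw ctl get int fwsyslog_enable should return the persisted value.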