R77.20 and Older Versions.
The following is a step-by-step method for sending Check Point tracker logs to any external syslog server.
The procedure follows the article published on the official Check Point CCSP TAC support portal.
- Configuring a Check Point management server to send Check Point logs to syslog is a two-step process: first configure Check Point to write tracker logs to /var/log/messages, then have Gaia forward /var/log/messages to the remote syslog server. Note that the second step uses standard unencrypted syslog over UDP/514, so the collector should sit on a trusted management network.
- SSH to the Management server and enter expert mode.
- Open the cpboot file in vi and add the line shown below at the end of the file.
- The location of cpboot is /etc/rc.d/init.d/cpboot.
- Take a backup of the existing file first:
- #cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot.backup
- Edit the cpboot file:
- #vi /etc/rc.d/init.d/cpboot
- Add the following at the end of the file. Note that this is a single line; if it wraps when copied, type it manually on one line. The awk and sed stages drop blank records, and the trailing & backgrounds the pipeline so cpboot does not block.
- fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &
- Once the entry is made, save the file and exit.
- The screenshots below show the file before and after the change.
- [Screenshot: cpboot file BEFORE the change]
- [Screenshot: cpboot file AFTER the change]
- Now reboot the Management server for the change to take effect. cpstop/cpstart is not enough, because the added line only runs when cpboot is executed at boot, so go ahead and reboot the Check Point Management server.
- Once the Management server has rebooted, you will see that /var/log/messages has started receiving Check Point tracker logs.
- Run this command to watch the contents of /var/log/messages:
- #tail -f /var/log/messages
- Notice the new entries in /var/log/messages, as shown below.
- Now these messages need to be sent to the remote syslog server. Open an SSH connection to the Management server in normal (clish) mode and enter the following command.
- CheckPoint-Mgmt>add syslog log-remote-address 192.168.223.122 level info
- Replace the IP address with that of the syslog server you want to forward Check Point logs to.
- Save the configuration so that the change survives a reboot.
- You should now see Check Point logs on the syslog server. Please leave a comment if you are still unable to achieve your objective.
- The following screenshot is taken from a Splunk server.
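The cpboot edit above is done by hand in vi; the following bash helper is an added example, not part of the original post or of Check Point's tooling, that performs the same edit in a safer way: it takes the backup, appends the exact logger line from this post only if it is not already present (so running it twice does not start two fw log pipelines), and offers a check you can run to confirm the file contains the line exactly once. It assumes the Gaia path /etc/rc.d/init.d/cpboot as the default, and the function names and the cpboot.backup suffix are this example's own choices; pass a different path to try it on a scratch file on any Linux host.

```bash
#!/bin/bash
# Added example (not from the original post): idempotently append the
# fw log -> logger pipeline to cpboot, keeping a backup, and verify it.

# The exact line the post tells you to add to cpboot (single line).
CPBOOT_LINE="fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^\$/d' | logger -p local4.info -t CP_FireWall &"

# Fixed substring used to detect whether the line is already there.
CPBOOT_MARKER='logger -p local4.info -t CP_FireWall'

# Append CPBOOT_LINE to the cpboot file given as $1 (default: Gaia path).
# Return codes: 0 = line added, 1 = already present (nothing changed),
# 2 = file missing or write failed.
add_cpboot_logger() {
    local cpboot="${1:-/etc/rc.d/init.d/cpboot}"
    [ -f "$cpboot" ] || { echo "no such file: $cpboot" >&2; return 2; }
    if grep -qF -- "$CPBOOT_MARKER" "$cpboot"; then
        echo "logger line already present in $cpboot, not adding again" >&2
        return 1
    fi
    # Backup first (cp -p keeps the executable bit of the init script).
    cp -p "$cpboot" "$cpboot.backup" || return 2
    printf '\n%s\n' "$CPBOOT_LINE" >> "$cpboot" || return 2
    return 0
}

# Print how many times the logger line occurs in the file; should be 1.
count_cpboot_logger() {
    grep -cF -- "$CPBOOT_MARKER" "${1:-/etc/rc.d/init.d/cpboot}"
}

# Usage on the management server, in expert mode:
#   source ./cpboot_logger.sh
#   add_cpboot_logger && count_cpboot_logger
# then reboot, and from clish:
#   add syslog log-remote-address <syslog-ip> level info
#   save config
```

The script only edits cpboot; the clish commands in the comment are the Gaia commands from the post plus `save config`, which is what makes the syslog forwarding survive a reboot. Keep in mind that cpboot is part of the Check Point installation, so re-check the file (the `count_cpboot_logger` call) after any upgrade or hotfix that may have replaced it.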