R77.20 and Older Version.

Please check the link below to find step-by-step method to send Check Point Tracker logs to any external Syslog server.

The Following link is from Our official Check Point CCSP TAC support portal.

Check Point and Syslog

R77.30

  1. Configuring Check Point management server to send Check Point logs to syslog is a two step process.  First configuring Check Point to send tracker logs to /var/log/messages then sending /var/log/messages to remote syslog server.
  2. Perform ssh to Management server and enter expert mode.
  3. Open cpboot file in vi editor and add the following line at the end of the file.
    • Location of cpboot will be “/etc/rc.d/init.d/cpboot”
    • Take backup of existing file.
    • #cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot.backup
    • Edit the cpboot file
    • #vi /etc/rc.d/init.d/cpboot
    • Add following line at the end. Please note this is a single line command so add it appropriately. If required just type it manually.
    • fw log -f -t -n -l 2> /dev/null | awk ‘NF’ | sed ‘/^$/d’ | logge
      r -p local4.info -t CP_FireWall &
    • Once the entry is made save the file and exit.
    • Please check the screen shots below.
  4. BEFORE Making any changes to cpboot file.
  5. syslog-before
  6. AFTER Making necessary changes to cpboot file.
  7. syslog-after
  8. Now reboot the Management server for changes to take effect. Please note cpstop/cpstart will not work so go ahead and reboot your Check Point Management server.
  9. Once the Management server is rebooted you will notice that /var/log/messages file has started receiving Check Point tracker logs.
  10. Run this command to check the contents of /var/log/messages file.
    • #tail -f /var/log/messages
  11. Notice the new entries in /var/log/messages file as show below.
  12. cp-logs
  13. Now we need to send these messages to remote syslog server. Open ssh connection to Management server in normal user mode and enter the following command.
    • CheckPoint-Mgmt>add syslog log-remote-address 192.168.223.122 level info
    • Change the ip address to your syslog server where you want to forward Check Point logs.
  14. syslog-ip
  15. Save the configuration so that the changes survive reboot.
  16. Now you should be able to see Check Point logs on Syslog server. Please leave your comments if you are still not able to achieve your objective.
  17. Following screen shot is taken from Splunk server.
  18. cp-syslog-spllunk.png

Latest posts by QOS Technology (see all)

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz