Overview

The Security Management Server generates audit logs for the activities performed on its database, such as:

1. Login / Logout

2. Object Manipulation (Create / Modify / Delete)

3. Publishing the Changes

4. Policy Installation

All of the above activities are recorded in the $FWDIR/log/fw.adtlog file on the Management Server.

This article provides a way to forward Audit logs from Management Server to an External Syslog Server.

Procedure

1) Add the line below to /etc/rc.d/init.d/cpboot so that the audit logs are sent to the /var/log/messages file:

fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &

The original content of /etc/rc.d/init.d/cpboot is shown below:

Image_1

After making the change, the content of the file will be:

Image_2

2) Reboot the Management Server for the changes to take effect.

3) Configure the remote syslog server on the Management Server with the following commands:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

> save config

Image_3

4) Now generate some audit logs on the Management Server by logging in to and out of SmartDashboard, manipulating objects, publishing the changes, and installing policy.
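What the syslog server receives after these steps is a stream of RFC 3164-style lines carrying the CP_FireWall tag at priority local5.info. The Python script below is an added example written for this article, not part of the original post or of Check Point's own tooling: it decodes the syslog priority, keeps only the CP_FireWall-tagged lines, splits each audit record into fields, and flags the operations that change enforced policy. The sample lines and the field names inside them (Operation, Administrator, ObjectName, Status) are constructed for illustration; the field names in real fw.adtlog records may differ, so adjust the parser to the lines your own server receives.

```python
"""Parse Check Point audit lines as forwarded by
`fw log -f -t -n -l $FWDIR/log/fw.adtlog | logger -p local5.info -t CP_FireWall`.

Example code written for this article; not Check Point code. The audit field
names in SAMPLE_LINES are an assumption for illustration only.
"""
import re
from collections import Counter

# Constructed sample input: what a syslog server might receive from the
# management server (CP_FireWall lines) mixed with an unrelated sshd line
# and a line that is not valid syslog at all.
SAMPLE_LINES = [
    "<174>Mar 12 10:00:01 mgmt-srv CP_FireWall: Date: 12Mar2020; Time: 10:00:01; Operation: Log In; Administrator: admin; Client: SmartDashboard; Status: Success",
    "<174>Mar 12 10:05:12 mgmt-srv CP_FireWall: Date: 12Mar2020; Time: 10:05:12; Operation: Create Object; Administrator: admin; ObjectName: RK_Test_NW; ObjectType: network",
    "<174>Mar 12 10:05:40 mgmt-srv CP_FireWall: Date: 12Mar2020; Time: 10:05:40; Operation: Publish; Administrator: admin; Status: Success",
    "<174>Mar 12 10:20:03 mgmt-srv CP_FireWall: Date: 12Mar2020; Time: 10:20:03; Operation: Install Policy; Administrator: admin; ObjectName: Standard; Status: Success",
    "<174>Mar 12 10:25:00 mgmt-srv CP_FireWall: Date: 12Mar2020; Time: 10:25:00; Operation: Log Out; Administrator: admin",
    "<38>Mar 12 10:25:30 mgmt-srv sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2",
    "garbage line that does not parse",
]

# `logger -p local5.info` encodes facility local5 (21) and severity info (6):
# PRI = 21 * 8 + 6 = 174, which is the <174> prefix on the sample lines.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss host TAG[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Tag chosen on the management server with `logger -t CP_FireWall`.
AUDIT_TAG = "CP_FireWall"


def parse_line(line):
    """Return a dict for a well-formed syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    # The audit record is a sequence of "Field: value;" pairs; the first ':' splits
    # the name from the value, so values containing ':' (e.g. Time) survive.
    fields = {}
    for part in m.group("msg").split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            fields[name.strip()] = value.strip()
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": fields,
    }


def audit_events(lines):
    """Keep only the lines that carry the management server's audit tag."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["tag"] == AUDIT_TAG:
            events.append(ev)
    return events


def operation_counts(lines):
    """Count audit operations (Log In, Publish, Install Policy, ...)."""
    return Counter(ev["fields"].get("Operation", "<unknown>") for ev in audit_events(lines))


# Operations that alter what the gateways enforce; worth alerting on.
HIGH_IMPACT = {"Publish", "Install Policy", "Delete Object"}


def high_impact_changes(lines):
    """Return (administrator, operation, object) for policy-changing operations."""
    hits = []
    for ev in audit_events(lines):
        f = ev["fields"]
        if f.get("Operation") in HIGH_IMPACT:
            hits.append((f.get("Administrator", "?"), f["Operation"], f.get("ObjectName", "-")))
    return hits


if __name__ == "__main__":
    for op, n in operation_counts(SAMPLE_LINES).items():
        print(f"{op:15s} {n}")
    for admin, op, obj in high_impact_changes(SAMPLE_LINES):
        print(f"ALERT {admin} performed {op} on {obj}")
```

The first thing to verify on the receiving side is that the lines arrive with facility local5 and severity info; if they show up under a different facility, the syslog server's filter rules will silently drop them, and the parser returns the decoded pair so that mismatch is visible.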

Login / Logout Activity

1) Log in to SmartDashboard with a username and password.

2) The corresponding audit log in the SmartDashboard Logs section will be:

Image_4

Image_5

3) On the syslog server, this activity can be seen as:

Image_6

4) The same when a user logs out of SmartDashboard:

Image_7

Image_8

Object Manipulation (Create) & Publish Activity

1) Here, I created a test network object, RK_Test_NW (192.168.17.0/24), in SmartDashboard and published the changes.

Image_9

2) The corresponding audit log can be seen as:

Image_10

Image-11

Image-12

3) On the syslog server, this activity is recorded as:

Image-13

Policy Installation Activity

1) I installed the Firewall and Threat Prevention policies on my gateway.

Image-14

2) The audit logs for the policy installation will be:

Image-15

3) On the syslog server, this is seen as:

Image-16

Object Manipulation (Delete) & Publishing Changes

1) I deleted the test network object RK_Test_NW, which we created previously, from SmartDashboard and published the changes. The corresponding audit log is:

Image-17

Image-18

Image-19

2) The logs on the syslog server will be:

Image-20

For additional information, feel free to write in the comments section.

Raghu K

Senior Network Security Engineer at QOS Technology

    5 Comments on "Forwarding Check Point Audit Logs to Syslog Server"

    Juan
    Guest

    hello,

    Thanks very much for the article. It works perfectly. I was looking for it in the Check Point support database, but it doesn't exist there.

    In your experience, can this procedure negatively affect the services on the management server? Is it completely safe to execute?

    Thanks in advance for your attention.

    raghu
    Guest

    Hi Juan,

    Thanks for the feedback!

    We have implemented the above solution on a few customers' live setups, and no issues have been reported with the performance of the devices after implementation.

    Raghu K

    Erikas
    Guest

    Hi,
    When you issue the command > add syslog log-remote-address level info,
    the syslogd daemon (listening on port 514 for syslog messages on the management server) is shut down. There is an article you can read: Gaia OS syslogd daemon and Check Point syslog daemon cannot run simultaneously.
    There is a solution:
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115392&partition=Advanced&product=Security

    Yuber
    Guest

    Hi,
    Thank you for this configuration, it was very useful for me.

    Suresh
    Guest

    Can you share the steps to perform the same on MDS? That is, all the audit changes done on the individual CMAs should be exported to an external syslog…
    Thanks in Advance
