Forwarding Check Point Audit Logs to Syslog Server

By Raghu K in Check Point

Overview

The Security Management Server generates an audit log for the administrative activities performed on its database, such as:

1. Login / Logout

2. Object Manipulation (Create / Modify / Delete)

3. Publishing the Changes

4. Policy Installation

All of the above activities are recorded in the $FWDIR/log/fw.adtlog file on the Management Server.

This article shows how to forward these audit logs from the Management Server to an external syslog server.

Procedure

1) Add the line below to /etc/rc.d/init.d/cpboot so that new audit log entries are written to the local syslog (/var/log/messages) from boot onwards. "fw log -f -t -n -l" starts at the end of the audit log, keeps following it, prints each new record with its date and time and without DNS resolution, and logger sends every line to syslog with facility local5, priority info and the tag CP_FireWall. Re-check this file after an upgrade or hotfix installation, since such operations may replace it.

fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &

The original content of /etc/rc.d/init.d/cpboot is as shown below:

Image_1

After making the changes the content of this file will be:

Image_2

2) Reboot the Management Server for the change to take effect. The same command can also be run once from the expert shell as root to start forwarding immediately; the cpboot entry is what makes it persist across reboots.

3) Configure the remote syslog server on the Management Server in Gaia clish with the following commands. The level "info" matches the priority used by logger above (local5.info), so the audit entries are included in what Gaia forwards:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

> save config

Image_3

4) Now generate some audit events on the Management Server: log in to and out of SmartDashboard, create or delete an object, publish the changes, and install policy. The sections below show each of these events as recorded in SmartDashboard and as received on the syslog server.
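The cpboot edit in step 1 is a one-line change, but it is easy to get wrong in two ways: appending the line a second time (for example when re-applying it after an upgrade) starts two forwarders and duplicates every event, and the edit alone does not prove that anything is running. The script below is an added example, not part of the original article, that applies the line idempotently and checks for the forwarder process. The forwarder line, the cpboot path and the CP_FireWall tag are the article's; the function names and the pgrep pattern are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the cpboot change
# idempotently and check that the forwarder is alive. The forwarder line,
# the cpboot path and the CP_FireWall tag are the article's; the function
# names and the pgrep pattern are this example's own choices.

# Exact line the article appends to /etc/rc.d/init.d/cpboot. Single quotes
# keep $FWDIR unexpanded here; cpboot expands it at boot.
FORWARDER_LINE='fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &'

# count_line FILE LINE: number of lines in FILE identical to LINE
# (0 when FILE does not exist).
count_line() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$1" || true
}

# ensure_line FILE LINE: append LINE unless an identical line is already
# present. Returns 0 when it added the line, 1 when nothing was needed.
# Running the change twice (e.g. re-applying it after an upgrade replaced
# cpboot) must not start two forwarders, which would deliver every audit
# event to syslog twice.
ensure_line() {
    if grep -qxF -- "$2" "$1" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# forwarder_running: succeed if an "fw log -f ... fw.adtlog" process exists.
# Run this after the reboot (or after starting the line by hand) to confirm
# the feed into syslog is actually up; the cpboot edit alone proves nothing.
forwarder_running() {
    pgrep -f 'fw log -f .*fw\.adtlog' >/dev/null 2>&1
}

# Usage on the Management Server (expert mode, as root):
#   . ./cp_audit_forwarder.sh
#   ensure_line /etc/rc.d/init.d/cpboot "$FORWARDER_LINE" && echo "line added"
#   forwarder_running || echo "forwarder not running: reboot, or start the line manually"
```

The grep -x/-F combination matches the whole line literally, so the unexpanded $FWDIR and the pipe in the forwarder line are compared as plain text rather than as a pattern.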

Login / Logout Activity

1) Access the SmartDashboard with the username & password combination.

2) The audit log for this login in the SmartDashboard Logs section looks like this:

Image_4

Image_5

3) On Syslog Server, this activity can be seen as:

Image_6

4) The same when the user logs out of SmartDashboard:

Image_7

Image_8

Object Manipulation (Create) & Publish Activity

1) Here, I created a test network object, RK_Test_NW (192.168.17.0/24), in SmartDashboard and published the changes.

Image_9

2) The audit log for the same can be seen as:

Image_10

Image_11

Image_12

3) On Syslog Server this activity will be recorded as:

Image_13

Policy Installation Activity

1) Installed the Firewall and Threat Prevention Policies on my gateway.

Image_14

2) The audit logs for policy installation will be:

Image_15

3) On Syslog Server this will be seen as:

Image_16

Object Manipulation (Delete) & Publishing Changes

1) Deleted the test network object RK_Test_NW, which we created previously, from SmartDashboard and published the changes. The audit log for this is:

Image_17

Image_18

Image_19

2) The logs on Syslog Server will be:

Image_20
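Once the events above arrive on the syslog server they share the feed with everything else the Management Server logs, so the receiving side needs to pick out the CP_FireWall-tagged lines and read the fields inside them. The script below is an added example, not part of the original article, that does this for the four kinds of activity the article walks through (login/logout, object create/delete, publish, policy installation) and flags configuration changes made by an unexpected administrator. The syslog framing (timestamp, host, the CP_FireWall tag that logger -t adds) follows the article's setup; the "Key: value;" field names inside each event and all sample lines are constructed for this example, not captured from a real server, and the key names should be adjusted to what the fw log output on your server actually shows.

```shell
#!/bin/sh
# Added example, not part of the original article: make sense of the audit
# events once they reach the syslog server. The syslog framing (timestamp,
# host, the CP_FireWall tag that "logger -t" adds) follows the article's
# setup. The "Key: value;" fields inside each event and the sample lines
# below are constructed for this example, not captured from a real server.
SAMPLE_SYSLOG='Mar 12 10:01:02 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:01:02; Subject: Administrator Login; Administrator: admin; Operation: Log In; Client: SmartDashboard; Machine: 192.168.17.50
Mar 12 10:02:15 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:02:15; Subject: Object Manipulation; Administrator: admin; Operation: Create Object; ObjectName: RK_Test_NW; ObjectType: network
Mar 12 10:02:40 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:02:40; Subject: Publish; Administrator: admin; Operation: Publish
Mar 12 10:05:00 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:05:00; Subject: Policy Installation; Administrator: admin; Operation: Install Policy; Policy Name: Standard
Mar 12 10:06:10 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:06:10; Subject: Object Manipulation; Administrator: rk_ops; Operation: Modify Object; ObjectName: RK_Test_NW; ObjectType: network
Mar 12 10:07:30 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:07:30; Subject: Object Manipulation; Administrator: admin; Operation: Delete Object; ObjectName: RK_Test_NW; ObjectType: network
Mar 12 10:07:45 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:07:45; Subject: Publish; Administrator: admin; Operation: Publish
Mar 12 10:08:00 cpmgmt CP_FireWall: Date: 12Mar2019; Time: 10:08:00; Subject: Administrator Login; Administrator: admin; Operation: Log Out; Client: SmartDashboard
Mar 12 10:08:01 cpmgmt sshd[1234]: Accepted password for admin from 192.168.17.50 port 51000 ssh2'

# cp_audit_only: keep only lines written by the forwarder. The Management
# Server's other syslog traffic (sshd, cron, ...) arrives on the same feed.
cp_audit_only() {
    grep ' CP_FireWall: '
}

# summarize: one tab-separated line per audit event:
# Operation <TAB> Administrator <TAB> ObjectName (or "-" when there is none).
summarize() {
    cp_audit_only | awk -F'; ' '
    {
        split("", f)                      # portable way to clear the array
        sub(/^.*CP_FireWall: /, "", $1)   # drop the syslog prefix before "Date:"
        for (i = 1; i <= NF; i++) {
            n = index($i, ": ")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 2)
        }
        obj = ("ObjectName" in f) ? f["ObjectName"] : "-"
        printf "%s\t%s\t%s\n", f["Operation"], f["Administrator"], obj
    }'
}

# count_operation OP: how many sample events carry Operation OP.
count_operation() {
    printf '%s\n' "$SAMPLE_SYSLOG" | summarize |
        awk -F'\t' -v op="$1" '$1 == op { c++ } END { print c + 0 }'
}

# changes_not_by ADMIN: configuration changes (object create/modify/delete,
# publish, policy install) made by anyone other than ADMIN. When a single
# account is supposed to own all changes, any output here deserves an alert.
changes_not_by() {
    printf '%s\n' "$SAMPLE_SYSLOG" | summarize |
        awk -F'\t' -v ok="$1" '
            $1 ~ /Object$|^Publish$|^Install Policy$/ && $2 != ok {
                print $1 " by " $2 " on " $3
            }'
}

# Against a live feed, replace the printf of SAMPLE_SYSLOG with
#   tail -f <file your syslog daemon writes the remote feed to> | summarize
# on the syslog server.
```

Splitting on "; " and then on the first ": " keeps the parser independent of field order, which matters because the order and set of fields differ between a login event and an object change.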
