
Check Point Tracker Logs to External Syslog Server

By Ashok Sharma in Check Point

R77.20 and Older Versions

Please check the link below to find a step-by-step method to send Check Point Tracker logs to any external Syslog server.

The following link is from the official Check Point CCSP TAC support portal.

Check Point and Syslog

R77.30

1. Configuring the Check Point management server to send Check Point logs to syslog is a two-step process: first configure Check Point to send tracker logs to /var/log/messages, then send /var/log/messages to the remote syslog server.

2. SSH to the Management server and enter expert mode.

3. Open the cpboot file in the vi editor and add the following line at the end of the file.


  • Location of cpboot will be "/etc/rc.d/init.d/cpboot"
  • Take a backup of the existing file.
  • #cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot.backup
  • Edit the cpboot file
  • #vi /etc/rc.d/init.d/cpboot
  • Add the following line at the end. Please note this is a single-line command, so add it appropriately. If required, just type it manually.
  • fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &
  • Once the entry is made, save the file and exit.
  • Please check the screenshots below.

4. BEFORE making any changes to the cpboot file.

5. [Screenshot: syslog-before]

6. AFTER making the necessary changes to the cpboot file.

7. [Screenshot: syslog-after]

8. Now reboot the Management server for the changes to take effect. Please note that cpstop/cpstart will not work, so go ahead and reboot your Check Point Management server.

9. Once the Management server has rebooted, you will notice that the /var/log/messages file has started receiving Check Point tracker logs.

10. Run this command to check the contents of the /var/log/messages file.


  • #tail -f /var/log/messages

11. Notice the new entries in the /var/log/messages file as shown below.

12. [Screenshot: cp-logs]

13. Now we need to send these messages to the remote syslog server. Open an SSH connection to the Management server in normal user mode and enter the following command.


  • CheckPoint-Mgmt>add syslog log-remote-address 192.168.223.122 level info
  • Change the IP address to that of your syslog server, where you want to forward the Check Point logs.

14. [Screenshot: syslog-ip]

15. Save the configuration so that the changes survive a reboot.

16. Now you should be able to see Check Point logs on the Syslog server. Please leave your comments if you are still not able to achieve your objective.

17. The following screenshot is taken from a Splunk server.

18. [Screenshot: cp-syslog-spllunk.png]
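As an added example (not from the original post or from Check Point), here is a small POSIX shell health check for the forwarding chain above, useful because the "fw log -f" reader started from cpboot dies silently if the hook is lost or the process exits. It assumes the CP_FireWall tag and hook line from step 3, takes file paths as parameters so it can be tested against saved copies, and assumes pgrep is available on Gaia.

```sh
#!/bin/sh
# Added example, not part of the original post: a health check for the
# cpboot -> /var/log/messages -> remote syslog chain described above.
# Assumptions: the logger tag is CP_FireWall (as in the post) and the
# hook line in cpboot is the one shown in step 3; file paths are passed
# as parameters so the checks can also be run against saved copies.

TAG="CP_FireWall"

# Returns 0 if the cpboot file ($1) still carries the forwarding hook.
# A lost hook (e.g. after the file was restored from backup) silently
# stops all tracker log forwarding after the next reboot.
cpboot_has_hook() {
    grep -q "fw log -f" "$1" && grep -q "logger -p local4.info -t ${TAG}" "$1"
}

# Prints how many of the last $2 lines of syslog file $1 carry the tag
# (0 when none); never fails, so it is safe under set -e.
recent_tagged_count() {
    tail -n "$2" "$1" | grep -c "${TAG}: " || true
}

# Returns 0 if the "fw log -f" reader started by cpboot is alive
# (pgrep is assumed available on Gaia). Only meaningful on the server.
reader_running() {
    pgrep -f "fw log -f" >/dev/null 2>&1
}

# Prints a one-word verdict and returns a distinct code per failure, so a
# cron job can alert on anything other than "ok".
#   $1 = cpboot path, $2 = syslog file path, $3 = window (lines)
check_forwarding() {
    if ! cpboot_has_hook "$1"; then
        echo "hook-missing"; return 1
    fi
    n=$(recent_tagged_count "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "no-recent-tracker-logs"; return 2
    fi
    echo "ok"; return 0
}

# Run on the management server (expert mode):
#   sh cp_syslog_check.sh /etc/rc.d/init.d/cpboot /var/log/messages 500
if [ "$#" -eq 3 ]; then
    check_forwarding "$1" "$2" "$3" || exit $?
    reader_running || { echo "fw-log-reader-not-running"; exit 3; }
fi
```

Schedule it from cron on the management server and alert on any verdict other than "ok" to catch a stalled log pipeline before an incident does.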
