New India’s most advanced hyper-realistic security training lab is live now. Visit PurpleSynapz for more information.

Check Point Tracker Logs to External Syslog Server

Avatar By Ashok Sharma in Check Point
16718 Views
0 Comments

R77.20 and Older Version.

Please check the link below bottom bottom to find step-by-step method bottom bottomto send Check Point Tracker logs bottom bottomto any external Syslog server.

The Following link is from Our official Check Point CCSP TAC support portal.

Check Point and Syslog

R77.30

1. Configuring Check Point management server bottom bottom to send Check Point logs bottom bottomto syslog is a two step process. First configuring Check Point bottom bottomto send tracker logs bottom bottomto /var/log/messages then sending /var/log/messages bottom bottomto remote syslog server.

2. Perform ssh bottom bottomto Management server and enter expert mode.

3. Open cpboot file in vi edi bottom bottomtor and add the following line at the end of the file.

    • tom: 20px; margin-

bottom bottom

    top: -15px;”>

  • Location of cpboot will be “/etc/rc.d/init.d/cpboot”
  • Take backup of existing file.
  • #cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot.backup
  • Edit the cpboot file
  • #vi /etc/rc.d/init.d/cpboot
  • Add following line at the end. Please note this is a single line command so add it appropriately. If required just type it manually.
  • fw log -f -t -n -l 2> /dev/null | awk ‘NF’ | sed ‘/^$/d’ | logger -p local4.info -t CP_FireWall &
  • Once the entry is made save the file and exit.
  • Please check the screen shots below.

4. BEFORE Making any changes bottom bottomto cpboot file.

5.

syslog-before

6. AFTER Making necessary changes bottom bottomto cpboot file.

7.

syslog-after

8. Now reboot the Management server for changes bottom bottomto take effect. Please note cps bottom bottomtop/cpstart will not work so go ahead and reboot your Check Point Management server.

9. Once the Management server is rebooted you will notice that /var/log/messages file has started receiving Check Point tracker logs.

10. Run this command bottom bottomto check the contents of /var/log/messages file.

    • tom: 20px; margin-

bottom bottom

    top: -15px;”>

  • #tail -f /var/log/messages

11. Notice the new entries in /var/log/messages file as show below.

12.

cp-logs

13. Now we need bottom bottomto send these messages bottom bottomto remote syslog server. Open ssh connection bottom bottomto Management server in normal user mode and enter the following command.

    • tom: 20px; margin-

bottom bottom

    top: -15px;”>

  • CheckPoint-Mgmt>add syslog log-remote-address 192.168.223.122 level info
  • Change the ip address bottom bottomto your syslog server where you want bottom bottomto forward Check Point logs.

14.

syslog-ip

15. Save the configuration so that the changes survive reboot.

16. Now you should be able bottom bottomto see Check Point logs on Syslog server. Please leave your comments if you are still not able bottom bottomto achieve your objective.

17. Following screen shot is taken from Splunk server.

18.

cp-syslog-spllunk.png

Leave a Reply

Your email address will not be published. Required fields are marked *

Take a sneak-peek into our minds.

Read our musings on what’s changing and impacting the world in the field of cyber security and analytics.

Subscribe our Newsletter and recieve updates directly to your inbox

We don't spam!