Importing Syslog Messages

Many third-party devices use the syslog format for logging. To process third-party syslog messages, the Log Server reformats the raw data into the Check Point log format.

The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.

To import syslog messages, define your own syslog parser and install it on the Log Server.

SmartEvent can take the reformatted logs and convert them into security events.

Generating a Syslog Parser and Importing Syslog Messages

To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. That article shows you how to:

  1. Import some sample syslog messages to the Log Parsing Editor.
  2. Define the mapping between syslog fields and the Check Point log fields.
  3. Install the syslog parser on the Log Server.

After you import the syslog messages to the Log Server, you can see them in SmartConsole, in the Logs & Monitor > Logs tab.

Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.

Configuring SmartEvent to Read Imported Syslog Messages

After you import the syslog messages to the Log Server, you can forward them to the SmartEvent Server (and other OPSEC LEA clients) in the same way as other Check Point logs. SmartEvent converts the syslog messages into security events.

To configure the SmartEvent Server to read logs from this Log Server:

  1. Configure SmartEvent to read logs from the Log Server.
  2. In SmartEvent or in the SmartConsole event views, make a query to filter by the Product Name field. This field uniquely identifies the events that are created from the syslog messages.
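The following Python script is an added illustration of what step 2 of the import procedure (mapping syslog fields to Check Point log fields) and the Product Name filter in the SmartEvent query rely on. It is not Check Point's parser definition format and is not produced by the Log Parsing Editor; the device name, the key=value message layout, the field names and the sample messages are all constructed assumptions. Lines that do not match the expected layout are rejected rather than silently dropped, which is the case a parser author most needs to check before installing the parser.

```python
import re

# Constructed sample messages in RFC 3164 style from a hypothetical third-party firewall.
# The last line is deliberately malformed to show how unparseable input is handled.
SAMPLE_MESSAGES = [
    "<134>Mar  3 10:15:42 fw-edge-01 acmefw[1234]: action=deny src=198.51.100.7 dst=192.0.2.10 dport=445 proto=tcp",
    "<133>Mar  3 10:15:43 fw-edge-01 acmefw[1234]: action=allow src=192.0.2.5 dst=192.0.2.10 dport=443 proto=tcp",
    "garbage line that does not match the expected format",
]

# PRI, BSD timestamp, hostname, tag with optional PID, then the free-text message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hypothetical mapping from the device's key=value names to Check Point-style field names.
FIELD_MAP = {"src": "src", "dst": "dst", "dport": "service", "proto": "proto", "action": "action"}


def parse_syslog(line, product_name="ACME Firewall"):
    """Return a dict of mapped fields, or None if the line is not a recognised syslog message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    record = {
        "facility": pri // 8,          # standard syslog PRI decoding
        "severity": pri % 8,
        "origin": m.group("host"),
        "product": product_name,       # assumed name for the Product Name field SmartEvent filters on
    }
    for token in m.group("msg").split():
        key, sep, value = token.partition("=")
        if sep and key in FIELD_MAP:
            record[FIELD_MAP[key]] = value
    return record


def parse_batch(lines, product_name="ACME Firewall"):
    """Split input into parsed records and rejected raw lines so failures are visible, not lost."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_syslog(line, product_name)
        if rec is None:
            rejected.append(line)
        else:
            parsed.append(rec)
    return parsed, rejected
```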