
Manual Syslog Parsing

To parse a syslog file:

  1. Create a new parsing file called <device product name>.C.
  2. Put this file in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
  3. On the Log Server, edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C to add a line that includes the new parsing file. For example:

    : (
    :command (
    :cmd_name (include)
    :file_name ("snortPolicy.C")
    )
    )

  4. Optional, only if a dictionary is required:
    1. Create a new dictionary file called <device product name>_dict.ini.
    2. Put it in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.

      A dictionary translates values with the same meaning from logs from different devices into a common value. This common value is used in the Event Definitions.

    3. Edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C on the Log Server.
    4. Add a line to include the dictionary file. For example:

    :filename ("snort_dict.ini")

  5. To examine the parsing, send syslog samples to a Check Point Log Server.
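A practical check before restarting fwd on the Log Server is to confirm that every parsing file named by an include command in UserDefinedSyslogDevices.C is actually present in $FWDIR/conf/syslog/UserDefined. The script below is an added example, not Check Point's own code: it parses the nested :name (value) syntax exactly as it appears in the snippet above (that subset of the syntax is assumed from the snippet), collects the include targets and lists any that are missing, using a constructed sample instead of a real file.

```python
import re
from pathlib import Path

# Tokens of the ":name (value)" set-file syntax shown above (assumed subset):
# key, '(', ')', quoted string, bare word, or anything else (rejected).
_TOKEN = re.compile(r':([\w.-]*)|(\()|(\))|"([^"]*)"|([^\s()":]+)|(\S)')

def parse(text):
    """Return [(name, value), ...]; a value is an atom string or a nested list."""
    stack = [("", [])]   # open blocks as (name, body); the bottom frame is the file
    name = None          # key seen, its '(' not yet
    for m in _TOKEN.finditer(text):
        key, opn, cls, quoted, word, junk = m.groups()
        body = stack[-1][1]
        # A key must be followed by '('; once a block holds an atom only ')' may follow.
        if junk or bool(opn) != (name is not None) or (body and isinstance(body[0], str) and not cls):
            raise ValueError(f"unexpected {m.group()!r} at offset {m.start()}")
        if key is not None:          # ': (' is an entry with an empty name
            name = key
        elif opn:
            stack.append((name, []))
            name = None
        elif cls:
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            ename, body = stack.pop()
            stack[-1][1].append((ename, body[0] if body and isinstance(body[0], str) else body))
        else:                        # an atom is the whole value of its block
            if len(stack) == 1 or body:
                raise ValueError("atom outside a block or mixed with entries")
            body.append(quoted if quoted is not None else word)
    if len(stack) > 1 or name is not None:
        raise ValueError("missing ')'")
    return stack[0][1]

def include_targets(entries):
    """File names from every ':command' block whose :cmd_name is include."""
    found = []
    for name, value in entries:
        if isinstance(value, list):
            fields = {k: v for k, v in value if isinstance(v, str)}
            if name == "command" and fields.get("cmd_name") == "include" and "file_name" in fields:
                found.append(fields["file_name"])
            found.extend(include_targets(value))
    return found

def missing_includes(text, user_defined_dir):  # included files absent from user_defined_dir
    return [f for f in include_targets(parse(text)) if not (Path(user_defined_dir) / f).is_file()]

# Constructed sample in the shape of the UserDefinedSyslogDevices.C include entries above.
SAMPLE = (': (\n:command (\n:cmd_name (include)\n:file_name ("snortPolicy.C")\n)\n)\n'
          ': (\n:command (\n:cmd_name (include)\n:file_name ("myDevice.C")\n)\n)\n')
```

Run it as `missing_includes(open(path).read(), "$FWDIR/conf/syslog/UserDefined")` with the path expanded; an empty list means every included parsing file is in place.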

To send syslog samples:

  1. To configure the Log Server to accept syslogs, connect to the Security Management Server with SmartConsole.
  2. In Logs and Masters > Additional Logging Configuration, enable the property Accept Syslog messages.
  3. Edit the Log Server network object.
  4. Run the commands cpstop & cpstart, or fw kill fwd & fwd -n.

    The fwd process on the Log Server restarts.

  5. Send syslogs from the device itself, or from a syslog generator.

    For example: Kiwi Syslog Message Generator, available at http://www.kiwisyslog.com/software_downloads.htm#sysloggen.

Troubleshooting:

If SmartConsole does not show the logs as expected, there can be problems with the parsing files: