
Working with Syslog Servers

Syslog (System Logging Protocol) is a standard protocol used to send system log or event messages to a specific server, the syslog server. The syslog protocol is enabled on most network devices such as routers and switches.

Use Case

Syslog is used by many log analysis tools included in the cloud. If you want to use these tools, make sure Check Point logs are sent from the gateway to the syslog server in syslog format.

By default, gateway logs are sent to the Security Management Server. But you can configure gateways to send logs directly to syslog servers.

  1. Define syslog servers.
  2. Update the logging properties of the gateways.

These syslog protocols are supported: RFC 3164 (old) and RFC 5424 (new).

These features are not supported: IPv6 logs and Software Blade logs.

To create a syslog server:

  1. Open Object Explorer > New > Server > More > Syslog.
  2. Configure these fields:
    • Name - Enter a name for this server, to be a unique network object.
    • Host - Select an existing host or click New to define a new computer or appliance.
    • Port - Enter the port number for syslog traffic. (Default = 514)
    • Version - Select BSD Protocol or Syslog Protocol.
  3. Click OK.

    Note - Syslog is not an encrypted protocol. Make sure the Security Gateway and the Log Proxy are located close to each other and that they communicate over a secure network.

    You can configure a gateway to send logs to multiple syslog servers. The syslog servers must be the same type: BSD Protocol or Syslog Protocol.

To send the logs of a gateway to syslog servers:

  1. In SmartConsole, on the gateway Properties > General Properties page > Management tab, make sure Logging & Status is selected.
  2. On the Logs page, in the Send logs and alerts to these log servers table, click the green (+) button to add syslog servers.

    Note - You cannot configure a Syslog server as a backup server.

  3. Click OK.
  4. Install policy.

The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature:

0 = Disabled (default)

1 = Enabled

You can enable or disable Syslog in Kernel temporarily (until the system reboots) or permanently (until manually disabled).

To temporarily enable Syslog in Kernel on a Security Gateway:

  1. Run: # fw ctl set int fwsyslog_enable 1
  2. Install Policy.

To permanently enable Syslog in Kernel on a Security Gateway:

  1. Run:

    echo fwsyslog_enable=1 >> $FWDIR/modules/fwkern.conf

  2. Reboot the Security Gateway or cluster members.

To disable Syslog in Kernel temporarily:

Run: # fw ctl set int fwsyslog_enable 0

To disable Syslog in Kernel permanently:

  1. Open $FWDIR/modules/fwkern.conf in a text editor and do one of these actions:
    • Set fwsyslog_enable=0

      or

    • Delete the fwsyslog_enable line.
  2. Reboot the Security Gateway.

To see the Syslog in Kernel status:

[Expert@host:0]# fw ctl get int fwsyslog_enable

You can see the count of logs sent to syslog from the kernel. Log counters start when you install the policy.

To see log count for an instance:

[Expert@host:0]# fw -i <instance_number> ctl get size fwsyslog_nlogs_counter

Sample output:

fwsyslog_nlogs_counter = 21

To see log count for all instances:

  1. Open two command line connections to the Security Gateway.
  2. On the first CLI connection, run: # fw ctl zdebug
  3. On the second CLI connection, run: # fw ctl set size fwsyslog_print_counter 1
  4. On the first CLI connection, see the counter for each instance and the sum of all instances.

Sample output:

;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;

;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;

;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;

;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;
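As an added example (not part of the Check Point documentation), a small Python parser that reads the counter lines printed by fw ctl zdebug, as shown above, and checks that the per-instance counts add up to the reported total; the sample text is the output above embedded as a constructed string, and the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the debug lines shown above, as printed by `fw ctl zdebug`
# after `fw ctl set size fwsyslog_print_counter 1` runs on the second session.
SAMPLE_ZDEBUG = """\
;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;
;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;
;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;
;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;
"""

INSTANCE_RE = re.compile(r"Number of logs sent from instance (\d+) is (\d+);")
TOTAL_RE = re.compile(r"Total fwsyslog_nlogs_counter = (\d+);")
SINGLE_RE = re.compile(r"^fwsyslog_nlogs_counter = (\d+)$")


def parse_zdebug_counters(text: str) -> Tuple[Dict[int, int], Optional[int]]:
    """Return ({instance: count}, reported_total) from fw ctl zdebug output.
    Unrelated debug lines are ignored; reported_total is None if absent."""
    per_instance: Dict[int, int] = {}
    total: Optional[int] = None
    for line in text.splitlines():
        m = INSTANCE_RE.search(line)
        if m:
            per_instance[int(m.group(1))] = int(m.group(2))
            continue
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
    return per_instance, total


def counters_consistent(text: str) -> bool:
    """True when the per-instance counters add up to the reported total.
    A mismatch usually means the output was captured across a policy install
    (counters reset on install) or that some instance lines were missed."""
    per_instance, total = parse_zdebug_counters(text)
    return total is not None and bool(per_instance) and sum(per_instance.values()) == total


def parse_single_instance(text: str) -> Optional[int]:
    """Parse the output of `fw -i <instance_number> ctl get size fwsyslog_nlogs_counter`."""
    m = SINGLE_RE.match(text.strip())
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    counts, total = parse_zdebug_counters(SAMPLE_ZDEBUG)
    print(counts, total, counters_consistent(SAMPLE_ZDEBUG))
```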

For more on syslog, see: Manual Syslog Parsing