Configuring System Logging in Gaia Clish

Syntax for System Logging configuration

To send the Gaia system logs to a Check Point Management Server:

set syslog cplogs {on | off}

To send the Gaia configuration audit logs to a Check Point Management Server:

set syslog mgmtauditlogs {on | off}

To save the Gaia configuration audit logs:

set syslog auditlog {disable | permanent}

To configure the file name of the Gaia configuration audit log:

set syslog filename /<Path>/<File>

To show the Gaia system logging configuration:

show syslog

all

      auditlog

      cplogs

      filename

      mgmtauditlogs

Syntax for Remote System Logging configuration

To send Gaia system logs to a remote syslog server:

add syslog log-remote-address <IPv4 Address> level <Severity>

To show the Gaia system logging configuration:

show syslog

all

      log-remote-address <IPv4 Address>

      log-remote-addresses

To stop sending Gaia system logs to the specific remote server:

delete syslog log-remote-address <IPv4 Address> [level <Severity>]

CLI Parameters

Parameter

Description

cplogs {on | off}

Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server:

on - Send Gaia system syslogs
off - Do not send Gaia syslogs

Default: off

Note - This command corresponds to the Send Syslog messages to management server option in the Gaia Portal > System Management > System Logging.

mgmtauditlogs {on | off}

Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server:

on - Send Gaia audit logs
off - Do not send Gaia audit logs

Default: on

Note - This command corresponds to the Send audit logs to management server upon successful configuration option in the Gaia Portal > System Management > System Logging.

auditlog {disable | permanent}

Specifies if the Gaia saves the logs for configuration changes that authorized users make:

disable - Disables the Gaia audit log facility
permanent - Enables the Gaia audit log facility to save information about all successful changes in the Gaia configuration. To specify a destination file, run the set syslog filename </Path/File> command (otherwise, Gaia uses the default /var/log/messages file).

Default: permanent

Note - This command corresponds to the Send audit logs to syslog upon successful configuration option in the Gaia Portal > System Management > System Logging.

/<Path>/<File>

Configures the full path and file name of the system log.

Default: /var/log/messages

Note in Gaia Portal does not let you configure this setting.

log-remote-address

Configures Gaia to send system logs to a remote syslog server.

Important - Do not configure two Gaia computers to send system logs to each other - directly, or indirectly. Such configuration creates a syslog forwarding loop, which causes all syslog messages to repeat indefinitely on both Gaia computers.

Note - This command corresponds to the Gaia Portal > System Management > Remote System Logging.

<IPv4 Address>

IPv4 address of the remote syslog server, to which Gaia sends its system logs.

Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255])
Default: No default value

<Severity>

Syslog severity level for the system logging.

These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):

emerg - System is unusable
alert - Action must be taken immediately
crit - Critical conditions
err - Error conditions
warning - Warning conditions
notice - Normal but significant condition
info - Informational messages
debug - Debug-level messages
all - All messages

Notes:

Until you configure at least one severity level for a given remote server, Gaia does not send syslog messages.
If you specify multiple severities, the most general least severe severity always takes precedence.

Example

gaia> set syslog auditlog permanent

gaia> set syslog filename /var/log/system_logs.txt

gaia> set syslog mgmtauditlogs on

gaia> set syslog cplogs on

gaia> set syslog log-remote-address 192.168.2.1 level all

gaia> show syslog all

Syslog Parameters:

    Remote Address 192.168.2.1

        Levels all

    Auditlog permanent

    Destination Log Filename /var/log/system_logs.txt

gaia>

gaia>show syslog auditlog

permanent

gaia>

gaia> show syslog cplogs

Sending syslog syslogs to Check Point's logs is enabled

gaia>

gaia> show syslog mgmtauditlogs

Sending audit logs to Management Serever is enabled

gaia>

gaia> show syslog filename

/var/log/system_logs.txt

gaia>

System Configuration Files

By default, Gaia OS saves the Syslog configuration in these files:

/etc/syslog.conf
/etc/sysconfig/syslog

If it is necessary to add specific settings manually in these files (that Gaia OS does not have), then it is necessary to make these files immutable, so Gaia OS does not overwrite them:

Connect to the command line on Gaia OS.
Log in to the Expert mode.
Edit the applicable Syslog configuration file as required in your environment.
Examine the current attributes on the applicable configuration file you edited:
- lsattr /etc/syslog.conf
- lsattr /etc/sysconfig/syslog
Add the immutable attribute on the applicable configuration file you edited:
- chattr +i /etc/syslog.conf
- chattr +i /etc/sysconfig/syslog
Examine the current attributes on the applicable configuration file you edited:
- lsattr /etc/syslog.conf
- lsattr /etc/sysconfig/syslog

Restart the Syslog service:

service syslog restart

Warning - While the Syslog configuration files are immutable:

Gaia OS cannot save the changes in the Syslog configuration you make in Gaia Portal or Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..
Gaia OS cannot restore a Gaia Backup.

To remove the immutable attribute from a file, use this command:

chattr -i <file>