Configuring System Logging in Gaia Portal

This section includes procedures for configuring System Logging and Remote System Logging.

System Logging configures if Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. sends these logs:

Gaia syslog messages to its Check Point Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.
Gaia audit logs upon successful configuration to its Check Point Management Server
Gaia audit logs upon successful configuration to Gaia syslog facility

Remote System Logging configures a remote syslog server, to which Gaia sends its syslog messages.

Note - There are settings that you can configure only in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Configuring the System Logging

Step

Instructions

In the navigation tree, click System Management > System Logging.

In the System Logging section, select the applicable options:

Send Syslog messages to management server

Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server.

Default: Not selected

Note - You can configure this option in Gaia Clish with the "set syslog cplogs {on | off}" command.

Send audit logs to management server upon successful configuration

Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server.

Default: Selected

Note - You can configure this option in the Gaia Clish with the "set syslog mgmtauditlogs {on | off}" command.

Send audit logs to syslog upon successful configuration

Specifies if the Gaia saves the logs for configuration changes that authorized users make.

Otherwise, Gaia uses the default /var/log/messages file.

Default: Selected

To specify a Gaia configuration audit log file, run this command:

set syslog filename /<Path>/<File>

Note - This option is configured in the Gaia Clish with the "set syslog auditlog {disable | permanent}" command.

Click Apply.

Configuring the Remote System Logging

Step	Instructions
1	In the navigation tree, click System Management > System Logging.
2	In the Remote System Logging section, click Add.
3	In the IP Address field, enter the IPv4 address of the remote syslog server.
4	In the Priority field, select the severity level of the logs that are sent to the remote server. These are the accepted values (as defined by the RFC 5424 - Section-6.2.1): All - All messages Debug - Debug-level messages Info - Informational messages Notice - Normal but significant condition Warning - Warning conditions Error - Error conditions Critical - Critical conditions Alert - Action must be taken immediately Emergency - System is unusable
5	Click OK.

Important - Do not to configure two Gaia computers to send system logs to each other - directly, or indirectly. Such configuration creates a syslog forwarding loop, which causes all syslog message to repeat indefinitely on both Gaia computer.

Editing the Remote System Logging settings

Step	Instructions
1	In the navigation tree, click System Management > System Logging.
2	In the Remote System Logging section, select the remote server.
3	Click Edit.
4	In the IP Address field, enter the IPv4 address of the remote syslog server.
5	In the Priority field, select the severity level of the logs that are sent to the remote server.
6	Click OK.

Deleting the Remote System Logging settings

Step	Instructions
1	In the navigation tree, click System Management > System Logging.
2	In the Remote System Logging section, select the remote syslog server.
3	Click Delete.
4	In the confirmation window, click Yes.

System Configuration Files

By default, Gaia OS saves the Syslog configuration in these files:

/etc/syslog.conf
/etc/sysconfig/syslog

If it is necessary to add specific settings manually in these files (that Gaia OS does not have), then it is necessary to make these files immutable, so Gaia OS does not overwrite them:

Connect to the command line on Gaia OS.
Log in to the Expert mode.
Edit the applicable Syslog configuration file as required in your environment.
Examine the current attributes on the applicable configuration file you edited:
- lsattr /etc/syslog.conf
- lsattr /etc/sysconfig/syslog
Add the immutable attribute on the applicable configuration file you edited:
- chattr +i /etc/syslog.conf
- chattr +i /etc/sysconfig/syslog
Examine the current attributes on the applicable configuration file you edited:
- lsattr /etc/syslog.conf
- lsattr /etc/sysconfig/syslog

Restart the Syslog service:

service syslog restart

Warning - While the Syslog configuration files are immutable:

Gaia OS cannot save the changes in the Syslog configuration you make in Gaia Portal Web interface for the Check Point Gaia operating system. or Gaia Clish.
Gaia OS cannot restore a Gaia Backup.

To remove the immutable attribute from a file, use this command:

chattr -i <file>