Importing Syslog Messages

Many third-party devices use the syslog format for logging. The Log Server Dedicated Check Point server that runs Check Point software to store and process logs. reformats the raw data to the Check Point log format to process third-party syslog messages.

The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.

To import syslog messages, define your own syslog parser and install it on the Log Server.

SmartEvent can take the reformatted logs and convert them into security events.

To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. This shows you how to:

Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.

After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. (and other OPSEC LEA clients), as other Check Point logs. SmartEvent converts the syslog messages into security events.

To configure the SmartEvent Server to read logs from this Log Server:

Configure SmartEvent to read logs from the Log Server.
In SmartEvent or in the SmartConsole event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. views, make a query to filter by the Product Name field. This field uniquely identifies the events that are created from the syslog messages.