Manual Syslog Parsing
To parse a syslog file:
- Create a new parsing file called <device product name>.C.
- Put this file in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
- On the Log Server, edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C to add a line that includes the new parsing file. For example:
    : (
        :command (
            :cmd_name (include)
            :file_name ("snortPolicy.C")
        )
    )
- Optional: If required, add a dictionary for the device:
    - Create a new dictionary file called <device product name>_dict.ini. See Dictionary.
    - Put it in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
      A dictionary translates values with the same meaning from logs from different devices into a common value. This common value is used in the Event Definitions.
    - Edit the file $FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C on the Log Server.
    - Add a line to include the dictionary file. For example:
        :filename ("snort_dict.ini")
To examine the parsing, send syslog samples to a Check Point Log Server.
To send syslog samples:
- To configure the Log Server to accept syslogs, connect to the Security Management Server with SmartConsole.
- In Logs and Masters > Additional Logging Configuration, enable the property Accept Syslog messages.
- Edit the Log Server network object.
- Run the commands cpstop and cpstart, or fw kill fwd and fwd -n. This restarts the fwd process on the Log Server.
- Send syslogs from the device itself, or from a syslog generator. For example: Kiwi Syslog Message Generator, available at http://www.kiwisyslog.com/software_downloads.htm#sysloggen.
Troubleshooting:
If SmartConsole does not show the logs as expected, there can be problems with the parsing files:
- If there is a syntax error in the parsing files, an error message shows. To get a detailed error message, set the TDERROR_ALL_FTPARSER value to 5 before you run fwd -n.
- If the syslogs show in SmartConsole with 'Product syslog' (the Product field shows syslog), the log was not parsed by the new parsing file, but as a general syslog.
- If the Product field contains another product (not the one you have just added), there is a problem with the parsing file of that other product. Report this to the Check Point SmartEvent team.
- If the product reports correctly in the log, look for all the fields you extracted. Some of them are in the Information section. Some fields can be seen only when you select More Columns.
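Before restarting fwd, it is useful to check the include list in UserDefinedSyslogDevices.C offline: that every included parsing file exists in $FWDIR/conf/syslog/UserDefined, and that the parentheses balance, so a syntax error is caught before the troubleshooting steps above are needed. The following is an added example (not Check Point code) that parses the nested :name (value) syntax shown in the include step above; the sample text is constructed, and the parser assumes only the syntax visible in that sample.

```python
import re
# Constructed sample in the style of UserDefinedSyslogDevices.C (not a real server file).
SAMPLE_DEVICES_C = """\
: (
:command (
:cmd_name (include)
:file_name ("snortPolicy.C")
)
)
"""
TOKEN = re.compile(r':[A-Za-z0-9_]*|[()]|"[^"]*"|[^\s():"]+')  # ':name', parens, atoms

def parse(text):
    """Parse nested ':name (value)' blocks into [(name, value), ...]; a value is a string
    or a nested list. Unbalanced parentheses raise ValueError, the syntax error fwd -n reports."""
    stack, items, name = [], [], None
    for tok in TOKEN.findall(text):
        if tok.startswith(":"):
            name = tok[1:]
        elif tok == "(":
            stack.append((items, name))
            items, name = [], None
        elif tok == ")":  # close a block; '(atom)' collapses to the plain atom string
            if not stack:
                raise ValueError("unexpected ')'")
            value = items[0][1] if len(items) == 1 and items[0][0] is None else items
            items, name = stack.pop()
            items.append((name, value))
            name = None
        else:
            items.append((name, tok.strip('"')))
            name = None
    if stack:
        raise ValueError("missing ')' at end of file")
    return items

def included_files(items):
    """Collect file_name from every ':command' block whose cmd_name is include."""
    found = []
    for name, value in items:
        if isinstance(value, list):
            scalars = {n: v for n, v in value if isinstance(v, str)}
            if name == "command" and scalars.get("cmd_name") == "include" and "file_name" in scalars:
                found.append(scalars["file_name"])
            found.extend(included_files(value))
    return found

def missing_includes(text, present):
    # 'present' is the set of file names actually found in $FWDIR/conf/syslog/UserDefined
    return [f for f in included_files(parse(text)) if f not in present]
```

On a Log Server, pass the contents of UserDefinedSyslogDevices.C and an os.listdir() of the UserDefined directory; a non-empty result means an include points at a file that was never copied there.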