Working with Syslog Servers
Introduction
Syslog (System Logging Protocol) is a standard protocol used to send system log or event messages to a specific server, the syslog server.
The syslog protocol is enabled on most network devices, such as routers and switches.
Syslog is used by many log analysis tools. If you want to use these tools, make sure Check Point logs are sent from the Security Gateway to the syslog server in syslog format.
Check Point supports these syslog protocols: RFC 3164 (old) and RFC 5424 (new).
These features are not supported: IPv6 logs and Software Blade logs.
Configuring Security Gateways
By default, Security Gateway logs are sent to the Security Management Server.
You can configure Security Gateways to send logs directly to syslog servers.
Important - Syslog is not an encrypted protocol. Make sure the Security Gateway and the Log Proxy are located close to each other and that they communicate over a secure network.
Procedure
- Define syslog server objects in SmartConsole.
  Instructions:
  - Connect with SmartConsole to the Management Server.
  - From the left navigation panel, click Gateways & Servers.
  - Create the Host object that represents the Syslog server host:
    - In the Object Explorer, click New > Host.
    - Configure these fields:
      - Name - Enter a unique name.
      - IPv4 address - Enter the correct IPv4 address of the syslog server.
      - IPv6 address - Optional: Enter the correct IPv6 address of the syslog server. This requires IPv6 Support to be enabled on the Security Gateway / each Cluster Member.
    - Click OK.
  - Create the Syslog Server object that represents the Syslog server:
    - In the Object Explorer, click New > Server > More > Syslog.
    - Configure these fields:
      - Name - Enter a unique name.
      - Host - Select an existing host or click New to define a new computer or appliance.
      - Port - Enter the correct port number on the syslog server (default = 514).
      - Version - Select BSD Protocol or Syslog Protocol.
    - Click OK.
  - Close the Object Explorer.
- Select the configured syslog server objects in the Security Gateway / Cluster object.
  Instructions:
  - Double-click the Security Gateway object.
  - From the left tree, click Logs.
  - In the Send logs and alerts to these log servers table, click the green (+) button to select the Syslog Server object(s) you configured earlier.
    Notes:
    - You can configure a Security Gateway / Cluster Member to send logs to multiple syslog servers. All syslog servers selected in the Security Gateway / Cluster object must use the same protocol version: BSD Protocol or Syslog Protocol.
    - You cannot configure a Syslog server as a backup server.
  - Click OK.
  - Install policy.
- Configure the logging properties of the Security Gateways / each Cluster Member.
  Note - In a Cluster, you must configure each Cluster Member in the same way.
The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature on Security Gateways:
- Value 0 = Disabled (default)
- Value 1 = Enabled
You can enable or disable the Syslog in Kernel feature temporarily (until the Security Gateway reboots), or permanently (survives reboot).
To see the current state of the Syslog in Kernel feature:
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  fw ctl get int fwsyslog_enable
  Output:
  - "fwsyslog_enable = 0" means the feature is disabled (default)
  - "fwsyslog_enable = 1" means the feature is enabled

To enable the Syslog in Kernel feature temporarily (does not survive reboot):
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  fw ctl set int fwsyslog_enable 1
- In SmartConsole, install policy on this Security Gateway / Cluster object.

To enable the Syslog in Kernel feature permanently (survives reboot):
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Edit the $FWDIR/boot/modules/fwkern.conf file:
  vi $FWDIR/boot/modules/fwkern.conf
- Add this line:
  fwsyslog_enable=1
- Save the changes in the file and exit the editor.
- Reboot the Security Gateway / each Cluster Member.

To disable the Syslog in Kernel feature temporarily (does not survive reboot):
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  fw ctl set int fwsyslog_enable 0

To disable the Syslog in Kernel feature permanently (survives reboot):
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Edit the $FWDIR/boot/modules/fwkern.conf file:
  vi $FWDIR/boot/modules/fwkern.conf
- Do one of these actions:
  - Set the value of the kernel parameter to 0:
    fwsyslog_enable=0
  - Delete the entire line:
    fwsyslog_enable=1
- Save the changes in the file and exit the editor.
- Reboot the Security Gateway / each Cluster Member.
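As an added example that is not part of the Check Point guide, the POSIX shell functions below apply the "permanently" enable and disable steps to a fwkern.conf-style file idempotently, so that repeating a step never leaves duplicate or conflicting fwsyslog_enable lines. The file path is an argument (on a gateway it would be $FWDIR/boot/modules/fwkern.conf), the demo runs on a constructed scratch file, and, as the page states, a change to the file only takes effect after a reboot while fw ctl set changes the running value.

```shell
# Added example (not from the Check Point guide). Manage "NAME=VALUE" lines in a
# fwkern.conf-style file so the permanent enable/disable steps can be repeated
# safely. FILE is a path argument; on a gateway: $FWDIR/boot/modules/fwkern.conf.

# set_fwkern_param FILE NAME VALUE
# Drop every existing "NAME=..." line (spaces around '=' tolerated),
# then append exactly one "NAME=VALUE" line.
set_fwkern_param() {
    file="$1" name="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    grep -v "^[[:space:]]*$name[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# unset_fwkern_param FILE NAME
# Delete the "NAME=..." line entirely (the page's other permanent-disable option).
unset_fwkern_param() {
    file="$1" name="$2"
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    grep -v "^[[:space:]]*$name[[:space:]]*=" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# get_fwkern_param FILE NAME
# Print the configured value (last match wins), or nothing if unset.
get_fwkern_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# Demonstration on a constructed scratch file, never the gateway's real file.
# Prints "1 1 unset": value after enabling, number of fwsyslog_enable lines
# after enabling twice, and the value after deleting the line.
demo_fwkern() {
    f=$(mktemp)
    printf 'fwsyslog_enable=0\nother_param=7\n' > "$f"   # constructed content
    set_fwkern_param "$f" fwsyslog_enable 1              # enable permanently
    set_fwkern_param "$f" fwsyslog_enable 1              # repeat: still one line
    v1=$(get_fwkern_param "$f" fwsyslog_enable)
    n=$(grep -c '^fwsyslog_enable=' "$f")
    unset_fwkern_param "$f" fwsyslog_enable              # disable by deletion
    v2=$(get_fwkern_param "$f" fwsyslog_enable)
    rm -f "$f"
    echo "$v1 $n ${v2:-unset}"
}

demo_fwkern
```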
Log Count for CoreXL Firewall Instances
You can see the current number of syslog logs sent by CoreXL Firewall Instances on the Security Gateway / each Cluster Member.

To see the counter for a specific CoreXL Firewall instance:
- Connect to the command line on the Security Gateway / each Cluster Member.
- Log in to the Expert mode.
- Run:
  fw -i <CoreXL Firewall Instance Number> ctl get fwsyslog_nlogs_counter
  Sample output:
  fwsyslog_nlogs_counter = 21

To see the counter for each CoreXL Firewall instance and the sum of all instances:
- Make two command line connections to the Security Gateway / each Cluster Member.
- In each command line connection, log in to the Expert mode.
- In the first shell, run:
  fw ctl zdebug | grep logs
- In the second shell, run:
  fw ctl set int fwsyslog_print_counter 1
- In the first shell, see the counter for each CoreXL Firewall instance and the sum of all CoreXL Firewall instances.
  Sample output:
  ;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;
  ;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;
  ;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;
  ;[cpu_2];[fw4_0];Total logs sent from kernel (all instances) = 132;
- In the first shell, press CTRL+C to stop the debug.
For more on syslog, see: Appendix: Manual Syslog Parsing.