Working with Syslog Servers

Introduction

Syslog (System Logging Protocol) is a standard protocol used to send system log or event messages to a specific server, the syslog server.

The syslog protocol is enabled on most network devices, such as routers and switches.

Syslog is used by many log analysis tools. If you want to use these tools, make sure Check Point logs are sent from the Security Gateway to the syslog server in syslog format.

Check Point supports these syslog protocols: RFC 3164 (old) and RFC 5424 (new).

These features are not supported: IPv6 logs and Software Blade logs.

Configuring Security Gateways

By default, Security Gateway logs are sent to the Security Management Server.

You can configure Security Gateways to send logs directly to syslog servers.

Important - Syslog is not an encrypted protocol. Make sure the Security Gateway and the Log Proxy are located close to each other and that they communicate over a secure network.

Procedure

  1. Define syslog server objects in SmartConsole.

  2. Select the configured syslog server objects in the Security Gateway / Cluster object.

  3. Configure the logging properties of the Security Gateways / each Cluster Member.

    Note - In Cluster, you must configure each Cluster Member in the same way.

    The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature on Security Gateways:

    • Value 0 = Disabled (default)

    • Value 1 = Enabled

    You can enable or disable the Syslog in Kernel feature temporarily (until the Security Gateway reboots), or permanently (survives reboot).

Log Count for CoreXL Firewall Instances

You can see the current number of syslog logs sent by CoreXL Firewall Instances on the Security Gateway / each Cluster Member.

For more on syslog, see: Appendix: Manual Syslog Parsing.