Configuring System Logging in Gaia Clish

Description

You can configure the System Logging and Remote System Logging.

System Logging configures the Gaia to sends these logs:

  • Gaia syslog messages to its Check Point Management Server

  • Gaia audit logs upon successful configuration to its Check Point Management Server

  • Gaia audit logs upon successful configuration to Gaia syslog facility

Remote System Logging configures a remote server, to which Gaia sends its syslog messages.

Note - There are some command options and parameters, which you cannot configure in the Gaia Portal.

Important:

  • Do not configure two Gaia servers to send system logs to each other - directly, or indirectly.

    Such configuration creates a syslog forwarding loop, which causes all syslog messages to repeat indefinitely on both Gaia servers.

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

  • After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

Syntax to Show the Remote Syslog Settings

show syslog

      all

      auditlog

      cplogs

      dmesg [search "<String>"]

      enabled-ip

      filename

      log-remote-address <Syslog Server>

      log-remote-addresses

      logs [search "<String>"]

      mgmtauditlogs

      tls-configuration

      uncompressmessages

Command

Description

show syslog all

Shows all settings for the remote system logging.

show syslog auditlog

Shows the settings for the remote system logging - only the mode for the audit logs.

show syslog cplogs

Shows the settings for the remote system logging - only the setting for sending syslog messages in Check Point logs.

show syslog dmesg [search "<String>"]

Shows the messages from the DMESG ring buffer.

You can filter the output by a word or a string (case insensitive).

show syslog enabled-ip

Shows the settings for the remote system logging - only the setting for showing the client IP address in logs.

show syslog filename

Shows the settings for the remote system logging - only the name of the main log file.

Default: /var/log/messages

show syslog log-remote-address <Syslog Server>

Shows the settings for the remote system logging - all settings for the specified remote syslog server.

show syslog log-remote-addresses

Shows the settings for the remote system logging - a summary table for all configured remote syslog servers.

show syslog logs [search "<String>"]

Shows the messages from the main log file.

You can filter the output by a word or a string (case insensitive).

show syslog mgmtauditlogs

Shows the settings for the remote system logging - only the setting for the sending the audit log messages to the Check Point Management Server.

show syslog tls-configuration

Shows the settings for the remote system logging - only the paths to the uploaded certificate file, public key file, and private key file.

show syslog uncompressmessages

Shows the settings for the remote system logging - only the mode of the line uncompression.

Syntax to Add the Remote Syslog Settings

add syslog

      log-remote-address {<IPv4 Address> | <IPv6 Address> | <Hostname>}

            level <Logging Level>

            [port <Port>]

            [protocol {tcp | udp}]

            [queuing-mechanism {on | off}]

      log-remote-address-with-tls {<IPv4 Address> | <IPv6 Address> | <Hostname>}

            level <Logging Level>

            [port <Port>]

            auth-mode

                  anon

                  certvalid

                  fingerprint permitted-peers <SHA1 of Fingerprint>

                  name permitted-peers <Common Name (CN)>

            [queuing-mechanism {on | off}]

Commands and Parameters

Description

add syslog log-remote-address

Configures a new remote syslog server without the TLS encryption for sent logs.

add syslog log-remote-address-with-tls

Configures a new remote syslog server with the TLS encryption for sent logs.

<IPv4 Address>

Specifies the IPv4 address of the remote syslog server.

<IPv6 Address>

Specifies the IPv6 address of the remote syslog server.

<Hostname>

Specifies the hostname of the remote syslog server.

Gaia OS must be able to resolve this hostname.

You can configure an FQDN that your DNS server can resolve.

You can configure a static host entry - see Hosts.

level <Logging Level>

Specifies the severity level of the logs that are sent to the remote syslog server.

These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):

  • alert - Action must be taken immediately

  • all - All messages

  • crit - Critical conditions

  • debug - Debug-level messages

  • emerg - System is unusable

  • error - Error conditions

  • info - Informational messages

  • notice - Normal but significant condition

  • warning - Warning conditions

port <Port>

Specifies the port number on the remote syslog server.

Range: 1-65535

Default: 514

protocol {tcp | udp}

Specifies the transfer protocol - TCP or UDP (default).

If you configure TLS, then protocol is TCP by default.

queuing-mechanism {on | off}

Specifies whether to enable (on) or disable (off, default) the queuing mechanism.

If you enable this feature, Gaia OS creates an on-disk queue.

If the remote syslog server is down, Gaia OS saves logs messages on a disk and sends them when it is up again

auth-mode

Specifies the TLS authentication mode:

  • auth-mode anon

    This mode uses the anonymous authentication.

  • auth-mode name permitted-peers <Common Name (CN)>

    The most secure mode out of available modes.

    This mode uses the certificate validation and subject name authentication.

    You must specify the Common Name (CN) of the remote syslog server.

    To configure several values, separate then with commas.

  • auth-mode fingerprint permitted-peers <SHA1 of Fingerprint>

    This mode uses the fingerprint of the syslog server's certificate (which can be self-signed).

    You must specify the certificate fingerprint of the remote syslog server.

    To configure several values, separate then with commas.

  • auth-mode certvalid

    This mode uses only the syslog server's certificate validation and does not check the subject name.

Best Practice - Do not use the "anon" and "certvalid" modes because they are not secure enough.

Syntax to Configure the Existing Remote Syslog Settings

set syslog

      auditlog {disable | permanent}

      cplogs {on | off}

      enabled-ip {on | off}

      filename <Path to Log File>

      log-remote-address {<IPv4 Address> | <IPv6 Address> | <Hostname>}

            [level <Logging Level>]

            [port <Port>]

            [protocol {tcp | udp}]

            [queuing-mechanism {on | off}]

            tls-encryption on

                  auth-mode

                        anon

                        certvalid

                        fingerprint permitted-peers <SHA1 of Fingerprint>

                        name permitted-peers <Common Name (CN)>

      log-remote-address-with-tls {<IPv4 Address> | <IPv6 Address> | <Hostname>}

            [level <Logging Level>]

            [permitted-peers <SHA1 of Fingerprint, or Common Name (CN)>]

            [port <Port>]

            [queuing-mechanism {on | off}]

            tls-encryption off

      mgmtauditlogs {on | off}

      tls-configuration

            ca-cert <Path to Certificate File>

            private-key <Path to Private Key File>

            public-key <Path to Public Key File>

      uncompressmessages {on | off}

Commands and Parameters

Description

set syslog auditlog {disable | permanent}

Specifies whether to send logs for Gaia OS configuration changes made by authorized users.

  • disabled

    Does not send logs for Gaia OS configuration changes (this is the default).

  • permanent

    Sends logs for all successful Gaia OS configuration changes.

    To specify a destination file, run the set syslog filename </Path/File> command (otherwise, Gaia uses the default /var/log/messages file).

Note - This command corresponds to the Send audit logs to syslog upon successful configuration option in the Gaia Portal > System Management > System Logging.

set syslog cplogs {on | off}

Specifies whether to send (on) or not to send (off, default) syslog messages in Check Point logs.

set syslog enabled-ip {on | off}

Specifies whether to send (on) or not to send (off, default) the client IP address in logs.

set syslog filename <Path to Log File>

Configures the path and the name of the main log file.

Default: /var/log/messages

set syslog log-remote-address

Configures an existing remote syslog server without the TLS encryption for sent logs.

set syslog log-remote-address-with-tls

Configures an existing remote syslog server with the TLS encryption for sent logs.

set syslog mgmtauditlogs {on | off}

Specifies whether to send(on, default) or not to send (off) the audit logs to the Check Point Management Server.

Note - This command corresponds to the Send Syslog messages to management server option in the Gaia Portal > System Management > System Logging.

set syslog tls-configuration <Parameters>

Important - Before you run this command, you must upload the required files to the Gaia server - the required public key, private key, and certificate files for your Syslog server. Each file must be in the PEM or CRT format.

Configures the paths to the required files for TLS authentication:

  • tls-configuration ca-cert <Path to Certificate File>

  • tls-configuration private-key <Path to Private Key File>

  • tls-configuration public-key <Path to Public Key File>

set syslog uncompressmessages {on | off}

Specifies whether to enable (on) or disable (off, default) the compression of the repeating lines:

  • on - Disables the line compression.

  • off - Enables the line compression (this is the default).

<IPv4 Address>

Specifies the IPv4 address of the remote syslog server.

<IPv6 Address>

Specifies the IPv6 address of the remote syslog server.

<Hostname>

Specifies the hostname of the remote syslog server.

Gaia OS must be able to resolve this hostname.

You can configure an FQDN that your DNS server can resolve.

You can configure a static host entry - see Hosts.

level <Logging Level>

Specifies the severity level of the logs that are sent to the remote syslog server.

These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):

  • alert - Action must be taken immediately

  • all - All messages

  • crit - Critical conditions

  • debug - Debug-level messages

  • emerg - System is unusable

  • error - Error conditions

  • info - Informational messages

  • notice - Normal but significant condition

  • warning - Warning conditions

Notes:

  • Until you configure at least one severity level for a given remote syslog server, Gaia does not send syslog messages.

  • If you specify multiple severities, the least severe severity always takes precedence.

port <Port>

Specifies the port number on the remote syslog server.

Range: 1-65535

Default: 514

protocol {tcp | udp}

Specifies the transfer protocol - TCP or UDP (default).

If you configure TLS, then protocol is TCP by default.

queuing-mechanism {on | off}

Specifies whether to enable (on) or disable (off, default) the queuing mechanism.

If you enable this feature, Gaia OS creates an on-disk queue.

If the remote syslog server is down, Gaia OS saves logs messages on a disk and sends them when it is up again

auth-mode

Specifies the TLS authentication mode:

  • auth-mode anon

    This mode uses the anonymous authentication.

  • auth-mode name permitted-peers <Common Name (CN)>

    The most secure mode out of available modes.

    This mode uses the certificate validation and subject name authentication.

    You must specify the Common Name (CN) of the remote syslog server.

    To configure several values, separate then with commas.

  • auth-mode fingerprint permitted-peers <SHA1 of Fingerprint>

    This mode uses the fingerprint of the syslog server's certificate (which can be self-signed).

    You must specify the certificate fingerprint of the remote syslog server.

    To configure several values, separate then with commas.

  • auth-mode certvalid

    This mode uses only the syslog server's certificate validation and does not check the subject name.

Best Practice - Do not use the "anon" and "certvalid" modes because they are not secure enough.

Syntax to Delete the Existing Remote Syslog Settings

delete syslog tls-configuration
      ca-cert
      private-key
      public-key

Command

Description

delete syslog tls-configuration ca-cert

Deletes the configured path for the TLS certificate file.

delete syslog tls-configuration private-key

Deletes the configured path for the TLS private key file.

delete syslog tls-configuration public-key

Deletes the configured path for the TLS public key file.

Example

gaia> set syslog auditlog permanent
 
gaia> set syslog filename /var/log/system_logs.txt
 
gaia> set syslog mgmtauditlogs on
 
gaia> set syslog cplogs on
 
gaia> set syslog log-remote-address 192.168.2.1 level all
 
gaia> show syslog all
Syslog Parameters:
    Remote Address 192.168.2.1
        Levels all
    Auditlog permanent
    Destination Log Filename /var/log/system_logs.txt
gaia>
 
gaia>show syslog auditlog
permanent
gaia>
 
gaia> show syslog cplogs
Sending syslog syslogs to Check Point's logs is enabled
gaia>
 
gaia> show syslog mgmtauditlogs
Sending audit logs to Management Serever is enabled
gaia>
 
gaia> show syslog filename
/var/log/system_logs.txt
gaia>

Syslog configuration files

By default, Gaia Operating System saves the Syslog configuration in these files:

  • /etc/rsyslog.conf

  • /etc/sysconfig/rsyslog

If it is necessary to add specific settings manually in these files (that Gaia OS does not have), then it is necessary to make these files immutable, so Gaia OS does not overwrite them:

  1. Connect to the command line on Gaia OS.

  2. Log in to the Expert mode.

  3. Edit the applicable Syslog configuration file as required in your environment.

  4. Examine the current attributes on the applicable configuration file you edited:

    • lsattr /etc/rsyslog.conf

    • lsattr /etc/sysconfig/rsyslog

  5. Add the immutable attribute on the applicable configuration file you edited:

    • chattr +i /etc/rsyslog.conf

    • chattr +i /etc/sysconfig/rsyslog

  6. Examine the current attributes on the applicable configuration file you edited:

    • lsattr /etc/rsyslog.conf

    • lsattr /etc/sysconfig/rsyslog

  7. Restart the Syslog service:

    service rsyslog restart

Warning - While the Syslog configuration files are immutable:

  • Gaia OS cannot save the changes in the Syslog configuration you make in Gaia Portal or Gaia Clish.

  • Gaia OS cannot restore a Gaia Backup.

To remove the immutable attribute from a file, use this command:

chattr -i <file>