Configuring System Logging in Gaia Portal

This section includes procedures for configuring System Logging and Remote System Logging.

System Logging configures if Gaia sends these logs:

  • Gaia syslog messages to its Check Point Management Server

  • Gaia audit logs upon successful configuration to its Check Point Management Server

  • Gaia audit logs upon successful configuration to Gaia syslog facility

Remote System Logging configures a remote syslog server, to which Gaia sends its syslog messages.

Note - There are settings that you can configure only in Gaia Clish.

Important:

  • Do not configure two Gaia servers to send system logs to each other - directly, or indirectly.

    Such configuration creates a syslog forwarding loop, which causes all syslog messages to repeat indefinitely on both Gaia servers.

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

Step

Instructions

1

In the navigation tree, click System Management > System Logging.

2

In the System Logging section, select the applicable options:

 

  • Send Syslog messages to management server

    Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server.

    Default: Not selected

    Note - You can configure this option in Gaia Clish with the "set syslog cplogs {on | off}" command.

 

  • Send audit logs to management server upon successful configuration

    Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server.

    Default: Selected

    Note - You can configure this option in the Gaia Clish with the "set syslog mgmtauditlogs {on | off}" command.

 

  • Send audit logs to syslog upon successful configuration

    Specifies if the Gaia saves the logs for configuration changes that authorized users make.

    Otherwise, Gaia uses the default /var/log/messages file.

    Default: Selected

    To specify a Gaia configuration audit log file, run this command:

    set syslog filename /<Path>/<File>

    Note - This option is configured in the Gaia Clish with the "set syslog auditlog {disable | permanent}" command.

3

Click Apply.

In this section, you upload the public key, private key, and certificate files that are necessary for the use of TLS for sending encrypted logs to a remote Syslog server. You configure the TLS settings in the Remote System Logging section.

Prerequisite: Create the required public key, private key, and certificate files for your Syslog server. Each file must be in the PEM or CRT format.

Step

Instructions

1

In the navigation tree, click System Management > System Logging.

2

Upload the certificate file:

  1. In the System TLS Configuration section, click Import.

  2. In the File Type field, select CA Certification.

  3. In the Select a file section, click Browse.

  4. Select the certificate file and click Open.

  5. Click Import.

3

Upload the public key file:

  1. In the System TLS Configuration section, click Import.

  2. In the File Type field, select Public Key.

  3. In the Select a file section, click Browse.

  4. Select the public key file and click Open.

  5. Click Import.

4

Upload the private key file:

  1. In the System TLS Configuration section, click Import.

  2. In the File Type field, select Private Key.

  3. In the Select a file section, click Browse.

  4. Select the private key file and click Open.

  5. Click Import.

Step

Instructions

1

In the navigation tree, click System Management > System Logging.

2

In the Remote System Logging section, click Add.

3

Configure the applicable address of the remote syslog server in one of these ways:

  • Select IPv4 and enter the IPv4 address of the remote syslog server.

  • Select IPv6 and enter the IPv6 address of the remote syslog server.

  • Select Hostname and enter the hostname of the remote syslog server.

    Gaia OS must be able to resolve this hostname.

    You can configure an FQDN that your DNS server can resolve.

    You can configure a static host entry - see Hosts.

4

In the Priority field, select the severity level of the logs that are sent to the remote syslog server.

These are the accepted values (as defined by the RFC 5424 - Section-6.2.1):

  • All - All messages

  • Debug - Debug-level messages

  • Info - Informational messages

  • Notice - Normal but significant condition

  • Warning - Warning conditions

  • Error - Error conditions

  • Critical - Critical conditions

  • Alert - Action must be taken immediately

  • Emergency - System is unusable

Notes:

  • Until you configure at least one severity level for a given remote syslog server, Gaia does not send syslog messages.

  • If you specify multiple severities, the least severe severity always takes precedence.

5

In the Port field, enter the applicable port number on the remote syslog server.

Range: 1-65535

Default: 514

6

In the Protocol field, select the applicable protocol - UDP or TCP.

Default: UDP

7

In the Queuing Mechanism field, select On to enable this feature.

If you enable this feature, Gaia OS creates an on-disk queue.

If the remote syslog server is down, Gaia OS saves logs messages on a disk and sends them when it is up again

8

In the TLS Encryption field, select On to enable this feature.

9

If you enabled the TLS Encryption, then in the Authentication Method field, select the applicable TLS authentication mode:

  • name

    The most secure mode out of available modes.

    This mode uses the certificate validation and subject name authentication.

    In the Permitted Peers field, enter the Common Name (CN) of the remote syslog server.

    To configure several values, separate then with commas.

  • fingerprint

    This mode uses the fingerprint of the syslog server's certificate (which can be self-signed).

    In the Permitted Peers field, enter the certificate fingerprint of the remote syslog server.

    To configure several values, separate then with commas.

  • certificate validation

    This mode uses only the syslog server's certificate validation and does not check the subject name.

  • anonymous

    This mode uses the anonymous authentication.

Best Practice - Do not use the certificate validation and anonymous modes because they are not secure enough.

10

Click OK.

Step

Instructions

1

In the navigation tree, click System Management > System Logging.

2

In the Remote System Logging section, select the remote server.

3

Click Edit.

4

Configure the required settings.

5

Click OK.

Step

Instructions

1

In the navigation tree, click System Management > System Logging.

2

In the Remote System Logging section, select the remote syslog server.

3

Click Delete.

4

In the confirmation window, click Yes.

By default, Gaia Operating System saves the Syslog configuration in these files:

  • /etc/rsyslog.conf

  • /etc/sysconfig/rsyslog

If it is necessary to add specific settings manually in these files (that Gaia OS does not have), then it is necessary to make these files immutable, so Gaia OS does not overwrite them:

  1. Connect to the command line on Gaia OS.

  2. Log in to the Expert mode.

  3. Edit the applicable Syslog configuration file as required in your environment.

  4. Examine the current attributes on the applicable configuration file you edited:

    • lsattr /etc/rsyslog.conf

    • lsattr /etc/sysconfig/rsyslog

  5. Add the immutable attribute on the applicable configuration file you edited:

    • chattr +i /etc/rsyslog.conf

    • chattr +i /etc/sysconfig/rsyslog

  6. Examine the current attributes on the applicable configuration file you edited:

    • lsattr /etc/rsyslog.conf

    • lsattr /etc/sysconfig/rsyslog

  7. Restart the Syslog service:

    service rsyslog restart

Warning - While the Syslog configuration files are immutable:

  • Gaia OS cannot save the changes in the Syslog configuration you make in Gaia Portal or Gaia Clish.

  • Gaia OS cannot restore a Gaia Backup.

To remove the immutable attribute from a file, use this command:

chattr -i <file>