Configuring External Log Servers
The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.
Note - You cannot configure external log servers when Cloud Services is turned on.
External Check Point Log Server
You can use an external Check Point Log Server that is managed by a Security Management Server for storing additional logs.
Use cases for an external Check Point Log Server:
- Extend the log retention time. For example, when your gateway is managed by SMP, you can currently retain logs for 3 months. If you configure an external Log Server, you can retain the logs for a year.
- Export the logs to a third-party tool for data mining.
Do these steps before you configure an external Check Point Log Server from this page in the WebUI:
- Identify the Log Server you want to send logs to.
- Identify the Security Management Server that manages the Log Server.
- Open SmartConsole on this Security Management Server.
- Run the Security Gateway wizard to define and create a Security Gateway object that represents this appliance with these details:
  - In the General Properties window, select:
    - Gateway platform - Select your appliance
    - Gateway IP address - Dynamic IP address
  - In the Trusted Communication window, from Gateway Identifier select MAC address or First to connect.
- Install the database on the Security Management Server and other related objects.
To configure an external Check Point Log Server:
- Under Check Point Log Server, click Configure.
  The External Check Point Log Server window opens.
- Enter the Management Server IP address.
  This IP address is used only to establish trusted communication between the appliance and the Security Management Server.
- In SIC name, enter the SIC name of the Log Server object defined in SmartConsole.
  These are the options to get this name:
  - Option 1:
    - Connect with the GuiDBedit Tool (see sk13009) to the Security Management Server.
    - From the Tables tab, expand Table > Network Objects.
    - In the right pane, locate the Log Server object.
    - In the bottom pane, locate sic_name.
  - Option 2:
    Run this CLI command on the Log Server in Expert mode (use SSH or a console connection):
    $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0
  Copy the SIC name value and paste it into the SIC name field on this page.
- In Set SIC One-time Password, enter the same password that was entered for the Security Management Server, and then enter it again in the Confirm SIC One-time Password field.
  Note - You cannot use these characters in a password or shared secret:
  { } [ ] ` ~ | ' " \
  Maximum number of characters: 255
- If the Log Server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.
- Click Apply.
Important - After successful configuration of the external log server, any change you make to the WebUI configuration on this page requires reinitialization of SIC in SmartConsole. If you do not reinitialize SIC in SmartConsole, connectivity to the log server can fail.
To configure a new external Check Point Log Server when the gateway is connected to SMP (Cloud):
After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.
External Syslog Server Configuration
You can configure a gateway to send logs to multiple external syslog servers.
To configure an external syslog server:
- Under Syslog Servers, click Configure.
  The External Syslog Server window opens.
- Select Protocol:
  - TLS Over TCP (secured) - Send system logs from gateways in a secured and encrypted fashion.
  - UDP - Send security logs or system logs (not secured).
- Enter a Name and IP address.
- Enter a Port number.
- Select Enable log server.
- Optional - Select Show Obfuscated Fields. Obfuscated packets are shown as plain text.
- Select logs to forward:
  - System logs
  - Security logs
  - Both system and security logs
  Note - When you select TLS Over TCP, you can only forward system logs. Security logs are not supported.
- Click Apply.
Secured Syslog
Use Case
A system administrator wants to send system logs from the organization's gateways in a secured and encrypted fashion. Therefore, the administrator selects TLS Over TCP as the protocol, because UDP is not secure.
Notes:
- Only one remote TLS server is supported.
- The server CA must be trusted by Check Point.
- The TLS server must be configured using its domain name. Only UDP allows you to configure the server by IP address.
- The configured domain name must be identical to the domain name in the server's certificate.
- Only system logs are supported.
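A pre-flight check for the notes above, as an added example that is not part of this page or of the appliance: validate_syslog_target encodes the page's TLS/UDP rules (domain name only, system logs only, one TLS server), cert_matches_name applies the identical-name requirement to a certificate in ssl.getpeercert() layout, and probe_tls_syslog (assumed default port 6514, the IANA syslog-over-TLS port) performs a live handshake against a CA file. The sample certificate is constructed.

```python
# Added example (not appliance code): pre-flight checks derived from the page's
# notes for TLS over TCP vs UDP syslog targets, plus the certificate name check.
import ipaddress
import socket
import ssl

def is_ip_address(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def validate_syslog_target(protocol, target, logs, existing_tls_servers=0):
    """Return the rule violations; an empty list means the definition is allowed."""
    problems = []
    if protocol == "TLS":
        if is_ip_address(target):
            problems.append("TLS server must be configured by domain name, not IP")
        if logs != "system":
            problems.append("TLS over TCP forwards system logs only")
        if existing_tls_servers >= 1:
            problems.append("only one remote TLS server is supported")
    elif protocol != "UDP":
        problems.append("protocol must be TLS or UDP")
    return problems

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return names

def cert_matches_name(cert, configured_name):
    """Exact, case-insensitive comparison: the page requires identical names."""
    wanted = configured_name.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in cert_names(cert))

def probe_tls_syslog(host, port=6514, cafile=None, timeout=5.0):
    """Live handshake (6514 = IANA syslog-over-TLS port, assumed default); the default
    context verifies the chain against cafile and checks the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificate in ssl.getpeercert() layout (not a real server).
SAMPLE_CERT = {"subject": ((("commonName", "syslog.example.test"),),),
               "subjectAltName": (("DNS", "syslog.example.test"), ("DNS", "logs.example.test"))}
```

Run validate_syslog_target on the values you intend to enter in the WebUI before clicking Apply; a non-empty list names the rule from the notes that the definition would break.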
To configure additional syslog servers:
Click Add Syslog Server.
To send security logs to syslog servers:
When you configure the log server, for Protocol select UDP.
Note - The security logs are sent in syslog format, not in the security logs format.
To edit the external syslog server:
- Click the Edit link next to the server's IP address.
- Edit the necessary information.
- Click Apply.
Note - When more than one server is defined, the syslog servers are shown in a table. Select the syslog server you want to edit and click Edit.
To delete the external syslog server:
- Select the syslog server.
- Click Delete.
The server is deleted.