Configuring External Log Servers

The Logs & Monitoring > Log Servers page lets you configure external log servers for security and system logs for additional logging storage.

Note - You cannot configure external log servers when Cloud Services is turned on.

External Check Point Log Server

You can use an external Check Point Log Server that is managed by a Security Management Server for storing additional logs.

Use cases for an external Check Point Log Server:

  • Extend the log retention time. For example, currently, when your gateway is managed by SMP, you can retain logs for 3 months. If you configure an external Log Server, you can retain the logs for a year.

  • Export the logs format to a 3rd party mechanism for data mining.

Do these steps before you configure an external Check Point Log Server from this page in the WebUI:

  1. Identify the Log Server you want to send logs to.

  2. Identify the Security Management Server that manages the Log Server.

  3. Open SmartConsole on this Security Management Server.

  4. Run the Security Gateway wizard to define and create a Security Gateway object that represents this Check Point Appliance with these details:

    In the General Properties window, select:

    • Gateway platform - Select your appliance

    • Gateway IP address - Dynamic IP address

    In the Trusted Communication window, from Gateway Identifier select MAC address or First to connect.

  5. Install the database on the Security Management Server and other related objects.

To configure an external Check Point log server:

  1. Under Check Point Log Server, click Configure.

    The External Check Point Log Server window opens.

  2. Enter the Management Server IP address. This IP address is used only to establish trusted communication between the Check Point Appliance and the Security Management Server.

  3. In SIC name, enter the SIC name of the Log Server object defined in SmartConsole. To get this name:

    • Connect with GuiDBedit Tool (see sk13009) to the Security Management Server - From the Tables tab, expand Table > Network Objects. In the right pane, locate the Log Server object. In the bottom pane, locate sic_name.

      or

    • Run this CLI command on the Log Server (use SSH or console connection):

      $CPDIR/bin/cpprod_util CPPROD_GetValue SIC MySICname 0

    Copy the SIC name value and paste it into the SIC name field on this page.

  4. In Set SIC One-time Password, enter the same password that was entered for the Security Management Server and then enter it again in the Confirm SIC One-time Password field. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \

  5. If the Log Server is not located on the Security Management Server, select Log server uses different IP address and enter the IP address.

  6. Click Apply.

    Important - After successful configuration of the external log server, any changes you make in the WebUI configuration on this page require reinitialization of SIC in SmartConsole. If you do not reinitialize SIC in SmartConsole, connectivity to the log server can fail.

To configure a new external Check Point Log Server when the gateway is connected to SMP (Cloud):

  1. In the WebUI, connect to Cloud Services.

  2. Go to Logs and Monitoring > External Log Server.

  3. Click New to add a new Log Server.

  4. In the Add External Log Server window, enter the IP address and the SIC name of the Log Server.

  5. Click Apply.

  6. To fetch the policy from the cloud, go to Home > Cloud Services and click Fetch now.

After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614.

External Syslog Server Configuration

You can configure a gateway to send logs to multiple external syslog servers.

To configure an external syslog server:

  1. Under Syslog Servers, click Configure.

    The External Syslog Server window opens.

  2. Enter a Name and IP address.

  3. Enter a Port.

  4. Select Enable log server.

  5. Optional - Select Show Obfuscated Fields. Obfuscated packets are shown as plain text.

  6. Select logs to forward:

    • System logs

    • Security logs

    • Both system and security logs

  7. Click Apply.

To configure additional syslog servers:

Click Add Syslog Server.

You can send security logs to syslog servers. On the syslog server, the security logs are shown in syslog format, not in the security log format.
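To verify that the gateway actually forwards logs to the syslog server configured above, the following added example (not Check Point code) receives UDP datagrams on the configured port, parses each line as RFC 3164 syslog, and counts lines per host and severity. The sample lines and the host name gw-branch-1 are constructed for the offline check and are not real gateway output; the field layout after the host is assumed to be a free-form tag and message.

```python
import re
import socket
from collections import Counter

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog_line(line):
    """Return a dict for one RFC 3164 line, or None if it does not parse."""
    m = _SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "message": m.group("rest")}

def summarize(lines):
    """Count lines per (host, severity); lines that do not parse count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        counts[(rec["host"], rec["severity"]) if rec else "unparsed"] += 1
    return counts

def listen(port, count=10, bind_addr="0.0.0.0"):
    """Receive `count` UDP datagrams on the port entered in the WebUI and summarise them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    while len(received) < count:
        data, _ = sock.recvfrom(65535)
        received.append(data.decode("utf-8", errors="replace"))
    return summarize(received)

# Constructed sample lines (not real gateway output) so the check runs offline.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 gw-branch-1 fw: Accept src=10.0.0.5 dst=203.0.113.7 service=https",
    "<132>Jan 10 12:00:02 gw-branch-1 fw: Drop src=198.51.100.9 dst=10.0.0.5 service=ssh",
    "<13>Jan 10 12:00:03 gw-branch-1 system: Configuration changed by admin",
    "not a syslog line",
]
```

Run `listen(port)` on the syslog server host with the same Port value entered in the WebUI; it blocks until the requested number of datagrams arrive, and a high count under 'unparsed' means the gateway's output does not match the assumed line layout.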

To edit the external syslog server:

  1. Click the Edit link next to the server's IP address.

  2. Edit the necessary information.

  3. Click Apply.

Note - When more than one server is defined, the syslog servers show in a table. Select the syslog server you want to edit and click Edit.

To delete the external syslog server:

  1. Select the syslog server.

  2. Click Delete.

    The server is deleted.