June 3, 2011

Send checkpoint logs to a remote syslog server

To configure Provider-1 to send logs to a remote syslog server, follow the instructions in Check Point solution sk33423.


Proceed as follows:

  1. On the SmartCenter server, edit /etc/syslog.conf and add the following line:

    local4.info <TAB> @IP_OF_REMOTE_BOX

  2. Add the following line at the end of the /etc/rc.d/init.d/cpboot file, so that it is executed at boot:

    fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &


    • The trailing '&' runs the pipeline in the background. Without it, the boot process blocks while starting the syslogd service and you never get a login prompt on the console.

    • On Provider-1, you must run this step from the CMA environment.

  3. Reboot.

Note: cpstop/cpstart alone is not enough to make this work.

One important detail from the notes: on Provider-1, you must issue this command from the environment of the specific customer's CMA:

mdsenv customer_cma

fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &

The syslog daemon I use is syslog-ng (on Red Hat). Make sure UDP port 514 is allowed between the Check Point host and the syslog server.

Check Point recommends a reboot, but after rebooting the "logger" process was not running, so I started it manually and it worked. To do that, paste this command at the command line:

fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &

The word "Firewall" (the tag set by logger -t) can be replaced with the name of the customer.

For syslog forwarding, see sk34680.

If you configure several customers on Provider-1 (with tags Firewall1 and Firewall2, for example) to send syslog to one server, you will end up with a single big file containing all the logs. To separate them, the syslog server needs a filter per customer. In syslog-ng.conf this looks like:

source s_all { udp(); };

destination firewall1 { file("/home/logs/IP_firewall1/$YEAR/$MONTH/$DAY.log" owner("root") group("root") perm(0644) dir_perm(0755) create_dirs(yes)); };

filter f_firewall1 { match("Firewall1"); };

filter f_checkpoint { netmask(x.x.x.x/32); };   # x.x.x.x = IP of your Provider-1 server

log { source(s_all); filter(f_checkpoint); filter(f_firewall1); destination(firewall1); };

Do not forget to create the directory manually:

mkdir /home/logs/IP_firewall1/2011/06
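To see what the filter chain above actually does to incoming lines, here is a small Python model of it (an added example, not syslog-ng code and not from the original post). The source address 192.0.2.10 stands in for the x.x.x.x of the netmask filter, and the four sample messages and the two customer directories are constructed. It applies the two filters of the log statement (ANDed, as syslog-ng does), expands the $YEAR/$MONTH/$DAY path, and also shows a caveat worth knowing: match("Firewall1") with no value() is a regular expression over the message text and headers, so a Firewall2 line that merely mentions "Firewall1" lands in customer 1's file, whereas syslog-ng's program() filter compares only the tag set by logger -t.

```python
"""Model of the per-customer syslog-ng routing: netmask filter, per-customer
tag filter, dated per-customer file destination.  Added example, not syslog-ng."""
import ipaddress
import re
from datetime import datetime

# Constructed sample of what arrives on UDP/514: (source IP, tag from `logger -t`, text).
# 192.0.2.10 plays the Provider-1 server; 198.51.100.7 is a stray host that was
# never allowed to log here.
SAMPLE = [
    ("192.0.2.10", "Firewall1", "accept src=10.1.1.5 dst=10.1.2.9 service=http"),
    ("192.0.2.10", "Firewall2", "drop src=10.2.1.7 dst=10.2.2.1 service=ssh"),
    ("192.0.2.10", "Firewall2", "accept src=10.2.1.7 dst=10.2.2.1 rule=Firewall1-migration"),
    ("198.51.100.7", "Firewall1", "accept src=10.9.9.9 dst=10.9.9.1 service=dns"),
]

# tag -> directory under /home/logs, one per destination block (constructed names)
CUSTOMERS = {"Firewall1": "IP_firewall1", "Firewall2": "IP_firewall2"}

# netmask(x.x.x.x/32) with the placeholder filled by the constructed address
PROVIDER1 = ipaddress.ip_network("192.0.2.10/32")

EXAMPLE_TS = datetime(2011, 6, 3)  # the $YEAR/$MONTH/$DAY macros come from the message time


def f_checkpoint(src_ip):
    """filter f_checkpoint { netmask(x.x.x.x/32); }: accept only the Provider-1 source."""
    return ipaddress.ip_address(src_ip) in PROVIDER1


def f_match(tag, program, text):
    """filter { match("Firewall1"); } without value(): a regex over headers and
    message text, so any message that mentions the tag anywhere matches."""
    return re.search(tag, f"{program} {text}") is not None


def f_program(tag, program, text):
    """filter { program("Firewall1"); }: compares only the tag set by `logger -t`."""
    return program == tag


def dest_path(customer_dir, ts):
    """file("/home/logs/<dir>/$YEAR/$MONTH/$DAY.log") with the macros expanded."""
    return f"/home/logs/{customer_dir}/{ts:%Y}/{ts:%m}/{ts:%d}.log"


def route(messages, ts, tag_filter=f_program):
    """Apply `log { source; filter(f_checkpoint); filter(f_<customer>); destination }`
    for every customer.  Filters inside one log statement are ANDed.  Returns
    ({file path: [texts]}, [messages dropped by the netmask filter])."""
    routed, dropped = {}, []
    for src_ip, program, text in messages:
        if not f_checkpoint(src_ip):
            dropped.append((src_ip, program, text))
            continue
        for tag, cdir in CUSTOMERS.items():
            if tag_filter(tag, program, text):
                routed.setdefault(dest_path(cdir, ts), []).append(text)
    return routed, dropped


if __name__ == "__main__":
    for name, flt in (("match()", f_match), ("program()", f_program)):
        routed, dropped = route(SAMPLE, EXAMPLE_TS, flt)
        print(name, {path: len(lines) for path, lines in routed.items()},
              "dropped:", len(dropped))
```

Run as a script it prints the line count per customer file for both filter styles: with match() the Firewall1 file receives two lines (one of them really belongs to Firewall2), with program() it receives one; the line from the stray host is dropped in both cases because it fails the netmask filter before any customer filter is considered.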

To forward the logs from syslog-ng to another syslog server (remote):

destination remote { udp("" port(514)); };   # put the address of the remote syslog server between the quotes

log { source(s_all); filter(f_checkpoint); filter(f_firewall1); destination(remote); };

The logs will be forwarded with the source IP of the Provider-1 server (not that of the intermediary syslog-ng server).
