


Overview


Check Point "Log Exporter" is described by Check Point as an easy and secure method for exporting Check Point logs over the Syslog protocol; the procedure on this page uses the CPLogToSyslog utility and its policy file. Note that the example policy below delivers the logs in clear text over UDP port 514 (`:protocol (udp)`, `:port (514)`), so the syslog receiver should be reachable only over a trusted management network, and UDP gives no delivery guarantee — lost log events are dropped silently on the sending side.


Prerequisite


$FWDIR/state/SEAM/local.cplogtosyslog_policy.C


Check_Point_CPLogToSyslog_R80.10_GA_jhf_T56_FULL.tgz


Check_Point_CPLogToSyslog_R80.tgz


Check_Point_CPLogToSyslog_R80_JUMBO_HF_T76.tgz


Check_Point_CPLogToSyslog_R77.30.tgz


Check_Point_CPLogToSyslog_R77_30_Jumbo_HF_T205.tgz


Check_Point_CPLogToSyslog_R77_30_Jumbo_HF_T216.tgz


Check_Point_CPLogToSyslog_R77.20.tgz

Check_Point_CPLogToSyslog_R77.10.tgz


# Restart all Check Point services (presumably so the CPLogToSyslog package
# installed above is picked up). cpstop stops every Check Point process on
# the host, so the gateway/management is out of service until cpstart
# completes — run this in a maintenance window.
cpstop ; cpstart



cpstop ; cpstart



# Stock /var/log/messages selector on the syslog host. It discards the mail
# facility (mail.none) and anything below "info"; since the policy below emits
# events with :facility (2) — the syslog mail facility — those events would
# never reach the file with this line in place.
*.info;mail.none;authpriv.none;cron.none /var/log/messages


# Catch-all selector: every facility at every severity is written to
# /var/log/messages. Expect a much higher log volume on the syslog host —
# size the partition and log rotation for it.
*.* /var/log/messages

CPLogToSyslog


# Multi-Domain Security Management only: enter the Domain Management Server's
# environment first, so that $FWDIR-relative paths such as the policy file
# below refer to that domain's files rather than the MDS itself.
mdsenv <Name or IP of Domain Management Server>



$FWDIR/state/SEAM/local.cplogtosyslog_policy.C

Steps


# Multi-Domain Security Management only: switch to the Domain Management
# Server's environment before editing $FWDIR/state/SEAM/... so the change
# lands in the intended domain.
mdsenv <Name or IP of Domain Management Server>


(
:customers ()
:events_detectors (
:Red_EventsDetector ("{01C36C58-35AF-4b65-A277-01F74E56E552}")
)
:data_types (
:lea_audit_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
:lea_log_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")


)
:events_distributor (
:CLSID ("{CD6872DE-10A2-4632-B9F3-714E3CE9A0A6}")
:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("syslog server control")
:server_id (1)
:port (514)
:protocol (udp)
)
: (
:ip_addr ("192.168.100.1")
:server_name ("syslog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)
)
:jobs (
:"All online jobs" ("{42DC9EE4-1529-4cb4-B4D9-E850AA328EDA}"
:job_is_online (true)
:job_is_canceled (false)
:detectors_instances (
:Red_EventsDetector ("{F42EE20C-CB81-4FDA-B6E8-AC916156C368}"
:instance_is_online (true)
:run_in_main_thread (true)
:input_sessions (
:lea_log_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.0.1)
:port (18184)
:logtrack (LEA_CURRENT_NORMAL_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (false)
:save_marker_interval (600)
)
)
:events_detecting_policy (
:global_parameters (
:garbage_collector_interval (60)
:max_vm_size (1000000)
:time_mode (os_time)
)
:rulebase (
: (ctrl_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A8D971}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)
:field_value (control)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)
: (log_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A83973}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)


:field_value (log)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (5)
:facility (6)
:add_time_stamp (true)
:host_name ("Log host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Log type log")
:server_id (2)
)
:create_for_all_detector_instances (false)
)
)
)
)
)
)
)
)


# Keep a pristine copy of the policy before editing it, so the original can be
# restored if CPLogToSyslog rejects the edited file.
[Expert@HostName:0]# cp -v $FWDIR/state/SEAM/local.cplogtosyslog_policy.C{,_ORIGINAL}



# Edit the policy in place (syslog_servers, input_sessions and rulebase
# sections are the ones changed in the examples below).
[Expert@HostName:0]# vi $FWDIR/state/SEAM/local.cplogtosyslog_policy.C



# Convert CRLF line endings to LF (e.g. after pasting the file from a Windows
# editor). NOTE(review): this step implies the policy parser does not tolerate
# CR characters — do not skip it after editing the file elsewhere.
[Expert@HostName:0]# dos2unix $FWDIR/state/SEAM/local.cplogtosyslog_policy.C



:data_types (
:lea_audit_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
:lea_log_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
)


:input_sessions (
:lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.100.10)
:port (18184)
:logtrack (LEA_CURRENT_AUDIT_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (true)
:save_marker_interval (10)
)
)

ip_addr


support_marker
true
false

save_marker_interval



:input_sessions (
:lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.100.10)
:port (18184)
:logtrack (LEA_CURRENT_AUDIT_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (true)
:save_marker_interval (10)
)
)



:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("sysLog server control")
:server_id (1)
:port (514)
:protocol (udp)
)
: (
:ip_addr ("192.168.100.1")
:server_name ("sysLog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)



ip_addr

server_name

server_id


port

protocol



:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("SysLog server Control")
:server_id (1)
:port (514)

:protocol (udp)
)
: (
:ip_addr ("192.168.100.2")
:server_name ("SysLog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)



:rulebase (
: (ctrl_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A8D971}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)
:field_value (control)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)



ctrl_type_filter

ruleID

active on off

filter Equal And Or
Equal
And Or


field_name



field_value

severity

facility

host_name

event_name

server_id




<16>Sun Mar 23 10:33:53 Log host CPLogToSyslog: 10:33:53 16386 accept 192.168.100.10 >vmxnet0
rule: 1; rule_uid: {CBA1863B-2B4F-4E59-A257-4CCFD6146C4C}; service_id: nbdatagram; src:
192.168.100.1; dst: 192.168.100.255; proto: 17; aba_customer: Default; date: 23Mar2012; hour:
10:33:53; type: log; Interface: < vmxnet0; product: VPN & FireWall; service: 138; s_port:
138;



ctrl_type_filter

ruleID


: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
... ...



: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Product)
:field_value ("Firewall")
)
:filter (Or
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.1)
)
)
:filter (And
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.2)
)
: (And
: (Equal
:field_name (service)



:field_value (80)
)
: (Equal
:field_name (Proto)
:field_value (6)
)
)
)
... ...



: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Product)
:field_value ("Firewall")
)
:filter (Or
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.1)
)
)
:filter (And
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.2)
)
: (And
: (Equal
:field_name (service)
:field_value (80)
)
: (Equal
:field_name (Proto)
:field_value (6)
)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)


field_name





CPLogToSyslog



# Multi-Domain Security Management only: switch to the Domain Management
# Server's environment before touching its registry.
[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>



# Back up the Check Point registry before changing it, so the value can be
# restored if the change has to be rolled back.
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data{,_ORIGINAL}



# Set the FW1 "CPLogToSysLog" registry value to 1 — presumably this enables the
# CPLogToSyslog process (the cpwd_admin check at the end suggests it is then
# managed by the Check Point watchdog). Verify with the grep that follows.
[Expert@HostName:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 "CPLogToSySLog" 4 1 1



[Expert@HostName:0]# grep CPLogToSysLog $CPDIR/registry/HKLM_registry.data



# Same value set to 0 — the reverse (disable) step. Run one of the two
# CPPROD_SetValue lines, not both.
[Expert@HostName:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 "CPLogToSysLog" 4 0 1



[Expert@HostName:0]# grep CPLogToSysLog $CPDIR/registry/HKLM_registry.data



[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>



# Start the exporter manually as a background job from the Expert shell.
# A process started this way is not supervised by cpwd and may not survive the
# end of the login session — use the cpwd_admin check below to confirm which
# instance is actually running before relying on it.
[Expert@HostName:0]# $FWDIR/bin/CPLogToSyslog &



# Confirm the process is running.
[Expert@HostName:0]# ps auxw | egrep "PID|CPLogToSyslog"



# Confirm the Check Point watchdog (cpwd) is tracking the CPLOGTOSYSLOG process.
cpwd_admin list CPLOGTOSYSLOG



https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit...


