
How to export Check Point logs to a syslog server using CPLogToSyslog




Overview


Check Point "Log Exporter" is an easy and secure method for exporting Check Point logs over the Syslog protocol. This article covers the CPLogToSyslog utility, which reads logs from a Log Server over LEA (port 18184 in the examples) and forwards them to one or more syslog servers. Note that every example below uses `:protocol (udp)` on port 514: UDP syslog is neither encrypted nor acknowledged, so forwarded log content can be read in transit and dropped messages are not detected. Keep the syslog server on a trusted management network (or tunnel the traffic) and back up `$FWDIR/state/SEAM/local.cplogtosyslog_policy.C` before editing it.


Prerequisite


$FWDIR/state/SEAM/local.cplogtosyslog_policy.C


Check_Point_CPLogToSyslog_R80.10_GA_jhf_T56_FULL.tgz


Check_Point_CPLogToSyslog_R80.tgz


Check_Point_CPLogToSyslog_R80_JUMBO_HF_T76.tgz


Check_Point_CPLogToSyslog_R77.30.tgz


Check_Point_CPLogToSyslog_R77_30_Jumbo_HF_T205.tgz


Check_Point_CPLogToSyslog_R77_30_Jumbo_HF_T216.tgz


Check_Point_CPLogToSyslog_R77.20.tgz

Check_Point_CPLogToSyslog_R77.10.tgz


cpstop ; cpstart



cpstop ; cpstart



*.info;mail.none;authpriv.none;cron.none /var/log/messages


*.* /var/log/messages

CPLogToSyslog


mdsenv <Name or IP of Domain Management Server>



$FWDIR/state/SEAM/local.cplogtosyslog_policy.C

Steps


mdsenv <Name or IP of Domain Management Server>


(
:customers ()
:events_detectors (
:Red_EventsDetector ("{01C36C58-35AF-4b65-A277-01F74E56E552}")
)
:data_types (
:lea_audit_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
:lea_log_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")


)
:events_distributor (
:CLSID ("{CD6872DE-10A2-4632-B9F3-714E3CE9A0A6}")
:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("syslog server control")
:server_id (1)
:port (514)
:protocol (udp)
)
: (
:ip_addr ("192.168.100.1")
:server_name ("syslog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)
)
:jobs (
:"All online jobs" ("{42DC9EE4-1529-4cb4-B4D9-E850AA328EDA}"
:job_is_online (true)
:job_is_canceled (false)
:detectors_instances (
:Red_EventsDetector ("{F42EE20C-CB81-4FDA-B6E8-AC916156C368}"
:instance_is_online (true)
:run_in_main_thread (true)
:input_sessions (
:lea_log_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.0.1)
:port (18184)
:logtrack (LEA_CURRENT_NORMAL_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (false)
:save_marker_interval (600)
)
)
:events_detecting_policy (
:global_parameters (
:garbage_collector_interval (60)
:max_vm_size (1000000)
:time_mode (os_time)
)
:rulebase (
: (ctrl_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A8D971}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)
:field_value (control)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)
: (log_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A83973}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)


:field_value (log)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (5)
:facility (6)
:add_time_stamp (true)
:host_name ("Log host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Log type log")
:server_id (2)
)
:create_for_all_detector_instances (false)
)
)
)
)
)
)
)
)


[Expert@HostName:0]# cp -v $FWDIR/state/SEAM/local.cplogtosyslog_policy.C{,_ORIGINAL}



[Expert@HostName:0]# vi $FWDIR/state/SEAM/local.cplogtosyslog_policy.C



[Expert@HostName:0]# dos2unix $FWDIR/state/SEAM/local.cplogtosyslog_policy.C



:data_types (
:lea_audit_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
:lea_log_input_session ("{42296380-1671-4BA2-B66D-047D2B96E3BC}")
)


:input_sessions (
:lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.100.10)
:port (18184)
:logtrack (LEA_CURRENT_AUDIT_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (true)
:save_marker_interval (10)
)
)

ip_addr — IP address of the Log Server (or Domain Log Server) that the LEA input session connects to; the examples use port 18184 with is_auth_port (true), i.e. the authenticated LEA port.


support_marker — true or false. With true, a read-position marker is saved every save_marker_interval seconds (the audit example uses true with a 10-second interval; the first example uses false with 600).

save_marker_interval — interval in seconds between marker saves; only meaningful when support_marker is true.



:input_sessions (
:lea_audit_input_session ("{58281420-7DAA-47FD-BF27-6E64D0CAC844}"
:ip_addr (192.168.100.10)
:port (18184)
:logtrack (LEA_CURRENT_AUDIT_FILEID)
:is_auth_port (true)
:mode (LEA_ONLINE)
:startat (LEA_AT_END)
:filename ()
:support_marker (true)
:save_marker_interval (10)
)
)



:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("sysLog server control")
:server_id (1)
:port (514)
:protocol (udp)
)
: (
:ip_addr ("192.168.100.1")
:server_name ("sysLog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)



ip_addr — IP address of the syslog server that receives the events.

server_name — free-text label for this syslog server entry.

server_id — numeric identifier for this entry; a rule's event_format selects its destination by referencing this value in its own :server_id, so each entry must have a unique server_id.

port — syslog listening port (514 in the examples).

protocol — transport used for syslog; all examples use udp, which sends the log content unencrypted and without delivery acknowledgement.



:syslog_servers (
: (
:ip_addr ("192.168.100.1")
:server_name ("SysLog server Control")
:server_id (1)
:port (514)

:protocol (udp)
)
: (
:ip_addr ("192.168.100.2")
:server_name ("SysLog server Log")
:server_id (2)
:port (514)
:protocol (udp)
)
)



:rulebase (
: (ctrl_type_filter
:ruleID ("{F0461B27-6D0F-43f9-A9BF-639454A8D971}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Type)
:field_value (control)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)



ctrl_type_filter

ruleID

active — on or off; an inactive rule does not forward any events.

filter — Equal, And or Or. Equal compares a single field_name against a field_value; And and Or take nested filters (see the examples below) and can themselves be nested.


field_name



field_value

severity — syslog severity value placed in the emitted message (1 in the control example, 5 in the log example).

facility — syslog facility value placed in the emitted message (2 and 6 in the examples).

host_name — host name string written into the syslog header of the emitted message.

event_name — descriptive name for the events produced by this rule.

server_id — must match the server_id of an entry in syslog_servers; this selects which syslog server receives the rule's events.




<16>Sun Mar 23 10:33:53 Log host CPLogToSyslog: 10:33:53 16386 accept 192.168.100.10 >vmxnet0
rule: 1; rule_uid: {CBA1863B-2B4F-4E59-A257-4CCFD6146C4C}; service_id: nbdatagram; src:
192.168.100.1; dst: 192.168.100.255; proto: 17; aba_customer: Default; date: 23Mar2012; hour:
10:33:53; type: log; Interface: < vmxnet0; product: VPN & FireWall; service: 138; s_port:
138;



ctrl_type_filter

ruleID


: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
... ...



: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Product)
:field_value ("Firewall")
)
:filter (Or
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.1)
)
)
:filter (And
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.2)
)
: (And
: (Equal
:field_name (service)



:field_value (80)
)
: (Equal
:field_name (Proto)
:field_value (6)
)
)
)
... ...



: (This_is_My_Rule_1
:ruleID ("{D81EC45E-09F4-46BB-A4F4-B4C211EF2405}")
:active (on)
:type ("single log event")
:category ()
:detection (
:source_data ()
:groupby ()
:analyze (
:type (resolution)
:resolution (0)
)
:parameters ()
:action ()
:filter (Equal
:field_name (Product)
:field_value ("Firewall")
)
:filter (Or
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.1)
)
)
:filter (And
: (Equal
:field_name (Src)
:field_value (192.168.0.1)
)
: (Equal
:field_name (Dst)
:field_value (192.168.0.2)
)
: (And
: (Equal
:field_name (service)
:field_value (80)
)
: (Equal
:field_name (Proto)
:field_value (6)
)
)
)
:event_format (
:class_name (syslog_event_builder)
:severity (1)
:facility (2)
:add_time_stamp (true)
:host_name ("Control host")
:field_seperator (";")
:TAG ("CPLogToSyslog")
:event_name ("Control log type")
:server_id (1)
)
:create_for_all_detector_instances (false)
)


field_name





CPLogToSyslog



[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>



[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data{,_ORIGINAL}



[Expert@HostName:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 "CPLogToSysLog" 4 1 1



[Expert@HostName:0]# grep CPLogToSysLog $CPDIR/registry/HKLM_registry.data



[Expert@HostName:0]# $CPDIR/bin/cpprod_util CPPROD_SetValue FW1 "CPLogToSysLog" 4 0 1



[Expert@HostName:0]# grep CPLogToSysLog $CPDIR/registry/HKLM_registry.data



[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>



[Expert@HostName:0]# $FWDIR/bin/CPLogToSyslog &



[Expert@HostName:0]# ps auxw | egrep "PID|CPLogToSyslog"



cpwd_admin list CPLOGTOSYSLOG



https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit...


