How to configure Firewall CheckPoint to send logs to CQ Server IP Address on port 5140 UDP
Configuring System Logging - Gaia Portal
This section includes procedures for configuring System Logging and Remote System Logging.
System Logging configures if Gaia sends these logs:
- Gaia syslog messages to its Check Point Management Server
- Gaia audit logs upon successful configuration to its Check Point Management Server
- Gaia audit logs upon successful configuration to Gaia syslog facility
Remote System Logging configures a remote syslog server to which Gaia sends its syslog messages. Some command options and parameters cannot be configured in the Gaia Portal.
To configure System Logging, follow the steps below:
1) In the navigation tree, click System Management > System Logging.
2) In the System Logging section, select the applicable options:
- Send Syslog messages to management server: Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server. Default: Not selected (this option is configured in the Gaia Clish with the set syslog cplogs {on | off} command)
- Send audit logs to management server upon successful configuration: Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server. Default: Selected (this option is configured in the Gaia Clish with the set syslog mgmtauditlogs {on | off} command)
- Send audit logs to syslog upon successful configuration: Specifies if the Gaia saves the logs for configuration changes that authorized users make. Default: Selected (this option is configured in the Gaia Clish with the set syslog auditlog {disable | permanent} command). To specify a desired Gaia configuration audit log file, run the set syslog filename </Path/File> command; otherwise Gaia uses the default /var/log/messages file
3) Click Apply
To configure Remote System Logging, follow the steps below:
1) In the navigation tree, click System Management > System Logging
2) In the Remote System Logging section, click Add
3) In the IP Address field, enter the IPv4 address of the remote syslog server
4) In the Priority field, select the severity level of the logs that are sent to the remote server. These are the accepted values:
- All - All messages
- Debug - Debug-level messages
- Info - Informational messages
- Notice - Normal but significant condition
- Warning - Warning conditions
- Error - Error conditions
- Critical - Critical conditions
- Alert - Action must be taken immediately
- Emergency - System is unusable
5) Click OK
To edit Remote System Logging settings, follow the steps below:
1) In the navigation tree, click System Management > System Logging
2) In the Remote System Logging section, select the remote server
3) Click Edit
4) In the IP Address field, enter the IPv4 address of the remote syslog server
5) In the Priority field, select the severity level of the logs that are sent to the remote server
6) Click OK
To delete Remote System Logging settings, follow the steps below:
1) In the navigation tree, click System Management > System Logging
2) In the Remote System Logging section, select the remote syslog server
3) Click Delete
4) Click Yes
Syntax for System Logging configuration
To send the Gaia system logs to a Check Point Management Server:
set syslog cplogs {on | off}
To send the Gaia configuration audit logs to a Check Point Management Server:
set syslog mgmtauditlogs {on | off}
To save the Gaia configuration audit logs:
set syslog auditlog {disable | permanent}
To configure the file name of the Gaia configuration audit log:
set syslog filename </Path/File>
To show the Gaia system logging configuration:
show syslog
    all
    auditlog
    cplogs
    filename
    mgmtauditlogs
Note: After you add, configure, or delete features, run the save config command to save the settings permanently
Syntax for Remote System Logging configuration
To send Gaia system logs to a remote syslog server:
add syslog log-remote-address <IPv4 Address> level <Severity>
To show the Gaia system logging configuration:
show syslog
    all
    log-remote-address <IPv4 Address>
    log-remote-addresses
To stop sending Gaia system logs to the specific remote server:
delete syslog log-remote-address <IPv4 Address> [level <Severity>]
Note: After you add, configure, or delete features, run the save config command to save the settings permanently
Parameters and descriptions
Parameters | Description |
---|---|
cplogs {on \| off} | Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server. on – Send Gaia system syslogs; off – Do not send Gaia syslogs. Default: off. Note – This command corresponds to the Send Syslog messages to management server option in the Gaia Portal > System Management > System Logging. |
mgmtauditlogs {on \| off} | Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server. on – Send Gaia audit logs; off – Do not send Gaia audit logs. Default: on. Note – This command corresponds to the Send audit logs to management server upon successful configuration option in the Gaia Portal > System Management > System Logging. |
auditlog {disable \| permanent} | Specifies if the Gaia saves the logs for configuration changes that authorized users make. disable – Disables the Gaia audit log facility; permanent – Enables the Gaia audit log facility to save information about all successful changes in the Gaia configuration. To specify a desired destination file, run the set syslog filename </Path/File> command (otherwise, Gaia uses the default /var/log/messages file). Default: permanent. Note – This command corresponds to the Send audit logs to syslog upon successful configuration option in the Gaia Portal > System Management > System Logging. |
</Path/File> | Configures the full path and file name of the system log. Default: /var/log/messages. Note – Gaia Portal does not let you configure this setting. |
log-remote-address | Configures Gaia to send system logs to a remote syslog server. Important – Do not configure two Gaia computers to send system logs to each other, directly or indirectly. Such configuration creates a syslog forwarding loop, which causes all syslog messages to repeat indefinitely on both Gaia computers. Note – This command corresponds to the Gaia Portal > System Management > Remote System Logging. |
<IPv4 Address> | IPv4 address of the remote syslog server, to which Gaia sends its system logs. Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255]). Default: No default value. |
<Severity> | Syslog severity level for the system logging. These are the accepted values (as defined by RFC 5424, Section 6.2.1): emerg – System is unusable; alert – Action must be taken immediately; crit – Critical conditions; err – Error conditions; warning – Warning conditions; notice – Normal but significant condition; info – Informational messages; debug – Debug-level messages; all – All messages. Notes: Until you configure at least one severity level for a given remote server, Gaia does not send syslog messages. If you specify multiple severities, the most general (least severe) severity always takes precedence. |
Examples of CheckPoint Gaia:
gaia> set syslog auditlog permanent
gaia> set syslog filename /var/log/system_logs.txt
gaia> set syslog mgmtauditlogs on
gaia> set syslog cplogs on
gaia> add syslog log-remote-address 192.168.2.1 level all
gaia> show syslog all
Syslog Parameters:
Remote Address 192.168.2.1
Levels all
Auditlog permanent
Destination Log Filename /var/log/system_logs.txt
gaia>
gaia> show syslog auditlog
permanent
gaia>
gaia> show syslog cplogs
Sending syslog syslogs to Check Point's logs is enabled
gaia>
gaia> show syslog mgmtauditlogs
Sending audit logs to Management Server is enabled
gaia>
gaia> show syslog filename
/var/log/system_logs.txt
gaia>
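A receiver-side check for the remote logging setup above, as an added example (not Check Point code): it decodes the `<PRI>` header of each UDP datagram arriving on port 5140 and flags messages that are less severe than the level configured with add syslog log-remote-address. It assumes Gaia emits standard syslog datagrams with a `<PRI>` prefix and treats the configured level as a minimum-severity threshold; the function names and sample datagrams are constructed for illustration.

```python
import re
import socket

# RFC 5424 section 6.2.1 severities by numeric code, named as in Gaia's <Severity>
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity_name) from the <PRI> header, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23 * 8 + severity 7
        return None
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8]

def effective_level(configured):
    """Least severe configured level wins; 'all' is treated as 'debug'."""
    if not configured:
        return None  # no level configured: Gaia sends nothing
    codes = [7 if lvl == "all" else SEVERITIES.index(lvl) for lvl in configured]
    return SEVERITIES[max(codes)]

def expected_at_receiver(datagram, configured):
    """True if the message is at least as severe as the effective level."""
    decoded = decode_pri(datagram)
    level = effective_level(configured)
    if decoded is None or level is None:
        return False
    return SEVERITIES.index(decoded[1]) <= SEVERITIES.index(level)

# Constructed sample datagrams (not captured from a real gateway)
SAMPLE_INFO = b"<38>Jan  1 00:00:00 gaia sshd[1234]: constructed info message"
SAMPLE_ERR = b"<11>Jan  1 00:00:00 gaia routed[567]: constructed error message"

def listen(configured, host="0.0.0.0", port=5140):
    """Print each datagram on UDP 5140 and flag ones outside the configured level."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            flag = "ok" if expected_at_receiver(data, configured) else "UNEXPECTED"
            print(src, decode_pri(data), flag)

if __name__ == "__main__":
    listen(["notice"])  # assumed to match 'level notice' on the gateway
```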
Configuring Log Volume - Expert Mode
If there is enough available disk space, you can enlarge the log partition.
Use the lvm_manager tool from Expert mode:
1) Connect to the Gaia system over console
2) Reboot the Gaia system
3) During boot, press any key to enter the Boot menu (you have approximately 5 seconds)
4) Select Start in maintenance mode
5) Enter the Expert mode password
6) Use the interactive lvm_manager tool as described in sk95566: [Expert@HostName:0]# lvm_manager
Note: Disk space is added to the log volume by subtracting it from the disk space used to store backup images
Redirecting RouteD System Logging Messages
By default, Gaia writes the RouteD syslog messages (for example, OSPF or BGP errors) to the /var/log/messages file. You can configure Gaia to write the RouteD syslog messages to the /var/log/routed_messages file instead.
To configure the redirection in the Gaia Portal, follow the steps below:
1) In the navigation tree, click Advanced Routing > Routing Options
2) In the Routing Process Message Logging Options section, select Log Routed Separately
3) In the Maximum File Size field, enter the size (in megabytes) for each log file (default is 1 MB)
4) In the Maximum Number of Files field, enter the maximum number of log files to keep. The default is 10 log files (/var/log/routed_messages, /var/log/routed_messages.0, /var/log/routed_messages.1, ..., /var/log/routed_messages.9)
5) Click Apply
To configure the redirection in the Gaia Clish, follow the steps below:
1) Connect to the command line on Gaia
2) Log in to Gaia Clish
3) Run these commands:
HostName> set routedsyslog on
HostName> set routedsyslog size <Number of MB between 1 and 2047>
HostName> set routedsyslog maxnum <Number of Files between 1 and 4294967295>
HostName> save config