Skip to content

How to configure Firewall CheckPoint to send logs to CQ Server IP Address on port 5140 UDP

Configuring System Logging - Gaia Portal

This section includes procedures for configuring System Logging and Remote System Logging

System Logging configures if Gaia sends these logs:

  • Gaia syslog messages to its Check Point Management Server
  • Gaia audit logs upon successful configuration to its Check Point Management Server
  • Gaia audit logs upon successful configuration to Gaia syslog facility

Remote System Logging configures a remote syslog server, to which Gaia sends its syslog messages (there are some command options and parameters, which you cannot configure in the Gaia Portal)

To configure System Logging, please follow the steps bellow:

1) In the navigation tree, click System Management > System Logging.

2) In the System Logging section, select the applicable options:

  • Send Syslog messages to management server

  • Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server. Default: Not selected (this option is configured in the Gaia Clish with the set syslog cplogs {on | off} command)

  • Send audit logs to management server upon successful configuration

  • Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server. Default: Selected (this option is configured in the Gaia Clish with the set syslog mgmtauditlogs {on | off} command)

  • Send audit logs to syslog upon successful configuration

  • Specifies if the Gaia saves the logs for configuration changes that authorized users make. Default: Selected

  • To specify a desired Gaia configuration audit log file, run the set syslog filename </Path/File> command, otherwise Gaia uses the default /var/log/messages file (this option is configured in the Gaia Clish with the set syslog auditlog {disable|permanent} command)

3) Click Apply

To configure Remote System Logging, please follow the steps bellow:

1) In the navigation tree, click System Management > System Logging

2) In the Remote System Logging section, click Add

3) In the IP Address field, enter IPv4 address of the remote syslog server

4) In the Priority field, select severity level of logs that are sent to remote server. These are the accepted values:

  • All - All messages
  • Debug - Debug-level messages
  • Info - Informational messages
  • Notice - Normal but significant condition
  • Warning - Warning conditions
  • Error - Error conditions
  • Critical - Critical conditions
  • Alert - Action must be taken immediately
  • Emergency - System is unusable

5) Click OK

To edit Remote System Logging settings, please follow the steps bellow:

1) In the navigation tree, click System Management > System Logging

2) In the Remote System Logging section, select the remote server

3) Click Edit

4) In the IP Address field, enter IPv4 address of the remote syslog server

5) In the Priority field, select severity level of logs that are sent to remote server

6) Click OK

To delete Remote System Logging settings, please follow the steps bellow:

1) In the navigation tree, click System Management > System Logging

2) In the Remote System Logging section, select the remote syslog server

3) Click Delete

4) Click Yes

Syntax for System Logging configuration

To send the Gaia system logs to a Check Point Management Server:

set syslog cplogs {on | off}

To send the Gaia configuration audit logs to a Check Point Management Server:

set syslog mgmtauditlogs {on | off}

To save the Gaia configuration audit logs:

set syslog auditlog {disable | permanent}

To configure the file name of the Gaia configuration audit log:

set syslog filename </Path/File>

To show the Gaia system logging configuration:

show syslog

all

auditlog

cplogs

filename

mgmtauditlogs

Note: After you add, configure, or delete features, run the save config command to save the settings permanently

Syntax for Remote System Logging configuration

To send Gaia system logs to a remote syslog server:

add syslog log-remote-address <IPv4 Address> level <Severity>

To show the Gaia system logging configuration:

show syslog

all

log-remote-address <IPv4 Address>

log-remote-addresses

To stop sending Gaia system logs to the specific remote server:

delete syslog log-remote-address <IPv4 Address> [level <Severity>]

Note: After you add, configure, or delete features, run the save config command to save the settings permanently

Parameters and descriptions

Parameters Description
cplogs {on \ off} Specifies if the Gaia sends the Gaia system logs to a Check Point Management Server:
on – Send Gaia system syslogs
off – Do not send Gaia syslogs
Default: off
Note – This command corresponds to the Send Syslog messages to management server  option in the Gaia Portal > System Management > System Logging.
Mgmtauditlogs {on \ off} Specifies if the Gaia sends the Gaia audit logs (for configuration changes that authorized users make) to a Check Point Management Server:
on – Send Gaia audit logs
off – Do not send Gaia audit logs
Default: on
Note  This command corresponds to the Send audit logs to management server upon successful configuration option in the Gaia Portal > System Management > System Logging.
Auditlog {disable \ permanent} Specifies if the Gaia saves the logs for configuration changes that authorized users make:
disable – Disables the Gaia audit log facility
permanent – Enables the Gaia audit log facility to save information about all successful changes in the Gaia configuration. To specify a desired destination file, run the set syslog filename </Path/File> command (otherwise, Gaia uses the default /var/log/messages file).
Default: permanent
Note  This command corresponds to the Send audit logs to syslog upon successful configuration option in the Gaia Portal > System Management > System Logging.
</Path/File> Configures the full path and file name of the system log.
Default: /var/log/messages
Note  Gaia Portal does not let you configure this setting.
Log-remote-address Configures Gaia to send system logs to a remote syslog server.
Important  Do not configure two Gaia computers to send system logs to each other – directly, or indirectly. Such configuration creates a syslog forwarding loop, which causes all syslog messages to repeat indefinitely on both Gaia computers.
Note  This command corresponds to the Gaia Portal > System Management > Remote System Logging.
<Ipv4 Address> Ipv4 address of the remote syslog server, to which Gaia sends its system logs.
Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255])
Default: No default value
<Severity> Syslog severity level for the system logging. These are the accepted values (as defined by the RFC 5424 – Section-6.2.1):
emerg – System is unusable
alert – Action must be taken immediately
crit – Critical conditions
err – Error conditions
warning - Warning conditions
notice - Normal but significant condition
info - Informational messages
debug - Debug-level messages
all - All messages
Notes:
Until you configure at least one severity level for a given remote server, Gaia does not send syslog messages.
If you specify multiple severities, the most general least severe severity always takes precedence.

Examples of CheckPoint Gaia:

gaia> set syslog auditlog permanent

gaia> set syslog filename /var/log/system_logs.txt

gaia> set syslog mgmtauditlogs on

gaia> set syslog cplogs on

gaia> set syslog log-remote-address 192.168.2.1 level all

gaia> show syslog all

Syslog Parameters:

Remote Address 192.168.2.1

Levels all

Auditlog permanent

Destination Log Filename /var/log/system_logs.txt

gaia>

gaia>show syslog auditlog

permanent

gaia>

gaia> show syslog cplogs

Sending syslog syslogs to Check Point's logs is enabled

gaia>

gaia> show syslog mgmtauditlogs

Sending audit logs to Management Server is enabled

gaia>

gaia> show syslog filename

/var/log/system_logs.txt

gaia>

Configuring Log Volume - Expert Mode

On condition that there is enough available disk space, you can enlarge the log partition.

Use the lvm_manager tool from Expert mode:

1) Connect to the Gaia system over console

2) Reboot the Gaia system

3) During boot, press any key to enter the Boot menu (you have approximately 5 seconds)

4) Select Start in maintenance mode

5) Enter the Expert mode password

6) Use the interactive lvm_manager tool as described in the sk95566: [Expert@HostName:0]# lvm_manager

Note: Disk space is added to the log volume by subtracting it from the disk space used to store backup images

Redirecting RouteD System Logging Messages

By default, Gaia writes the RouteD syslog messages (for example, OSPF or BGP errors) to the /var/log/messages file. You can configure Gaia to write the RouteD syslog messages to the /var/log/routed_messages file instead.

To configure the redirection in the Gaia Portal, please follow the steps bellow:

1) In the navigation tree, click Advanced Routing > Routing Options

2) In the Routing Process Message Logging Options section, select Log Routed Separately

3) In the Maximum File Size field, enter the size (in megabytes) for each log file (default is 1 MB)

4) In the Maximum Number of Files field, enter the maximal number of log files to keep as default is 10 log files (/var/log/routed_messages, /var/log/routed_messages.0, /var/log/routed_messages.1, ..., /var/log/routed_messages.9)

5) Click Apply

To configure the redirection in the Gaia Clish, please follow the steps bellow:

1) Connect to the command line on Gaia

2) Log in to Gaia Clish

3) Run these commands:

HostName> set routedsyslog on 
HostName> set routedsyslog size <Number of MB between 1 and 2047> 
HostName> set routedsyslog maxnum \\Number of Files between 1 and 4294967295
HostName> save config