Logmanager documentation

CheckPoint

Logging via syslog

For a CheckPoint device, first make sure that CheckPoint Log Exporter is installed on your version. Some of the latest versions of CheckPoint Security Gateways already have Log Exporter integrated in the software (80.40 and above), some versions need the latest Jumbo Hotfix Accumulator installed (80.10 to 80.30), and some need a dedicated patch (versions 77.10 to 77.30).

More details about CheckPoint Log Exporter are available at this link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

Once you are sure that CheckPoint Log Exporter is available on your system, only a few steps are needed to get it running with Logmanager.

  1. Create a new CheckPoint Log Exporter target with the following command, replacing the target-server IP with your Logmanager IP address:

    cp_log_export add name Logmanager target-server 192.0.2.10 target-port 514 protocol tcp format generic

  2. Enable the target with the command:

    cp_log_export set name Logmanager enabled true

  3. Restart the CheckPoint Log Exporter service with the command:

    cp_log_export restart name Logmanager

    Here is a screenshot from the CheckPoint expert console showing configuration steps 1-3 on CheckPoint Secure Gateway version 80.40:

    CheckPoint expert console of configuration steps

  4. To review the CheckPoint Log Exporter configuration, run the command:

    cp_log_export show

    Review CheckPoint log exporter configuration

  5. On the Logmanager, add the proper classification to direct the incoming logs from the CheckPoint source IP to the Logmanager CheckPoint parser. Save the edited classifier or classifier template.

    Adding the proper classification

  6. Wait a minute and check the Logmanager dashboards for CheckPoint to see whether they are filling with correct data.

CheckPoint logging via TLS syslog

For a CheckPoint device, you first need to install the Log Exporter extension in your Gaia installation to ensure syslog messaging.

After you install the extension, follow these steps:

  1. For encrypted communication, you first need to provide a public CA certificate in .pem format and create a client certificate in .p12 format (containing the certificate and a private key).

  2. You need to upload these certificates into your Gaia installation (e.g. using WinSCP) and create a folder for them.

  3. In expert mode, enter the following command:

    cp_log_export add name logmanagertls target-server <Logmanager_IP> target-port 6514 protocol tcp format generic
    
  4. Next, enter the following command, setting the certificate paths (/opt/ssl-cert/) and the password you chose for the .p12 certificate:

    cp_log_export set name logmanagertls enabled true encrypted true ca-cert <path_to_CA_pem (/opt/ssl-cert/)> client-cert <path_to_p12_certificate (/opt/ssl-cert/)> client-secret <challenge_phrase_for_p12>
    
  5. Restart log exporter:

    cp_log_export restart name logmanagertls
    
  6. To verify the correct configuration, use the command:

    cp_log_export show
    
  7. Now the logs are sent via TLS to the Logmanager side.
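
The certificate files from steps 1 and 2 can be checked before they are referenced in step 4. The script below is an added example, not part of the Logmanager or Check Point documentation: it confirms that the CA file is a PEM certificate, that the .p12 opens with the chosen password and contains a private key, and that the client certificate verifies against the CA. It assumes the OpenSSL command-line tool is available, that the client certificate is issued directly by that CA, and that the password is supplied in a hypothetical `P12_PASS` environment variable.

```shell
#!/bin/sh
# Added example: pre-flight check of the ca-cert / client-cert files.
# Assumptions: OpenSSL CLI is installed; the .p12 password is in $P12_PASS.

# True if FILE is a PEM-encoded X.509 certificate (the .pem CA file).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout </dev/null 2>/dev/null
}

# Print the client certificate stored in the .p12 bundle.
# The password is read from the environment rather than passed as an
# argument, so it does not show up in the process list.
p12_client_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# True if the bundle opens with $P12_PASS and contains a private key.
# The key is only piped to grep and never written to disk.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# True if the client certificate in the bundle verifies against the CA file.
p12_chains_to_ca() {
    p12_client_cert "$2" | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# Usage: check_log_export_certs CA.pem CLIENT.p12
# Returns 0 when the pair is consistent, or 1, 2, 3 for the check that failed.
check_log_export_certs() {
    is_pem_cert "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    p12_has_key "$2" || { echo "wrong password or no private key: $2" >&2; return 2; }
    p12_chains_to_ca "$1" "$2" || { echo "client cert not issued by $1" >&2; return 3; }
    echo "OK: $2 holds a key and a certificate issued by $1"
}

# Run the checks when two file arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    check_log_export_certs "$1" "$2"
fi
```

A non-zero exit code identifies which of the three checks failed, which narrows down a failing TLS export to the CA file, the .p12 password or contents, or a mismatch between the two.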