Friday, September 25, 2009

Check Point: exporting logs to a syslog server

How to register a syslog server

The goal is to export all the logs, as a continuous stream (like a FIFO), to a syslog server.

The solution consists of running a piece of Check Point software that sends the logs to the local syslog; the local syslog then forwards the data to the remote syslog server.

Here are the programs we will use:

fw log
logger

Explanation

fw log

"fw log" is the tool that shows the logs, on the gateway and on the SmartCenter.

"fw log" accepts several options; we must use these:

-ft : start at the last line and keep showing new lines as they arrive (follow mode, like tail -f).

-n : don't resolve hostnames (no DNS lookups, so the stream is not slowed down).

-l : add a time stamp to each record.

logger

logger is a Unix tool that sends a message (a log line) to syslog.

Solution

So we need to change a boot script, to be sure the forwarding is always started with the firewall.
Change the file /etc/rc.d/init.d/cpboot as follows:

case $1 in
    'start')
        $CPDIR/bin/cpstart -b
        # reload syslogd so it picks up the current configuration
        cp /etc/syslog.conf /var/run/syslog.conf
        kill -HUP $(ps fax|grep syslogd|grep -v grep|awk '{print $1}')
        # For the normal logs (facility local4)
        fw log -ftnl|logger -p local4.info -t Firewall &
        # For the audit logs (facility local5), only if the audit log file exists
        if [ -f $FWDIR/log/fw.adtlog ];then
            fw log -ftnl $FWDIR/log/fw.adtlog|logger -p local5.info -t Firewall &
        fi
    ;;
    'stop')
        $CPDIR/bin/cpstop
    ;;
esac
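As an added example (not part of the original post and not Check Point's code), the following POSIX shell script shows what the "fw log -ftnl | logger -p local4.info -t Firewall" pipeline hands to the local syslog, and the syslog.conf rules the local syslog needs so that it forwards the local4/local5 messages on to the remote server. The hostname loghost.example.com, the function names and the sample log record are constructed for the example.

```shell
#!/bin/sh
# Added example: an offline stand-in for "fw log -ftnl | logger ..." plus
# the syslog.conf forwarding rules.  Nothing here is Check Point code;
# the hostname and the sample record are constructed.

# Map a syslog facility name to its number (RFC 3164 values).
facility_code() {
    case "$1" in
        kern) echo 0 ;;    user) echo 1 ;;    mail) echo 2 ;;    daemon) echo 3 ;;
        auth) echo 4 ;;    syslog) echo 5 ;;  lpr) echo 6 ;;     news) echo 7 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) return 1 ;;
    esac
}

# Map a syslog severity name to its number.
severity_code() {
    case "$1" in
        emerg) echo 0 ;;   alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI value that "logger -p facility.severity" puts in front of each message:
# facility * 8 + severity.  local4.info gives 166, local5.info gives 174.
syslog_pri() {
    fac=$(facility_code "$1") || return 1
    sev=$(severity_code "$2") || return 1
    echo $((fac * 8 + sev))
}

# Wrap one fw log record the way "logger -p PRIO -t TAG" does before handing
# it to syslogd: "<PRI>TAG: message".  syslogd itself adds the timestamp and
# hostname when it writes or forwards the message.
tag_line() {
    prio="$1"; tag="$2"; line="$3"
    fac=${prio%.*}; sev=${prio#*.}
    pri=$(syslog_pri "$fac" "$sev") || return 1
    printf '<%s>%s: %s\n' "$pri" "$tag" "$line"
}

# Feed stdin through tag_line, record by record: this is the shape of
# "fw log -ftnl | logger -p local4.info -t Firewall" without needing fw or syslogd.
tag_stream() {
    prio="$1"; tag="$2"
    while IFS= read -r rec; do
        tag_line "$prio" "$tag" "$rec"
    done
}

# syslog.conf rules for the forwarding step: every message on the two
# facilities used by the cpboot pipelines goes to the remote collector
# ("@host" is the classic syslogd syntax for forwarding over UDP/514).
forward_rules() {
    host="$1"
    printf 'local4.*\t@%s\n' "$host"
    printf 'local5.*\t@%s\n' "$host"
}

# Constructed sample record in the style of "fw log -ftnl" output (not real data).
SAMPLE='25Sep2009 10:15:42 accept fw-gw >eth0 rule: 7; src: 10.0.0.5; dst: 10.0.1.8; proto: tcp; service: http;'

# Run stand-alone to see the tagged record and the forwarding rules.
demo() {
    printf '%s\n' "$SAMPLE" | tag_stream local4.info Firewall
    forward_rules loghost.example.com
}
```

Call demo after sourcing the script to see the tagged record and the two syslog.conf lines. The "@host" rule form is that of classic sysklogd and forwards over UDP port 514, so the receiving syslogd has to be started with remote reception enabled (-r on sysklogd) and the path between the two hosts must allow 514/udp. The cpboot snippet backgrounds the two pipelines with & and nothing restarts them if fw log or logger exits, so it is worth checking with ps from time to time that both halves of each pipeline are still running.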