Check Point Log Exporter Configuration (R81.10 and below)
This topic is intended for TOS Administrators.
Overview
This procedure describes how to set up a log exporter to send syslogs to TOS. It covers both UDP and TCP.
The TCP option requires encryption. If you are going to use encrypted TCP, start with Configuring Check Point Syslogs Over Encrypted TCP.
The procedure must be performed on your CMA/SMC device and, if you have a separate CLM log server, on that as well so that traffic logs are included. Make sure you define the same log ID on both.
If you are using a Check Point device that is R81.20 or above, see Check Point log_exporter Configuration (R81.20 and above).
Create the Log Exporter
1. Create a new Check Point log exporter with TOS as the Target Server.
Use the cp_log_export add command, as described in the Check Point Support Center: SecureKnowledge Details > Log Exporter - Check Point Log Export (Solution ID sk122323). Enter a protocol of either udp or tcp.
cp_log_export add name <exporter-name> domain-server <domain-name> target-server <tos-ip> target-port <tos-port> protocol udp/tcp format {syslog}
where:
- <exporter-name> is any name you choose for the new log exporter in Check Point.
- <domain-name> is the name/IP of the domain server. For additional options, see the Check Point Log Export documentation.
- <tos-ip> is the syslog VIP/load balancer address.
- <tos-port>: see Device-Related Ports.
To verify the log was successfully created, run:
2. For encrypted TCP: Specify your certificate details, obtained previously in Configuring Check Point Syslogs Over Encrypted TCP.
cp_log_export set name <exporter-name> domain-server <domain-name> ca-cert <path_to_CA_pem> client-cert <path_to_p12_certificate> client-secret <challenge_phrase_for_p12>
where:
- <exporter-name> is the name you entered in Step 1.
- <domain-name> is the domain you entered in Step 1.
3. In /targets/<exporter-name>/conf/SyslogFormatDefinition.xml:
Replace:
<!-- HOSTNAME-->
<header>
  <default_value>-</default_value>
  <assign_order>init</assign_order>
  <callback>
    <name>get_host_name_callback</name>
  </callback>
</header>
With:
<!-- HOSTNAME-->
<header>
  <default_value><Log-ID-Name></default_value>
</header>
where <Log-ID-Name> is a string of your choice. A good practice is to name the log ID with the same name as its corresponding domain.
Example: Your domain name is "cma1" and your Log ID is "cma1" as well.
The log name defined here will be used when adding Check Point devices to SecureTrack.
4. Restart the log exporter instance:
The new log exporter should appear.
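The SyslogFormatDefinition.xml edit above, and the requirement that the CMA/SMC and the CLM carry the same Log ID, can be scripted and checked. The following is an added example, not Tufin or Check Point code: set_log_id, pinned_log_id and the sample fragment are constructed here, and only the HOSTNAME block is taken from this page.

```python
import re
from xml.sax.saxutils import escape, unescape

# The one <header> that calls get_host_name_callback; the tempered dot
# keeps the match from spilling across a neighbouring </header>.
HOSTNAME_HEADER = re.compile(
    r"<header>(?:(?!</header>).)*?<name>\s*get_host_name_callback\s*</name>"
    r"(?:(?!</header>).)*?</header>", re.DOTALL)
# The block after the edit: a literal default_value and nothing else.
PINNED = re.compile(r"<!--\s*HOSTNAME\s*-->\s*<header>\s*<default_value>"
                    r"([^<]*)</default_value>\s*</header>")
# Assumption: the value lands in the syslog HOSTNAME field, which RFC 5424
# limits to 1-255 printable ASCII characters with no spaces.
VALID_LOG_ID = re.compile(r"[\x21-\x7e]{1,255}")

def set_log_id(xml_text, log_id):
    """Return xml_text with the HOSTNAME header replaced by a fixed log_id."""
    if not VALID_LOG_ID.fullmatch(log_id):
        raise ValueError("Log ID must be 1-255 printable ASCII chars, no spaces")
    found = HOSTNAME_HEADER.findall(xml_text)
    if len(found) != 1:
        raise ValueError(f"expected one HOSTNAME callback block, found {len(found)}")
    block = f"<header>\n  <default_value>{escape(log_id)}</default_value>\n</header>"
    return HOSTNAME_HEADER.sub(lambda m: block, xml_text, count=1)

def pinned_log_id(xml_text):
    """Return the fixed Log ID already set in the file, or None."""
    m = PINNED.search(xml_text)
    return unescape(m.group(1)) if m else None

# Constructed fragment: only the HOSTNAME block comes from the page; the
# <headers> wrapper and the first block are hypothetical neighbours.
SAMPLE = """<headers>
<!-- OTHER -->
<header>
  <default_value>-</default_value>
  <callback><name>example_other_callback</name></callback>
</header>
<!-- HOSTNAME-->
<header>
  <default_value>-</default_value>
  <assign_order>init</assign_order>
  <callback>
    <name>get_host_name_callback</name>
  </callback>
</header>
</headers>"""

if __name__ == "__main__":
    edited = set_log_id(SAMPLE, "cma1")
    print(edited)
    print("pinned:", pinned_log_id(edited))
```

Running pinned_log_id over the file from each server and comparing the two results confirms that both export the same Log ID.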