CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: How to send Cisco ASA syslog smart tracker?

  1. #1
    Join Date
    2012-12-28
    Posts
    31
    Rep Power
    0

    Default How to send Cisco ASA syslog smart tracker?

    I have a question regarding sending syslog messages to Check Point SmartView Tracker and later (as soon as it is installed) to SmartLog.

    Is there anybody who can provide me with a link to documentation?

    Thanks in advance.

    BR
    ABC

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: How to send Cisco ASA syslog smart tracker?

    You have to enable accepting syslog messages on your management station object and Install Database.
    Then you can send syslogs to your Check Point management, which will then cause them to show in SmartView Tracker and SmartLog.
    SmartEvent and SmartReporter will also process these logs (if you use those products).

    [Attached image: syslog-mgmt.PNG]
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2012-12-28
    Posts
    31
    Rep Power
    0

    Default Re: How to send Cisco ASA syslog smart tracker?

    Hello,

    thank you for the quick reply to my query.
    Could you please tell me if I have to create an object for the dedicated external origin?

    Furthermore, could you please tell me how I can see the syslog messages?

    BR
    ABC
    Last edited by abc150781; 2015-01-07 at 06:20.

  4. #4
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by abc150781 View Post
    Hello,

    thank you for the quick reply to my query.
    Could you please tell me if I have to create an object for the dedicated external origin?

    Furthermore, could you please tell me how I can see the syslog messages?

    BR
    ABC
    Why would you even want to do this in the first place? Splunk is a much easier solution.

  5. #5
    Join Date
    2014-09-02
    Posts
    349
    Rep Power
    10

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by abc150781 View Post
    Could you please tell me if I have to create an object for the dedicated external origin?

    Furthermore, could you please tell me how I can see the syslog messages?
    Yes, if the syslog traffic has to traverse a firewall in order to reach the Log Server, you will need a rule (and object) to accommodate. As PhoneBoy stated, the logs will show in SmartView Tracker and SmartLog. They'll be easily identifiable via the "Origin" field, which will be the Cisco device.

    Quote Originally Posted by cciesec2006 View Post
    Why would you even want to do this in the first place? Splunk is a much easier solution.
    While I love Splunk and agree that it can be a great solution, as far as we know the OP here is simply looking to get logs from a single ASA into his existing Check Point Log Server. This is very simple to accomplish, and would even allow for integration with SmartEvent and SmartReporter. No need for additional components or even other tools for reviewing data.

    If there were many more log sources, or there wasn't an existing CP deployment, then I'd agree with you. However, in this case I fail to see how Splunk would be "easier" than simply enabling syslog acceptance on a pre-existing Log Server.

    -E

  6. #6
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by EricAnderson View Post
    Yes, if the syslog traffic has to traverse a firewall in order to reach the Log Server, you will need a rule (and object) to accommodate. As PhoneBoy stated, the logs will show in SmartView Tracker and SmartLog. They'll be easily identifiable via the "Origin" field, which will be the Cisco device.



    While I love Splunk and agree that it can be a great solution, as far as we know the OP here is simply looking to get logs from a single ASA into his existing Check Point Log Server. This is very simple to accomplish, and would even allow for integration with SmartEvent and SmartReporter. No need for additional components or even other tools for reviewing data.

    If there were many more log sources, or there wasn't an existing CP deployment, then I'd agree with you. However, in this case I fail to see how Splunk would be "easier" than simply enabling syslog acceptance on a pre-existing Log Server.

    -E

    This is what I did:

    1- Go into a CMA of a Provider-1 and check the box "Accept Syslog messages"
    2- Install database
    3- In the tcpdump, I can see syslog from the ASA getting to the CMA IP address, but no log is showing up in SmartView Tracker?

    Thoughts? By the way, Provider-1 is R75.46

  7. #7
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by cciesec2006 View Post
    This is what I did:

    1- Go into a CMA of a Provider-1 and check the box "Accept Syslog messages"
    2- Install database
    3- In the tcpdump, I can see syslog from the ASA getting to the CMA IP address, but no log is showing up in SmartView Tracker?

    Thoughts? By the way, Provider-1 is R75.46
    Anyone know why it is not working?

  8. #8
    Join Date
    2014-11-05
    Posts
    1
    Rep Power
    0

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by cciesec2006 View Post
    Anyone know why it is not working?

    Perform a cpstop and cpstart and then it will start working.

  9. #9
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Default Re: How to send Cisco ASA syslog smart tracker?

    Hi all,

    As far as I know, the syslog service is a single-threaded service.
    Does anyone have experience with how much log volume/load the syslog service can handle?

    BR
    Sven

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,650
    Rep Power
    10

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by Chili View Post
    Hi all,

    As far as I know, the syslog service is a single-threaded service.
    Does anyone have experience with how much log volume/load the syslog service can handle?

    BR
    Sven
    I'm about to be in the same boat as you. There is a very detailed article about putting NSX firewall logs into a log server. Really for SmartLog, but the way logs are ingested is the same for Tracker. This isn't a direct answer for how much it can handle, but there is some info on tuning in there.

    https://dreezman.wordpress.com/2016/...into-smartlog/

    I haven't tested it, but I also wonder if it's possible to start an additional syslog->cp daemon on a different IP to spread the load.
    Last edited by jflemingeds; 2016-07-28 at 14:58.

  11. #11
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Default Re: How to send Cisco ASA syslog smart tracker?

    Nice link - thank you!

  12. #12
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,650
    Rep Power
    10

    Default Re: How to send Cisco ASA syslog smart tracker?

    Quote Originally Posted by Chili View Post
    Nice link - thank you!
    BTW, I stumbled across an SK that said the normal syslogd and the cp-syslog (turns syslog packets into Tracker/SmartLog events) have issues with each other on R77.xx.

    See sk105580

  13. #13
    Join Date
    2008-01-25
    Location
    Karlsruhe / Germany
    Posts
    15
    Rep Power
    0

    Default Re: How to send Cisco ASA syslog smart tracker?

    Thanks for this advice. I am in the lucky situation that I already run a jumbo release including a fix for this issue.
