Checkpoint logs in Graylog


#1

Hi all,
I’m a new Graylog user and I’m trying to collect logs from several firewalls on my network. The firewalls are Checkpoint R77 and the Graylog server is correctly receiving the traffic, however, the parser is not correctly interpreting the syslog messages. For example, the source field is filled by the process that generated the log entry.
I already have other devices, such as Juniper and Arista, correctly sending the logs to Graylog and parsed correctly.
I’ve googled around and can’t seem to find any example of a Checkpoint device sending logs to a Graylog server, or a Checkpoint parser for Graylog (I’m willing to write my own, btw).

Can anyone confirm if this is a known issue? Can anyone help me troubleshoot the issue?

Thank you


#2

hi,

are you using fw1-loggrabber? In my mind, Checkpoint products do not send logs, but they need to be retrieved using the LEA interface. You can set up SmartEvent and then use fw1-loggrabber to fetch the logs from there.


#3

Hi jtkarvo,

I’m not using fw1-loggrabber… I’m just forwarding the system logs such as /var/log/messages. The traffic logs are being forwarded to the CLM.
From what I understand, this is just a matter of configuring the relevant syslog on the web or CLI interfaces. I can see the traffic reaching the firewall and I can also see the unparsed logs on Graylog.
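The symptom in #1 (the source field holding the process name) is what a BSD-style syslog parser produces when the header arrives without a hostname, which can happen when /var/log/messages lines are forwarded as in #3. The snippet below is an added illustration, not code from the thread or from Graylog’s own parser: the two sample lines are constructed, and the assumption that the Checkpoint messages lack the hostname token is exactly that, an assumption to check against the raw message in Graylog.

```python
import re

# Constructed sample lines (not from the thread). The first has a full
# RFC 3164 header (PRI, timestamp, hostname, tag); the second is the
# assumed shape of a forwarded line whose hostname was dropped, so the
# tag immediately follows the timestamp.
SAMPLES = [
    "<38>Mar  3 10:15:42 fw-gw-01 sshd[2211]: Accepted publickey for admin",
    "<38>Mar  3 10:15:43 sshd[2211]: Accepted publickey for admin",
]

HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)
# A syslog TAG: process name, optional [pid], then a colon.
# Hostnames carry no trailing colon, so this separates the two cases
# (IPv6 literals as hostnames are out of scope for this illustration).
TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_./-]+)(\[(?P<pid>\d+)\])?:")


def parse_naive(line):
    """Take the token after the timestamp as the hostname, unconditionally.

    This reproduces the misparse: with no hostname present, the tag
    (e.g. 'sshd[2211]:') lands in the source field.
    """
    m = HEADER.match(line)
    if not m:
        return None
    host, _, msg = m.group("rest").partition(" ")
    return {"source": host, "message": msg}


def parse_checked(line):
    """Treat the token as a hostname only if it does not look like a tag."""
    m = HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first, _, tail = rest.partition(" ")
    if TAG.match(first):
        # No hostname in the header: leave source unset so the receiver
        # can fall back to the sender address instead of the process name.
        return {"source": None, "message": rest}
    return {"source": first, "message": tail}
```

Comparing `parse_naive` and `parse_checked` on the raw message Graylog stores is a quick way to confirm whether the missing hostname token, rather than a Checkpoint-specific format, explains the bad source field.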

