The checkpoint FW (SMB) has the ability to send “system logs” or “security logs” or “both” to external syslog server.
I’ve configured it to send the logs (both system and security logs) to graylog server which running on AWS.
I only see the system logs on graylog and I would like to know why.
When I send the logs to another syslog server (also on AWS on the same VPC) such as 3Cdeamon I see both security and system logs.
I checked with CP and both logs are in the same syslog format.
Where is the file that store the logs on graylog on AWS (it’s not in /var/log/messages)? I’d like to see if the security logs arrived to graylog.
Any recommendation how to troubleshoot this issue will be great?
The logs are stored in indices, they can be found at /var/lib/elasticsearch/graylog/nodes/0/indices I have never actually looked inside an index (I presume you want to do this), however from here you can delete indices etc.
Firstly I would set the firewall to send only ‘security’ logs and then check if there are any logs coming in.
Other than this, if you would post your Graylog logs (found at /var/log/graylog/graylog.log) that would also help.
