Tuesday, June 17, 2014

Forward Logs from Checkpoint SmartCenter Management Server and Juniper NSM / IDP to Syslog Server


Two KBs regarding how to collect log from Checkpoint and Juniper:

1. Configuring SmartCenter to send logs to syslog server

Solution ID: sk33423

Proceed as follows:

a. On the SmartCenter server edit the /etc/syslog.conf file and add the following line:

local4.info <TAB> @IP_OF_REMOTE_BOX

b. Add the following line to the end bottom of /etc/rc.d/init.d/cpboot file, to be executed on boot up:

fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &

Notes:

The '&' in the command syntax ensures that this command runs in the background. If the '&' is not included in the command, the OS stops at loading the syslogd service and you never get a login prompt at the console.
For more information about the fw log command, refer to the R75 Command Line Interface (CLI) Reference Guide.

c. Reboot.
Note: cpstop/cpstart is insufficient to make this work.

2.NSM can forward NSM logs as well as device traffic logs via syslog, SNMP, e-mail or even a custom script.


You need to define this in "Action Manager" from the NSM GUI client.

Check this KB article:
http://kb.juniper.net/KB11810

NSM Administration Guide the chapter "Forwarding Logs":
http://www.juniper.net/techpubs/software/management/security-manager/





  1. Login to NSM GUI

  2. Go to "Action Manager" and click  "Action Parameters"

  3. Fill in the Syslog server IP address and the Syslog facility that NSM will categorize the logs as.

  4. Click "OK"

This informs NSM that an external Syslog server is available for use.  Two mode are available to forward logs to Syslog.

Device Log Action Criteria Mode:   Located under the "action manager", this mode allows defining a global logging criteria for all devices in a domain.
The criteria can be based on category, sub-category and severity and will apply to all logs received.

Policy Manager Mode:  Allows finer control on which traffic log will be forwarded to Syslog by adding the "Log action" to the desired rule options.   This allows forwarding of traffic logs to Syslog only for the desired rules.    Enable "Syslog" under "Log/Count" rule options for each rule.


3. IDP Appliance 

To configure Juniper IDP Appliance to send syslogs to STRM (IP Adress of STRM is assumed to be 172.19.47.201)

Login to the NSM system that is managing the IDP
  1. Edit the IDP device and go to Report Settings
  2. Configure the Syslog server as shown below and update the device 

    IDP Syslog

No comments:

Post a Comment