Wednesday, October 17, 2012

Forward Checkpoint SmartCenter and Juniper NSM syslog to external syslog server


Two KBs regarding how to collect logs from Checkpoint and Juniper:

1. Configuring SmartCenter to send logs to syslog server

Solution ID: sk33423
Product: Security Management, Security Gateway, SecurePlatform
Version: NGX R65, R70, R71, R75
OS: SecurePlatform, Linux
Date Created: 15-Aug-2007
Last Modified: 16-Oct-2012


SOLUTION

Proceed as follows:


a. On the SmartCenter server, edit the /etc/syslog.conf file and add the following line:

local4.info <TAB> @IP_OF_REMOTE_BOX

b. Add the following line to the end of the /etc/rc.d/init.d/cpboot file, so that it is executed on boot up:

fw log -ftnl 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &

Notes:

The '&' in the command syntax ensures that this command runs in the background. If the '&' is not included in the command, the OS stops at loading the syslogd service and you never get a login prompt at the console.
For more information about the fw log command, refer to the R75 Command Line Interface (CLI) Reference Guide.

c. Reboot.
Note: cpstop/cpstart is insufficient to make this work.
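As an added illustration of the receiving side (not part of sk33423 or of the original post): this Python, run on the external syslog server, checks that a line arrived with the PRI value that local4.info encodes and with the "Firewall" tag set by the logger command above, then splits the fw log record into its fields. The record layout after the tag and the sample lines are assumptions constructed for the example.

```python
import re
# PRI = facility * 8 + severity (RFC 3164): local4 is 20 and info is 6, so the
# "local4.info" in /etc/syslog.conf and in "logger -p" arrives as "<166>".
EXPECTED_PRI = 20 * 8 + 6        # 166
EXPECTED_TAG = "Firewall"        # the "-t Firewall" given to logger
# logger(1) output as the remote syslogd receives it: <PRI>Mon dd hh:mm:ss host tag: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Assumed shape of an "fw log -l" record: date time action origin >iface key: value; ...
RECORD_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Z][a-z]{2}\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<direction>[<>])(?P<iface>\S+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+): ([^;]*);")

def parse_line(line):
    """Parse one forwarded record; None if not from the local4.info/Firewall pipeline."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri != EXPECTED_PRI or m.group("tag") != EXPECTED_TAG:
        return None   # another local4 sender or daemon, not the fw log feed
    rec = RECORD_RE.match(m.group("msg"))
    if not rec:
        return None   # tagged Firewall but not an fw log record (e.g. truncated)
    return {
        "host": m.group("host"), "facility": pri // 8, "severity": pri % 8,
        "action": rec.group("action"), "origin": rec.group("origin"),
        "iface": rec.group("direction") + rec.group("iface"),
        "fields": dict(FIELD_RE.findall(rec.group("fields"))),
    }

# Constructed sample lines, not captured from a real SmartCenter.
SAMPLE_LINES = [
    "<166>Oct 17 10:19:47 smartcenter Firewall: 17Oct2012 10:19:47 drop 10.1.1.1 "
    ">eth0 rule: 2; src: 10.0.0.5; dst: 192.0.2.10; proto: tcp; service: http; s_port: 51234;",
    "<165>Oct 17 10:19:48 smartcenter Firewall: 17Oct2012 10:19:48 accept 10.1.1.1 "
    ">eth0 rule: 1; src: 10.0.0.6; dst: 192.0.2.11; proto: udp; service: domain;",
    "<166>Oct 17 10:19:49 smartcenter cron[123]: not a firewall record",
]

def drops_by_source(lines):
    """Count dropped connections per source address over the parsed feed."""
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "drop":
            src = rec["fields"].get("src", "?")
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Feeding the collector's file for the forwarded facility through drops_by_source is a quick way to confirm that records are arriving on local4.info rather than on some other rule in the remote syslog.conf.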

2. Forwarding Juniper NSM logs to a syslog server

NSM can forward NSM logs as well as device traffic logs via syslog, SNMP, e-mail or even a custom script.

You need to define this in "Action Manager" from the NSM GUI client.

Check this KB article:
http://kb.juniper.net/KB11810

NSM Administration Guide, chapter "Forwarding Logs":
http://www.juniper.net/techpubs/software/management/security-manager/


How to forward logs from NSM to a Syslog server


SUMMARY:
How to forward device logs received in NSM directly to an external Syslog server
PROBLEM OR GOAL:
Cannot receive logs to a Syslog server from NSM
SOLUTION:
In order to allow NSM device logs to be automatically forwarded to an external Syslog server, use the following procedure:

  1. Login to NSM GUI

  2. Go to "Action Manager" and click "Action Parameters"

  3. Fill in the Syslog server IP address and the Syslog facility that NSM will categorize the logs as.

  4. Click "OK"

This informs NSM that an external Syslog server is available for use. Two modes are available to forward logs to Syslog.

Device Log Action Criteria Mode: Located under the "Action Manager", this mode allows defining global logging criteria for all devices in a domain.
The criteria can be based on category, sub-category and severity and will apply to all logs received.

Policy Manager Mode: Allows finer control over which traffic logs will be forwarded to Syslog by adding the "Log action" to the desired rule options. This allows forwarding of traffic logs to Syslog only for the desired rules. Enable "Syslog" under "Log/Count" rule options for each rule.
PURPOSE:
Configuration