The tags beginning with firewall.checkpoint identify log events generated by the following Check Point technologies:
- Check Point Firewall
- Check Point Gaia
- Check Point OPSEC LEA
The full tag must have at least four levels. The first two are fixed as firewall.checkpoint. The third level identifies the technology type and must be one of fw, gaia, or lea. The fourth element is required but you are free to define it as you like. We suggest using it to identify the machine that is the source of the events.
| Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|
| firewall | checkpoint | fw, gaia or lea | free but required |
For example, firewall.checkpoint.fw.chicago
All firewall log events will be saved in the firewall.checkpoint.fw data table. The fourth level of the tag will appear in the data table in a column labeled machine.
Check Point configuration
Configure the Check Point Log Exporter (or other log sending facility) to send events to the Devo Relay through a dedicated port of your choosing.
Devo Relay rule
Create a new relay rule that tags all the events arriving to the relay through the dedicated port you set in Check Point as firewall.checkpoint.fw.machine. Again, you are free to assign the fourth level of this tag (machine) as suits the needs of your network. In the example below, we use the fourth level to identify the firewall location.
Sending logs from SmartCenter console on Windows
In this case, you will use the Devo Agent for Windows to collect, tag, and send log events to the Devo endpoint. To forward the Firewall logs, use the following CLI command on SmartCenter:
$FWDIR/bin/fw log -ftnl fw.log
The MagicLog component of the Devo Agent for Windows will collect and label events using the firewall.checkpoint.fw.<group> tag.
The Windows Agent ProxServerContainer should send all events to port 13000 on the Devo Relay. This is a port dedicated to simply receiving events and forwarding them securely to the Devo Cloud.
See the Devo Agent for Windows article for more details.
Sending logs from SmartCenter console on Linux
Edit /etc/syslog.conf and add:
local4.info <TAB> @IP_of_Devo_relay
Edit /etc/rc.d/init.d/cpboot and add:
fw log -ftnl | logger -p local4.info -t firewall.checkpoint.fw &
- Reboot the management server. A reboot is required because the cpoff/cpon restart commands are not sufficient to activate log forwarding.
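As an added example (not part of the Devo documentation or of any Check Point tooling), the POSIX shell script below ties together the tag rule described at the top of this page and the Linux forwarding setup just described: it checks that a tag has at least four levels with firewall.checkpoint as the fixed prefix and fw, gaia or lea as the third level, extracts the fourth level that lands in the machine column, and only then renders the syslog.conf and cpboot lines with that tag, so a tag the relay would not accept is caught before it is written into the boot script. The tag firewall.checkpoint.fw.chicago and the relay address 192.0.2.10 are constructed placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Devo or Check Point code. Validates a Check Point tag
# against the four-level rule on this page and renders the Linux forwarding
# configuration for it. All tag and address values are constructed placeholders.

# Exit 0 when TAG matches firewall.checkpoint.<fw|gaia|lea>.<machine>[.more],
# with no empty levels; exit 1 otherwise.
checkpoint_tag_valid() {
    tag=$1
    # Number of dot-separated levels (printf adds a newline so awk sees one record).
    levels=$(printf '%s\n' "$tag" | awk -F. '{ print NF }')
    [ "$levels" -ge 4 ] || return 1
    # Reject empty levels such as "firewall.checkpoint..chicago" or a trailing dot.
    case "$tag" in
        *..*|.*|*.) return 1 ;;
    esac
    # First two levels are fixed; third must be one of the supported technologies.
    case "$tag" in
        firewall.checkpoint.fw.*|firewall.checkpoint.gaia.*|firewall.checkpoint.lea.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the fourth level of TAG, i.e. the value Devo stores in the machine column.
checkpoint_tag_machine() {
    printf '%s\n' "$1" | cut -d. -f4
}

# Print the two configuration lines from the Linux procedure for TAG and RELAY_IP,
# refusing to render anything when the tag would not be accepted.
render_forwarding_config() {
    tag=$1
    relay=$2
    if ! checkpoint_tag_valid "$tag"; then
        printf 'invalid Check Point tag: %s\n' "$tag" >&2
        return 1
    fi
    printf '# /etc/syslog.conf\n'
    printf 'local4.info\t@%s\n' "$relay"
    printf '# /etc/rc.d/init.d/cpboot\n'
    printf 'fw log -ftnl | logger -p local4.info -t %s &\n' "$tag"
}

# Stand-alone demonstration with constructed values.
render_forwarding_config firewall.checkpoint.fw.chicago 192.0.2.10
```

Run it as a plain script to see the rendered lines; the two helper functions can also be sourced into an existing deployment script so the tag is checked once, before the reboot that activates forwarding.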