Checkpoint logs were working on 11.4-RELEASE-p13 using the Handbook example.
There are 2 formats for Checkpoint logs that would work:
- syslog
- splunk (trimmed-down version of syslog)
11.4-RELEASE-p13 - Checkpoint syslog format
rc.conf
Code:
syslogd_enable="YES"
syslogd_flags="-a 192.168.1.28:*"
syslog.conf
Code:
+192.168.1.28
*.* /share/flogs/user.log
newsyslog.conf
Code:
/share/flogs/user.log 640 30 10000 * JC
After upgrading to 12.3-RELEASE-p2, this stopped working with the Checkpoint syslog format.
tcpdump -nni bge0
Code:
19:07:59.087916 IP 192.168.1.28.36459 > 192.168.1.14.514: SYSLOG local0.info, length: 1076
Putting syslogd in debug mode shows that logging was not working correctly (no Checkpoint logs):
Code:
# of validation rule: 1
validate: dgram from IP 192.168.1.28, port 33323, name checklog.example.com;
accepted in rule 1.
Failed to parse STRUCTURED-NAME from checklog: 2022-02-23T18:31:18Z checklog
received sa_len = 16
cvthname(2) len = 16
cvthname(192.168.1.28)
Changing the Checkpoint format from syslog to splunk. Checkpoint logs are now going to /share/flogs/user.log:
root@ #cat syslog.d/fw.conf
Code:
# $FreeBSD: releng/12.3/usr.sbin/syslogd/ppp.conf 338146 2018-08-21 17:01:47Z brd $
syslog
*.* /share/flogs/user.log
&stop
syslog.conf - blocking Checkpoint logs from going to /var/log/messages
Code:
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;*syslog.none /var/log/messages
tcpdump sample, note the "|":
Code:
13:47:35.477988 IP 192.168.1.28.44538 > 192.168.1.14.514: [|syslog]
Escaping the | with \ and putting "|" does not work in syslog.conf
My issue is that what used to go to /var/log/messages now goes to /share/flogs/user.log.
Thanks
RK
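An added example (not part of RK's post): a small Python check that applies the same first test tcpdump's syslog printer applies to a UDP payload, whether it starts with a <PRI> header, which is what separates a "SYSLOG local0.info" line from a "[|syslog]" line in the captures above. The two sample datagrams are constructed, not real Checkpoint output, and the key=value layout of the "splunk" sample is an assumption.

```python
import re
from typing import Optional, Tuple

# Syslog facility and severity names (RFC 5424 section 6.2.1); list index = numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> header: '<', 1-3 digits, '>'. An RFC 5424 message then carries the version "1"
# and a space; an RFC 3164 message goes straight on with the timestamp.
PRI_RE = re.compile(rb"^<(\d{1,3})>(1 )?")


def parse_pri(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (facility, severity, format) or None when there is no valid PRI header.

    tcpdump makes the same first decision: a datagram that does not begin with
    '<digits>' is printed as [|syslog] rather than 'SYSLOG facility.severity'.
    FreeBSD syslogd does not drop such a datagram; it files it under its default
    priority for PRI-less input (user.notice), so the message is then matched by
    selectors such as *.notice and *.* instead of the sender's real facility.
    """
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    fmt = "rfc5424" if m.group(2) else "rfc3164"
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], fmt


def describe(payload: bytes) -> str:
    """One-line verdict for a captured UDP payload, in the spirit of tcpdump's output."""
    parsed = parse_pri(payload)
    if parsed is None:
        return "[|syslog] (no <PRI> header; syslogd will assign user.notice)"
    fac, sev, fmt = parsed
    return f"SYSLOG {fac}.{sev} ({fmt}), length: {len(payload)}"


# Constructed sample datagrams, one per Checkpoint format named in the post.
SAMPLES = {
    # "syslog" format style: PRI 134 = local0.info, RFC 5424 header, as in the first capture.
    "syslog": b"<134>1 2022-02-23T18:31:18Z checklog CheckPoint - - - [action:\"Accept\"]",
    # "splunk" format style (assumed layout): key=value pairs and no PRI header at all.
    "splunk": b"time=1645641078|hostname=checklog|product=Firewall|action=Accept",
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(f"{name:7s} -> {describe(dgram)}")
```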