HowTo send CheckPoint firewall logs to syslog

Checkpoint's Firewall-1 does not offer sending its firewall logs to a syslog server, which is especially painful when a central system is already in place to correlate network events. There is a trick, though, that lets you re-route the logs to a different location: the user-defined alert. We (mis)use the user-defined alert to hand each log entry to a local shell script instead of writing it to the log file.

Security and Performance Implications

Firing up a script each and every time a TCP session is established or ended, as well as for every packet being dropped, can have quite an impact on firewall performance, depending on hardware and line usage.

Second, syslog is not "secured" the way the CheckPoint log facility is. It transfers the messages unencrypted and stores them in plain text, which may need to be taken into consideration.

Remote syslog usually uses UDP, which means log entries can (and probably will) be lost in transit. Switching to a TCP-based syslog can help with this.

Implementation & Setup

I assume the firewall runs under a Unix-style operating system. We need a syslog feeder for this script, and as I usually work under Linux, I am using the "logger" binary that is usually included in a distribution.

If you want to send your logs to a remote syslog server, configure it in /etc/syslog.conf.

To set up, copy the script below to a suitable location and adapt it to your needs. Don't forget to mark it executable (chmod 755). Then configure it as the "user-defined alert" in the CheckPoint firewall (menu Properties/Alerts, IIRC).

First, try whether it is working with a dedicated test rule where you set logging to "user-defined". If it works fine, you can slowly switch over all the rules you want logged. Keep an eye on resource usage when (and after) switching, though...

#!/bin/sh
# fw1syslog  (c) 2004 - this script is public domain
# The three values below are example settings; adapt them to your needs.
# an identifier for the log
IDTAG="fw1"
# the syslog facility
# choose one of: auth, authpriv, daemon, security (deprecated synonym for
#	auth), local0, local1, local2, local3, local4, local5, local6, local7
FACILITY="local4"
# severity level: alert, crit, debug, emerg, err, info, notice
LEVEL="notice"

# no config below here
# CheckPoint hands the log fields to the user-defined alert as positional
# parameters; parameters beyond $9 must be written as ${10}, ${11}, ...
fwdate="$1"		## date of the log entry
fwtime="$2"		## time of the log entry
fwaction="$3"		## block / accept / reject
fwLog="$4"		## log type
fwInterface="$5"	## interface on which the packet arrived
fwtype="$6"		##
fwproto1="$7"		##
fwprotocol="$8"		## protocol used
fwsrc="$9"		##
fwsource="${10}"	## source IP
fwdst="${11}"		##
fwdestination="${12}"	## destination IP
fwsrv="${13}"		##

# every field is quoted so that odd characters in a log entry are passed
# to logger as plain text and never interpreted by the shell
logger -p "${FACILITY}.${LEVEL}" "${IDTAG}: ${fwaction} from ${fwsource} to ${fwdestination} proto ${fwprotocol}"
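As an added example, not part of the original HowTo, here is what the receiving side can do with these entries: a small POSIX shell script that tallies "drop" events per source address from the lines the alert script emits and flags sources that exceed a threshold. The sample log lines are constructed, assuming IDTAG is "fw1" and that logger wrote them on the syslog server with its default "root:" tag.

```shell
#!/bin/sh
# Constructed sample of what the fw1syslog alert script produces on the
# syslog server (format: "<IDTAG>: <action> from <src> to <dst> proto <proto>").
SAMPLE_LOG='Mar  3 10:15:01 fw1 root: fw1: drop from 192.0.2.10 to 198.51.100.5 proto tcp
Mar  3 10:15:02 fw1 root: fw1: accept from 192.0.2.11 to 198.51.100.5 proto tcp
Mar  3 10:15:03 fw1 root: fw1: drop from 192.0.2.10 to 198.51.100.6 proto udp
Mar  3 10:15:04 fw1 root: fw1: drop from 192.0.2.12 to 198.51.100.5 proto icmp
Mar  3 10:15:05 fw1 root: fw1: reject from 192.0.2.10 to 198.51.100.7 proto tcp'

# drops_per_source LOGTEXT [IDTAG]
# Prints "<count> <source IP>" lines, most active source first.
# Only entries carrying the IDTAG and the action "drop" are counted.
drops_per_source() {
    printf '%s\n' "$1" | awk -v tag="${2:-fw1}:" '
        $0 ~ (tag " drop from ") {
            # the word after "from" is the source IP written by the alert script
            for (i = 1; i < NF; i++) if ($i == "from") src[$(i + 1)]++
        }
        END { for (s in src) print src[s], s }' | sort -rn
}

# noisy_sources LOGTEXT THRESHOLD [IDTAG]
# Prints every source IP that has at least THRESHOLD dropped packets,
# i.e. the candidates worth a closer look in the correlation system.
noisy_sources() {
    drops_per_source "$1" "${3:-fw1}" | awk -v min="$2" '$1 >= min { print $2 }'
}

echo "drops per source:"
drops_per_source "$SAMPLE_LOG"
echo "sources with 2 or more drops:"
noisy_sources "$SAMPLE_LOG" 2
```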

Other FW1 logging tricks and resources