# Syslog - Receiving Checkpoint logs



## roundkat (Feb 24, 2022)

Checkpoint logs were working on 11.4-RELEASE-p13 using the Handbook example.

There are 2 formats for Checkpoint logs that would work:
- syslog
- splunk (trimmed down version of syslog)

11.4-RELEASE-p13 - Checkpoint syslog format
rc.conf

```
syslogd_enable="YES"
syslogd_flags="-a 192.168.1.28:*"
```
syslog.conf

```
+192.168.1.28
*.* /share/flogs/user.log
```
newsyslog.conf

```
/share/flogs/user.log        640        30    10000        *    JC
```

After upgrading to 12.3-RELEASE-p2, this stopped working with the Checkpoint syslog format.
tcpdump -nni bge0

```
19:07:59.087916 IP 192.168.1.28.36459 > 192.168.1.14.514: SYSLOG local0.info, length: 1076
```
Putting syslogd in debug mode shows that logging was not working correctly (no Checkpoint logs):

```
# of validation rule: 1
validate: dgram from IP 192.168.1.28, port 33323, name checklog.example.com;
accepted in rule 1.
Failed to parse STRUCTURED-NAME from checklog: 2022-02-23T18:31:18Z checklog
received sa_len = 16
cvthname(2) len = 16
cvthname(192.168.1.28)
```

Changing the Checkpoint format from syslog to splunk:

Checkpoint logs are now going to /share/flogs/user.log:
root@ #cat syslog.d/fw.conf

```
# $FreeBSD: releng/12.3/usr.sbin/syslogd/ppp.conf 338146 2018-08-21 17:01:47Z brd $
syslog
*.*                        /share/flogs/user.log
&stop
```
syslog.conf  - blocking Checkpoint logs from going to /var/log/messages

```
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;*syslog.none    /var/log/messages
```
tcpdump sample

```
13:47:35.477988 IP 192.168.1.28.44538 > 192.168.1.14.514: [|syslog]
```
Note the "|".
Escaping the | with \ and putting "|" does not work in syslog.conf.

My issue is that what used to go to /var/log/messages now goes to /share/flogs/user.log.

Thanks
RK
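The debug line quoted above, "Failed to parse STRUCTURED-NAME", is the strict RFC 5424 parsing that a `<PRI>1 ` header switches on in newer syslogd versions: once the header says version 1, the bracketed STRUCTURED-DATA has to follow the RFC grammar or the whole datagram is dropped, even though tcpdump shows it arriving. The block below is an added example, not the poster's configuration and not FreeBSD's syslogd source: a small Python re-implementation of the RFC 5424 header and STRUCTURED-DATA rules that reports why a payload would be rejected, with the legacy BSD fallback for everything else. All four sample datagrams are constructed for the example; the `cp_syslog_style` payload is an approximation of a firewall log whose bracket holds `field:"value";` pairs rather than RFC SD-PARAMs, the hostname, PID and field values are made up, and enterprise number 32473 is the value RFC 5612 reserves for documentation. The `DEFUPRI` fallback (user.notice for a message with no `<PRI>`) follows BSD syslogd's long-standing default.

```python
"""Strict RFC 5424 parsing: the grammar that gets a non-compliant datagram dropped.

Added example (not the poster's config, not FreeBSD's syslogd code). Re-implements
the RFC 5424 header and STRUCTURED-DATA rules so a rejected payload comes back
with a reason. Every sample datagram below is constructed, not captured.
"""
import re

# RFC 5424 SD-NAME: 1..32 printable US-ASCII characters, never '=', SP, ']' or '"'.
SD_NAME = re.compile(r'^[\x21-\x7e]{1,32}$')
SD_NAME_FORBIDDEN = set('= ]"')
DEFUPRI = 13  # user.notice: BSD syslogd's assumption for a message with no <PRI>

class ParseError(ValueError):
    """Raised where a strict parser stops and the datagram is dropped."""

def _check_sd_name(name, what):
    if not SD_NAME.match(name) or SD_NAME_FORBIDDEN & set(name):
        raise ParseError("%s %r is not a valid SD-NAME" % (what, name))

def _take_token(rest):
    """Split off the next SP-delimited header field; NILVALUE '-' becomes None."""
    tok, _, rest = rest.partition(' ')
    if tok == '':
        raise ParseError("missing header field")
    return (None if tok == '-' else tok), rest

def _take_quoted(rest):
    # PARAM-VALUE: opening '"', then text in which '"', '\' and ']' are backslash-escaped.
    out, i = [], 1
    while i < len(rest):
        c = rest[i]
        if c == '\\' and i + 1 < len(rest) and rest[i + 1] in '"\\]':
            out.append(rest[i + 1])
            i += 2
            continue
        if c == '"':
            return ''.join(out), rest[i + 1:]
        out.append(c)
        i += 1
    raise ParseError("unterminated PARAM-VALUE")

def parse_structured_data(rest):
    """Parse STRUCTURED-DATA; returns ({sd_id: {param: value}}, msg)."""
    if rest.startswith('-'):
        return {}, rest[1:].lstrip(' ')
    elements = {}
    while rest.startswith('['):
        rest = rest[1:]
        sd_id = re.match(r'[^ \]]*', rest).group(0)  # SD-ID runs to SP or ']'
        _check_sd_name(sd_id, "STRUCTURED-NAME (SD-ID)")
        rest, params = rest[len(sd_id):], {}
        while rest.startswith(' '):  # zero or more SP SD-PARAM
            m = re.match(r' ([^=]*)=', rest)
            if not m:
                raise ParseError("SD-PARAM without '='")
            _check_sd_name(m.group(1), "PARAM-NAME")
            rest = rest[m.end():]
            if not rest.startswith('"'):
                raise ParseError("PARAM-VALUE must be double-quoted")
            params[m.group(1)], rest = _take_quoted(rest)
        if not rest.startswith(']'):
            raise ParseError("SD-ELEMENT not closed with ']'")
        elements[sd_id], rest = params, rest[1:]
    if not elements:
        raise ParseError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return elements, rest.lstrip(' ')

def parse_syslog(payload):
    """'<PRI>1 ' selects strict RFC 5424 parsing; anything else is legacy RFC 3164 text."""
    m = re.match(r'<(\d{1,3})>', payload)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), payload[m.end():]
    else:
        pri, rest = DEFUPRI, payload  # no usable PRI: file it under user.notice
    result = {'facility': pri >> 3, 'severity': pri & 7}
    if not rest.startswith('1 '):
        result.update(format='rfc3164', msg=rest)
        return result
    rest = rest[2:]
    for field in ('timestamp', 'hostname', 'appname', 'procid', 'msgid'):
        result[field], rest = _take_token(rest)  # field syntax not validated further here
    result['sd'], result['msg'] = parse_structured_data(rest)
    result['format'] = 'rfc5424'
    return result

def triage(payloads):
    """Per datagram: ('accepted', parsed dict) or ('dropped', reason)."""
    out = []
    for p in payloads:
        try:
            out.append(('accepted', parse_syslog(p)))
        except ParseError as e:
            out.append(('dropped', str(e)))
    return out

# Constructed samples; the first three carry <134> = local0.info like the post's tcpdump line.
SAMPLES = {
    # RFC 5424 header, but the bracket holds field:"value"; pairs instead of
    # SD-ID SP PARAM="value"; an SD-NAME may not contain '"', so parsing stops there.
    'cp_syslog_style': '<134>1 2022-02-23T18:31:18Z checklog CheckPoint 12345 - '
                       '[action:"Accept"; flags:"411908"; ifdir:"inbound"]',
    # Same fields as compliant STRUCTURED-DATA (32473 is RFC 5612's documentation number).
    'rfc5424_ok': '<134>1 2022-02-23T18:31:18Z checklog CheckPoint 12345 - '
                  '[fw@32473 action="Accept" flags="411908" ifdir="inbound"] allowed',
    # Legacy BSD header: no version digit, so no structured-data grammar applies.
    'bsd_style': '<134>Feb 23 18:31:18 checklog CheckPoint: action=Accept flags=411908',
    # No <PRI> at all: accepted, but filed under user.notice.
    'no_pri': '2022-02-23T18:31:18Z checklog action=Accept flags=411908',
}
```

To use it on a real capture, paste the ASCII payload of one datagram (for example from `tcpdump -A` or from `syslogd -d`) into `SAMPLES` and run `triage(SAMPLES.values())`: a `dropped` result with a STRUCTURED-DATA reason means the sender's format, not syslog.conf, is what needs changing. Note also that tcpdump's `[|syslog]` is the decoder's own marker for a payload it could not parse as syslog, not a character carried in the message.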


----------

