Integrating syslog for Check Point Multi-Domain Management (Provider-1)

This method ensures that the Check Point Multi-Domain Management (Provider-1) DSM for IBM QRadar accepts Check Point Multi-Domain Management (Provider-1) events by using syslog.

About this task

QRadar records all relevant Check Point Multi-Domain Management (Provider-1) events.

Configure syslog on your Check Point Multi-Domain Management (Provider-1) device:

Procedure

  1. Type the following command to access the console as an expert user:

    expert

    A password prompt is displayed.

  2. Type your expert console password. Press the Enter key.
  3. Type the following command:

    csh

  4. Select the customer whose logs you want to forward:

    mdsenv <customer name>

  5. Type the following command:

    nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 &

    Where:

    • <facility> is a syslog facility, for example, local3.
    • <priority> is a syslog priority, for example, info.

    You are now ready to configure the log source in QRadar.

    The configuration is complete. The log source is added to QRadar automatically because Check Point Multi-Domain Management (Provider-1) syslog events are autodiscovered. Events that are forwarded to QRadar are displayed on the Log Activity tab.
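The following wrapper is an added example, not part of the IBM or Check Point documentation: it validates the <facility> and <priority> values from step 5 against the standard syslog names, builds the exact forwarding pipeline, and refuses to start a second forwarder if one is already running. It assumes a bash expert shell in which mdsenv has already set FWDIR, and the function names are ours.

```shell
#!/bin/bash
# Added example for the QRadar Provider-1 syslog procedure (not vendor code).
# Assumes: run from the expert shell after `mdsenv <customer>` has set $FWDIR.

# Standard syslog facility names accepted by logger(1).
valid_facility() {
    case "$1" in
        kern|user|mail|daemon|auth|syslog|lpr|news|uucp|cron|authpriv|ftp|local[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Standard syslog priority (severity) names accepted by logger(1).
valid_priority() {
    case "$1" in
        emerg|alert|crit|err|warning|notice|info|debug) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the step 5 pipeline for the given facility and priority, leaving
# $FWDIR unexpanded so it is resolved in the customer context when run.
# Returns 1 (with a message on stderr) if either value is not a syslog name.
build_forwarder_cmd() {
    local facility="$1" priority="$2"
    valid_facility "$facility" || { echo "invalid syslog facility: $facility" >&2; return 1; }
    valid_priority "$priority" || { echo "invalid syslog priority: $priority" >&2; return 1; }
    printf '%s\n' "nohup \$FWDIR/bin/fw log -ftn | /usr/bin/logger -p ${facility}.${priority} 2>&1 &"
}

# True if an `fw log -ftn` forwarder is already running on this host.
forwarder_running() {
    pgrep -f 'fw log -ftn' >/dev/null 2>&1
}

# Starts the forwarder once: checks FWDIR (set by mdsenv), skips if a
# forwarder is already running, then evaluates the built pipeline.
start_forwarder() {
    local cmd
    cmd=$(build_forwarder_cmd "${1:-local3}" "${2:-info}") || return 1
    [ -n "$FWDIR" ] || { echo "FWDIR not set; run mdsenv <customer> first" >&2; return 1; }
    if forwarder_running; then
        echo "fw log forwarder already running; not starting another" >&2
        return 0
    fi
    eval "$cmd"
}
```

Note that logger hands each line to the local syslog daemon, so that daemon must itself be configured to send the chosen facility to QRadar before events appear on the Log Activity tab.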