Integrate Check Point by using syslog
This section describes how to ensure that the IBM QRadar Check Point DSMs accept Check Point events by using syslog.
To configure Check Point to forward syslog events to IBM QRadar complete the following steps:
- Type the following command to access the Check Point console as an expert
user:
expert
A password prompt appears.
- Type your expert console password. Press the Enter key.
- Open the following file:
/etc/rc.d/rc3.d/S99local
- Add the following lines:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> /dev/null 2>&1 &
Where:
- <facility> is a syslog facility, for example, local3.
- <priority> is a syslog priority, for example, info.
For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
- Save and close the file.
- Open the syslog.conf file.
- Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
- <facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.
- <priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4.
<TAB> indicates you must press the Tab key.
<host> indicates the QRadar Console or managed host.
- Save and close the file.
- Enter the following command to restart syslog:
- In Linux®: service syslog restart
- In Solaris: /etc/init.d/syslog start
- Enter the following command:
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
- <facility> is a Syslog facility, for example, local3. This value must match the value that you typed in Step 4.
- <priority> is a Syslog priority, for example, info. This value must match the value that you typed in Step 4.
The configuration is complete. The log source is added to QRadar as Check Point syslog events are automatically discovered. Events that are forwarded to QRadar are displayed on the Log Activity tab.