Hi Givary,
The problem was the client was adding too many of the available fields to the logging policy on the Checkpoint side.
Once he backed it off to the recommended fields all was ok.
Checkpoint Firewall syslog configuration?

Hi there,
Has anyone recently configured Checkpoint Firewalls to log to Sentinel via syslog?
I'm getting 'max length exceeded'.
I'm not sure if there are recommendations on a way to reduce the fields in the logs or if there's some other issue that I can configure in rsyslog.
Thanks for your help.
Microsoft Security | Microsoft Sentinel
2 answers
David Broggy 6,291 Reputation points MVP Volunteer Moderator
2022-11-03T13:55:37.393+00:00
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator
2022-11-04T03:32:26.043+00:00
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Answered by David (@David Broggy):
The problem was the client was adding too many of the available fields to the logging policy on the Checkpoint side.
Once he backed it off to the recommended fields all was ok.