Q4: Send Check Point firewall logs to syslog endpoint

[wrnu]

Describe the issue Configure Check Point firewalls to send logs to SysLog server.

We want to save checkpoint firewall logs and make them available to the OpenSearch SIEM. Check Point does not have a CloudWatch logging agent in the AMI but does support sending logs to a sys log endpoint. The SEA was designed to have an Rsyslog proxy endpoint in the Operations account for this purpose (originally for Fortigate).

Additional context

• Notes from conversation with Ryan J
  • we can forward CP FW logs to a syslog endpoint there is a rsyslog NLB in Operations.
  • we would have to create an endpoint service in operations and then create an endpoint in the inspection vpc in the perimeter account
• CP syslog config may be done through the AMI userdata startup script

Definition of done

• Check Point firewalls are configured to send logs to syslog
• Logs are visible in SIEM

[ActionAnalytics]

Waiting for capability coming in Q4 that would work instead of us hacking together a wobbly solution

[lukegonis]

@NickCorcoran can you please review this issue and determine if it is still a valuable thing to pursue? We need private link endpoint service to support UDP.