Gaia OS syslogd daemon and Check Point syslog daemon cannot run simultaneously
Symptoms
  • The Gaia OS syslogd daemon on the Security Management Server / Domain Management Server / Log Server fails to start in the following scenarios (refer to sk102995):

    1. Security Management Server was configured to accept syslog messages:
      1. In SmartDashboard, open the object of Security Management Server / Domain Management Server - "Logs" menu - "Additional Logging Configuration" - check the box "Accept Syslog messages" - click on OK.
      2. Go to "Policy" menu - click on "Install Database" - select all objects.
    2. Gaia OS on Security Management Server was configured to forward the received syslog messages to another Syslog server:
      • Either in Gaia Portal:
        Go to "System Management" pane - "System Logging" - click on "Add" - enter the IP address of another Syslog server - select the severity level of the logs - click on OK.
      • Or in Gaia Clish:
        HostName> add syslog log-remote-address <IP_Address_of_Another_SysLog_Server> level <SEVERITY>
        HostName> set syslog filename <PATH_AND_FILE>
        HostName> set syslog cplogs on
        HostName> set syslog mgmtauditlogs on
        HostName> set syslog auditlog permanent
        HostName> save config

    Topology: Security Gateway sends its syslog messages to Management Server / Log Server, which forwards them to another Syslog server

  • The output of "ps auwx | grep syslog" command on the Management Server / Log Server shows the Gaia OS syslogd daemon in the <defunct> state.

    Example:
    [Expert@HostName]# ps auwx | grep -E "PID|syslog"
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    admin     5911  0.0  1.1 185152 23544 ?        S    Mar30   3:41 syslog 514 all
    admin     6417  0.0  0.0   1664   400 pts/3    S+   10:12   0:00 syslogd -m 0 -z 515 -P info -f /var/run/syslog.conf 
    admin     6418  0.0  0.0      0     0 ?        Zs   10:12   0:00 [syslogd] <defunct>
    
Cause

When the box "Accept Syslog messages" is checked, the Check Point syslog daemon runs and listens on port 514 on the Management Server / Log Server.

When the Gaia OS syslogd daemon on the Management Server / Log Server is configured to forward syslog messages, it also tries to listen on port 514.

By design, the Check Point syslog daemon restarts the Gaia OS syslogd daemon, so that the Check Point syslog daemon can bind to port 514.

When the Gaia OS syslogd daemon fails to bind to port 514, it tries to exit and becomes defunct.
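
The symptom and cause above can be checked from a saved or live process listing. The script below is an added example, not Check Point code: it reads "ps auwx" output and reports whether a defunct syslogd coexists with the daemon bound to port 514. It assumes the "syslog 514 all" process in the listing above is the Check Point syslog daemon; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify `ps auwx` output for the port 514 conflict.
# Columns assumed: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...

# Print PIDs of syslogd processes in zombie state (STAT begins with Z).
defunct_syslogd_pids() {
    awk '$8 ~ /^Z/ && ($11 == "[syslogd]" || $11 == "syslogd") { print $2 }'
}

# Print PIDs of the process shown as "syslog 514 all" in the article's listing
# (assumed here to be the Check Point syslog daemon).
cp_syslog_pids() {
    awk '$8 !~ /^Z/ && $11 == "syslog" && $12 == "514" { print $2 }'
}

# Read ps output on stdin and print a one-line verdict.
diagnose_syslog_conflict() {
    ps_out=$(cat)
    zombies=$(printf '%s\n' "$ps_out" | defunct_syslogd_pids | tr '\n' ' ')
    cp=$(printf '%s\n' "$ps_out" | cp_syslog_pids | tr '\n' ' ')
    if [ -n "$zombies" ] && [ -n "$cp" ]; then
        echo "CONFLICT cp_syslog=${cp% } defunct_syslogd=${zombies% }"
    elif [ -n "$zombies" ]; then
        echo "DEFUNCT_ONLY defunct_syslogd=${zombies% }"
    else
        echo "OK"
    fi
}

# Sample input: the ps listing from the Symptoms section, embedded for offline use.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
admin     5911  0.0  1.1 185152 23544 ?        S    Mar30   3:41 syslog 514 all
admin     6417  0.0  0.0   1664   400 pts/3    S+   10:12   0:00 syslogd -m 0 -z 515 -P info -f /var/run/syslog.conf
admin     6418  0.0  0.0      0     0 ?        Zs   10:12   0:00 [syslogd] <defunct>'

# Stand-alone run on the sample; on a live system use: ps auwx | diagnose_syslog_conflict
printf '%s\n' "$SAMPLE_PS" | diagnose_syslog_conflict
```

A CONFLICT verdict matches the state described in this article; DEFUNCT_ONLY means syslogd became a zombie for some other reason.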

