https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244065#M47497 <P>cpstat fw -f log_connection will show if you're connected to the log server and how many logs you're sending.</P><P>&nbsp;</P><P>you used to be able to run 'fw log -flnt' on the gateway to dump fw.log file to stdout and "tail" it for new logs. not sure if this still works, or may only work if you are disconnected from the log server so the firewall is logging locally.</P> Tue, 18 Mar 2025 13:00:33 GMT Lloyd_Braun 2025-03-18T13:00:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244018#M47482 <P>Hello, Guys.</P> <P>Is it possible to see the traffic logs through the CLI of a FW, and not from the SmartConsole?</P> <P>I want to see the traffic of a flow, for the last 7 days, at the moment of executing the command (if possible).</P> <P>SOURCE IP: 192.168.59.180<BR />IP DESTINATION: 10.100.100.5<BR />Service: 88<BR />Days: Last Week</P> <P>If it is possible to print the log in the CLI, could you please share the syntax with an example?</P> <P>I don't have access now to the SmartConsole, so I want to try to see if there are relevant logs, standing on the same FW.</P> <P>Greetings.</P> Tue, 18 Mar 2025 04:20:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244018#M47482 Matlu 2025-03-18T04:20:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244021#M47483 <P>The logs aren't stored on the gateways*, they get generated and sent to the log servers. There is an API available for pulling logs from the log server that you can use from its CLI.</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_LoggingAndMonitoring_AdminGuide/Content/Topics-LMG/API-for-Logs.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_LoggingAndMonitoring_AdminGuide/Content/Topics-LMG/API-for-Logs.htm</A></P> <P>*Unless the log server is offline.</P> Tue, 18 Mar 2025 05:25:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244021#M47483 emmap 2025-03-18T05:25:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244028#M47486 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/82839">@Matlu</a>,</P> <P>you can use the following command:</P> <PRE><CODE class="language-sh">fw log -l -b "June 12, 2024 12:33:00" "June 12, 2024 15:34:00"</CODE> | grep &lt;IP or other parameter&gt;</PRE> <P>or the management API (<A href="https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/show-logs~v2%20" target="_self">Management API Reference</A>) - here is an example:</P> <PRE class="code">mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:Threat Emulation" --format json</PRE> <P>In both cases, you still need to adjust your filters.</P> Tue, 18 Mar 2025 08:02:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244028#M47486 HeikoAnkenbrand 2025-03-18T08:02:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244061#M47495 <P>Hi,</P> <P>The command #fw log....... command, can it be executed in the same GW? <BR />Or is it only executed in the SMS?</P> <P>How can you be sure if the GW is really generating logs?</P> <P>Greetings.</P> Tue, 18 Mar 2025 11:56:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244061#M47495 Matlu 2025-03-18T11:56:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244065#M47497 <P>cpstat fw -f log_connection will show if you're connected to the log server and how many logs you're sending.</P><P>&nbsp;</P><P>you used to be able to run 'fw log -flnt' on the gateway to dump fw.log file to stdout and "tail" it for new logs. not sure if this still works, or may only work if you are disconnected from the log server so the firewall is logging locally.</P> Tue, 18 Mar 2025 13:00:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244065#M47497 Lloyd_Braun 2025-03-18T13:00:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244135#M47513 <P>fw log is executed where the logs are stored (not the gateway unless the connection to management/log server is down).<BR />The cpstat command <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8834">@Lloyd_Braun</a>&nbsp;should tell you what you want.</P> Wed, 19 Mar 2025 00:09:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244135#M47513 PhoneBoy 2025-03-19T00:09:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244136#M47514 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>&nbsp;gave the best option, in my opinion.</P> <P>Otherwise, you can check /var/log/messages files or $FWDIT/log/fw.log file</P> <P>Andy</P> Wed, 19 Mar 2025 00:37:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checking-Logs-from-the-CP-CLI/m-p/244136#M47514 the_rock 2025-03-19T00:37:41Z