topic Re: Smartview log export in Firewall and Security Management

Smartview log export

dkzndkqh — Thu, 23 Oct 2025 02:31:07 GMT

I understand that in SmartView, the number of logs that can be exported at one time is currently limited to 1,000,000. Is there any way to work around this limitation? We are currently dealing with a ransomware incident and need to perform a full log investigation, so even if we filter the logs, exporting just one day’s worth would exceed 1,000,000 logs in just one hour. Alternatively, is there a more effective method to handle this?

Re: Smartview log export

Tal_Paz-Fridman — Thu, 23 Oct 2025 04:36:31 GMT

Perhaps CLI options might work:

https://support.checkpoint.com/results/sk/sk118519

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Content/Topics-SECMG/CLI/fwm-logexport.htm

https://support.checkpoint.com/results/sk/sk118521

Re: Smartview log export

Blason_R — Thu, 23 Oct 2025 05:52:23 GMT

Did you try with mgmt_cli? I always export the logs using the same filter and then using jq with csv its the faster one

Re: Smartview log export

dkzndkqh — Thu, 23 Oct 2025 06:49:37 GMT

Could you share the commands or filters you are using?

Re: Smartview log export

Blason_R — Thu, 23 Oct 2025 07:28:11 GMT

The filters are same as you give on smartlog command would be

For example to filter port 587

mgmt_cli show logs new-query.time-frame "today" new-query.filter "service:TCP_587 AND blade:Firewall"

Output in json

mgmt_cli show logs new-query.time-frame "today" new-query.filter "service:TCP_587 AND blade:Firewall" --format json > /tmp/test.json

Then edit with jq or jq -r to get the desired output in csv

Or Directly convert those in csv using cplgv.exe from C:\Program Files (x86)\CheckPoint\SmartConsole\R82\PROGRAM and select export option to choose log file name

or if you want to specifically select then

use fw log command for particular log file from $FWDIR/log and then fitler the traffic for Accept or Drop or use grep accordingly

Re: Smartview log export

dkzndkqh — Thu, 23 Oct 2025 07:40:25 GMT

What I want to do right now is extract data such as Time, Destination, Source User Name, Rule, Interface Direction, Policy Rule UID, Type, Interface, Source User DN, Machine Name, App Protocol, context_num, Policy Date, Service ID, Action, ID, Interface Name, Layer Name, Source Port, Product Family, Blade, Direction of Connection, lastupdatetime, Sequence Number, Source, Policy Name, id_generated_by_indexer, Database Tag, Log Server Origin, Service, connection_id, Origin, Marker, Destination Port, Protocol, High Level Log key, logid, sig_id, User, first, Policy Management, Destination Machine Name, and I want the values to be properly aligned in the corresponding columns when opened in Excel, just like when exporting from SmartView. Is that possible?

Re: Smartview log export

Blason_R — Thu, 23 Oct 2025 07:46:55 GMT

Then you should use cplgv and export in csv

OR do that for every file then

fw log -l -n -p /opt/CPsuite-R81.20/fw1/log/2025-09-03_000000.log > /tmp/test.log

Re: Smartview log export

dkzndkqh — Thu, 23 Oct 2025 08:44:24 GMT

ChatGPT의 말:

When I run fw log , the file size ends up being in the gigabyte range. is that right ..?

Re: Smartview log export

the_rock — Thu, 23 Oct 2025 13:59:31 GMT

Might be worth TAC case to confirm.

Re: Smartview log export

Bob_Zimmerman — Thu, 23 Oct 2025 15:45:39 GMT

That seems small. For me, 'fwm logexport' usually goes from a 2 GB original file to about 35 GB of text. I wrote a post a while ago about how I deal with exported log data.

Re: Smartview log export

the_rock — Thu, 23 Oct 2025 18:47:51 GMT

Gb range, sounds right.

Re: Smartview log export

Lesley — Thu, 23 Oct 2025 19:48:03 GMT

Log exporter -> https://support.checkpoint.com/results/sk/sk122323

In combination -> how to export old logs with log exporter -> https://support.checkpoint.com/results/sk/sk183376

Re: Smartview log export

PhoneBoy — Fri, 24 Oct 2025 01:35:03 GMT

Having SmartView export more than 1 million records at a time is an RFE.

Repeated, tightly scoped queries to the get-logs API endpoint piped through jq can format the output in CSV, if you want to go that route.
Not sure it's possible to specify a date range in the query in SmartView (maybe @Tomer_Noy knows).