topic Log file retrieval in Firewall and Security Management

Log file retrieval

Ihenock1011 — Sat, 21 Dec 2024 06:20:51 GMT

Hi All,

Our SMS doesn't show logs after 15 days. However, I observed logs in the /var/log/opt/CPsuite-R81.10/fw1/log directory. How can I retrieve these logs and have them displayed on the Smart Console?

Thanks

Re: Log file retrieval

Lesley — Sat, 21 Dec 2024 09:12:09 GMT

I think these are the index logs. Under the relevant object in SmartConsole you can open it and see under logs what days have been set there. If this matches the 15 says it means it works as it should. Can you confirm if you search logs you can search further back then 15 days? It could be a bit slower if you search further back of time. This is normal. index logs makes searching more quick but use more disk space.

Re: Log file retrieval

AkosBakos — Sat, 21 Dec 2024 15:35:40 GMT

Hi @Ihenock1011

I thought, you checked the avaialble space on the partititon etc...

But befere you dig into the debugging, run #evstop then #evstart command. I can solve a lot ot indexing problems.

Here is an SK about how to reindexing logs:

https://support.checkpoint.com/results/sk/sk164553

Be careful, I takes time 🙂

Akos

Re: Log file retrieval

HeikoAnkenbrand — Sat, 21 Dec 2024 19:15:24 GMT

To retrieve logs from the /var/log/opt/CPsuite-R81.10/fw1/log directory and display them on the Smart Console, you can use the fw fetchlogs command. Here’s how you can do it:

1) List Available Logs: First, list the available log files on your Management Server using the following command:

[Expert@HostName:0]# fw lslogs MyGW

This will show you the log files available for fetching.

2) Fetch Specific Log Files: Use the fw fetchlogs command to fetch the desired log file. Replace 2024-06-01_000000 with the actual log file name you want to fetch:

[Expert@HostName:0]# fw fetchlogs -f 2024-06-01_000000 MyGW

3) This command will fetch the specified log file from the Management Server.

Verify Log Files: After fetching, verify that the log files are present in the $FWDIR/log directory:

[Expert@HostName:0]# ls $FWDIR/log/MyGW*

4) Check Smart Console: Once the logs are fetched, they should be available in the Smart Console under Logs & Monitoring.

If you encounter any issues with logs not appearing in Smart Console, it might be due to a corrupted log indexing database. In such cases, you may need to clear or reset the log indexing database. For detailed steps on this, refer to this solution sk168812 .

Re: Log file retrieval

Amir_Senn — Sun, 22 Dec 2024 12:34:55 GMT

Most likely the thing to check.

You can also see your current index retention value with "cat $FWDIR/conf/log_policy.C | grep -i index_delete_older_than_value".

Or on the Management/dedicated log server under Logs -> Storage -> under "Daily Logs Retention Configuration":

Re: Log file retrieval

Ihenock1011 — Mon, 23 Dec 2024 06:22:17 GMT

When I search logs back 15 days, I am unable to retrieve them. I managed to open the log files older than 15 days : go to "Logs," then click on the three lines, select "File," open "Logfiles," and navigate to the specific date I looking for.

Re: Log file retrieval

Amir_Senn — Mon, 23 Dec 2024 11:29:09 GMT

This validates it's indexing related. Try to search the things I mentioned in the post and see if you save indexes only for 14 days (which is the default with "Daily Retention" turned on).