topic Re: Old log files not deleted on MDM server in Firewall and Security Management

Old log files not deleted on MDM server

Martijn — Mon, 16 Jan 2023 10:51:38 GMT

Hi All,

I have a MDM server on R81.10 take 79 and disk is getting full because old log files are not deleted.

In the past, you had to edit a configuration file, but I was told you could configure a log policy from the MDM server object in SmartConsole. So that is what I did.

It does not make any difference what I configure in SmartConsole. The /var/log partition is getting full and I need to manually remove files. I even installed the database on the CMA's after changing the settings in SmartConsole in the MDM server object.

Not sure what I am missing here. Followed the MDM admin guide.

Regards,
Martijn

Re: Old log files not deleted on MDM server

Chris_Atkinson — Mon, 16 Jan 2023 11:19:25 GMT

Are there logs still in folders pertaining to old versions? Those won't get culled by the SmartConsile config iirc.

Re: Old log files not deleted on MDM server

Amir_Senn — Mon, 16 Jan 2023 11:31:38 GMT

Hi Martijn,

If you changed a file in the past this might cause the issue because if you change definitions from the files it will override SmartConsole settings.

I would check if you have the following file: $FWDIR/conf/log_policy_extended.C . If so, you can try to change the name and re-install DB on CMA. (mv $FWDIR/conf/log_policy_extended.C $FWDIR/conf/log_policy_extended.C.ORIG )

You can verify what are the definitions loaded to the CMA by looking at fwd.elg of that CMA, look for difference between "loaded set" which is what the definitions try to load and "working set" are the definitions that actually gets enforced.

I think this will help you solve the issue or lead you in the right way.

Re: Old log files not deleted on MDM server

Martijn — Mon, 16 Jan 2023 13:26:08 GMT

Amir,

Thanks!!! That was the issue.

I performed a clean R81.10 install for this MDM server, but imported the MDM database. Forgot all about this file we have changed in the earlier versions.

I renamed the log_policy_extended.C file and performed a mdmstop/mdsstart. After that, I could the the log_policy.C files was the current policy in fwd.elg and free disk space increased.

Regards,
Martijn

Re: Old log files not deleted on MDM server

Tal_Paz-Fridman — Mon, 16 Jan 2023 13:38:14 GMT

Hi @Amir_Senn

I think we should add an SK for this (if one does not currently exist)

Re: Old log files not deleted on MDM server

Amir_Senn — Mon, 16 Jan 2023 13:55:23 GMT

I think that SK117317 covers it pretty good (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk117317&partition=Advanced&product=SmartEvent).