topic Re: Logs statistics in Firewall and Security Management

Logs statistics

sarangoj — Fri, 14 Aug 2020 13:55:07 GMT

Hi everyone!, I hope you're feeling very well.

Firts thanks for yours replies, I'm new at this, I'm learning.

I have some log files I need to study to refine the firewall rules. Do you know of any software I can install on my computer where I can upload these files and look at the statistics?

Re: Logs statistics

PhoneBoy — Fri, 14 Aug 2020 19:46:20 GMT

The log files are a proprietary binary format that can only be read by a Check Point Management/Log Server.
If you want to view them offline, you’d basically have to set up a separate management server with those logs imported.

Re: Logs statistics

Tal_Paz-Fridman — Sat, 15 Aug 2020 18:14:19 GMT

You can also connected to your Security Management Server with SmartConsole using Read Only credentials or have your administrator set up a dedicated administrator with only the relevant permissions.

Another option would be to connect to SmartView Log Browser for viewing the logs -> https://<management_server>/smartview/

HTH

Tal

Re: Logs statistics

sarangoj — Tue, 18 Aug 2020 13:00:42 GMT

Thanks PhoneBoy, u can recommended me a sotfware?

Re: Logs statistics

sarangoj — Tue, 18 Aug 2020 13:04:05 GMT

Hello Tal_Peace_Fridman, thank you for responding. How could I load these logs that are no longer on the physical device so that I can view them again on the smartview web and see the statistics there? Thank you

Re: Logs statistics

G_W_Albrecht — Tue, 18 Aug 2020 13:19:52 GMT

SmartView is unable to load logs. The logs have to be on the SMS to be viewed in SmartLog (after indexing), SVTracker (with an open file... option) or elsewhere. To transfer and use the logs on the SMS, see SMB security log files that speaks about SMB logs viewed on SMS. Also read sk39573: How to read a Check Point log file in its native format and sk92920: How to open FireWall log (fw.log) from a different Security Management Server in SmartView Tracker.

Re: Logs statistics

sarangoj — Tue, 18 Aug 2020 13:28:44 GMT

Thanks G_W_Albrecht, I'll take a look at it, if I have problems can I ask you?

Re: Logs statistics

G_W_Albrecht — Tue, 18 Aug 2020 13:43:14 GMT

You can post here...

Re: Logs statistics

Tal_Paz-Fridman — Tue, 18 Aug 2020 18:02:07 GMT

Hi again

You can use SmartView Web Browser by connecting to the Security Management Server that holds the original files or as I wrote, connecting with Read Only SmartConsole.

This will save you the need to load the files to another machine.

Tal

Re: Logs statistics

sarangoj — Tue, 18 Aug 2020 20:21:47 GMT

Tal_Paz-Fridman thank you very much for helping me, could you explain me how to make these two options or provide me with material to study it?. again thank you and I remain attentive.

Re: Logs statistics

Tal_Paz-Fridman — Wed, 19 Aug 2020 07:53:48 GMT

In SmartConsole go to Manage & Settings > Permissions and Administrators > Administrators

Define a new Administrator and use the Read Only All Permission Profile

Now when you login using the new Administrator to the Security Management Server you can view the Rules and Logs but without have the option to change anything, just to analyze the logs and rules.

Re: Logs statistics

G_W_Albrecht — Wed, 19 Aug 2020 08:52:30 GMT

Or, after defining the new Administrator, connect in browser to https://<SMS_IP>/smartview/ and log in there !

Re: Logs statistics

sarangoj — Thu, 20 Aug 2020 16:22:46 GMT

Hi again, thanks.

Context:
I have to make a log study for the previous 3 months, but the index of the firewall administrator is 14 days, I can't access for example in the smartview to consolidated logs of the last 3 months. Do you know if the smartevent also works with this index?
How can I reconstruct a 3-month index for statistics?
I have the information but it is very fragmented in daily files and to make 90 statistics and then consolidate them would be a tedious process.

Re: Logs statistics

sarangoj — Thu, 20 Aug 2020 16:23:19 GMT

Hi again, thanks

Re: Logs statistics

Dror_Aharony — Thu, 03 Sep 2020 06:57:25 GMT

Assuming your log-files of the needed time (~3 months) still exist & weren't deleted due to log storage capacity (log maintenance), then it's fairly easy.

follow sk111766 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111766&partition=Advanced&product=SmartLog),

and add these lines After stopping the Indexer (evstop) & configuring the no. of days you choose (-days_to_index <90> or beyond) to have it completely re-index with your chosen no. of days.

cp $INDEXERDIR/data/FetchedFiles{,.Orig}

rm -f $INDEXERDIR/data/FetchedFiles

then start it (evstart)

Also make sure to disable/up the daily index files deletion to avoid it from being deleted again.

This will cause a re-Indexing of these last 3 months of logs (or as many days back as you've configured).

which has a performance impact during the re-indexing process which should take roughly several days (depending on your log-rate vs. HW strength).

if you need a better estimation, you can send us your log-rate (or size of log-files) & HW CPU/memory details to better estimate.

Re: Logs statistics

sarangoj — Mon, 07 Sep 2020 12:54:20 GMT

Thanks bro I done!

Re: Logs statistics

Dror_Aharony — Mon, 07 Sep 2020 13:11:41 GMT

No problem.
Glad I could help:)