topic Re: Messages with /var/log in General Topics

Messages with /var/log

Olusegun_Adekun — Tue, 05 Dec 2023 12:28:00 GMT

Hi All,

Can the messages file be removed/deleted from /var/log without any consequences.

Trying to upgrade Firewall from R81.10 to R81.20 and the /var/log partition is 90% full.

I could also see a lot of .elg files within $FWDIR/log. Can this also be removed/deleted without any consequences?

Thanks Always

Kind Regards,

Olu

Re: Messages with /var/log

Tal_Paz-Fridman — Tue, 05 Dec 2023 12:45:39 GMT

1| Check if you have crash of dump files which usually take a lot of space:

/var/log/crash/

/var/log/dump/usermode/

2| As for elg files you can usually delete the ones with a number a the end, for example:

cpm.elg.1
cpm.elg.10
cpm.elg.11
cpm.elg.12
cpm.elg.13
cpm.elg.14
cpm.elg.15
cpm.elg.2
cpm.elg.3
cpm.elg.4
cpm.elg.5
cpm.elg.6
cpm.elg.7
cpm.elg.8
cpm.elg.9

(but it means that debug information will be lost if needed)

3| Please also look at log retention and cleanup settings on the object (in SmartConsole)

Re: Messages with /var/log

Olusegun_Adekun — Tue, 05 Dec 2023 12:59:55 GMT

Hi Tal,

Thanks for you swift response.

The var/log/crash is actually fast empty only 4.0k

Can I delete the messages with numbers as well.

messages.1

messages.2

etc

Regards,

Olu

Re: Messages with /var/log

Tal_Paz-Fridman — Tue, 05 Dec 2023 14:36:03 GMT

Yes but I do not think they will save you that much space.

Perhaps you could increase disk space or change partitions?

https://support.checkpoint.com/results/sk/sk95566

Re: Messages with /var/log

Olusegun_Adekun — Tue, 05 Dec 2023 16:12:46 GMT

Thanks. Appreciate.

Re: Messages with /var/log

Bob_Zimmerman — Tue, 05 Dec 2023 16:42:29 GMT

I agree with Tal, it is extremely unlikely deleting /var/log/messages files and elg files will free much space. Even with extreme levels of logging, those files collectively should never take up even a whole gigabyte.

Instead, look in $FWDIR/log at firewall logs. This is the common set of files per day of log data:

2023-11-25_000000.adtlog 2023-11-25_000000.adtlogaccount_ptr 2023-11-25_000000.adtloginitial_ptr 2023-11-25_000000.adtlogptr 2023-11-25_000000.log 2023-11-25_000000.logaccount_ptr 2023-11-25_000000.loginitial_ptr 2023-11-25_000000.logptr

They may be rotated multiple times per day, depending on your traffic log volume. For example, they automatically rotate when the traffic log hits 2 GB. I have one environment which gets over 40 GB of log data per day, so the files rotate a lot.

After traffic logs, the next big items are core dumps as Tal mentioned, then CPUSE packages (check 'installer delete' in clish to see what packages you can delete. Backups saved to /var/log/CPbackup and snapshots exported to /var/log/CPsnapshot also take up a lot of space. Note that snapshots you don't export don't take up any space in the filesystem (they are stored in unallocated space in the drive).

Re: Messages with /var/log

the_rock — Tue, 05 Dec 2023 19:30:19 GMT

Please send output of below...it will show any files in /var/log bigger than 500M

Andy

from expert mode -> find /var/log -size 500M

Also, make sure fw is NOT logging local by doing this:

watch -d ls -lh $FWDIR/log/fw.log

Output should always show 8.2K, which is default fw size for this file, as logs would always be sent to the mgmt server (unless its standalone box, which literally no one I know uses)

Best regards,

Andy

From my lab:

[Expert@CP-gw:0]# cd $FWDIR/log
[Expert@CP-gw:0]# ls -lh fw.
fw.adtlog fw.adtlogaccount_ptr fw.adtlogptr fw.logaccount_ptr fw.logptr
fw.adtlogLuuidDB fw.adtloginitial_ptr fw.log fw.loginitial_ptr fw.logtrack
[Expert@CP-gw:0]# ls -lh fw.log
-rw-rw---- 1 admin root 8.2K Nov 28 00:00 fw.log
[Expert@CP-gw:0]#