This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dan_Lynch
Participant
‎2017-11-21 02:50 PM

Log rotation in R80.10

We recently replaced an R77.30 management server with R80.10. Since then our configured log rotation schedule is being ignored. We have it set to rotate firewall log files on Tues and Thurs at 11pm, but it's *also* rotating the log files at every midnight. Is this a new "feature"? (If so, it doesn't exist in any documentation anywhere.) Can it be over-ridden? I want no more than two log files per week.

Thanks

11 Replies
PhoneBoy
Admin
Admin
‎2017-11-21 03:40 PM

This was discussed in a previous thread: Disabling the built-in Logswitch on R80 SMS at midnight?

It's also confirmed in the following SK: R80.x Security Management/Log Server runs logswitch nightly at 12:00:00 AM 

Dan_Lynch
Participant
‎2017-11-21 04:55 PM

SK119794 is literally the only place this behavior is mentioned. It's not included in the Security Management Admin guide, the Logging and Monitoring Admin guide, the R80 intro (sk108623), the R80 Known Limitations (sk108624), nor in any of the logging kb articles I can find. Even though it apparently affects all versions 80.x, it went completely undocumented from R80's release in March of '16 until sk119794  was published in Aug. of '17.

That's rather disappointing.

PhoneBoy
Admin
Admin
‎2017-11-21 10:40 PM
In response to Dan_Lynch

While I agree this could have been documented sooner, I am curious about the specific use case where only two log files a week is desirable.

Note that by default, all logs are indexed in R80.x, which reduces the need to reference a specific log file, such as was required with SmartView Tracker.

0 Kudos
Dan_Lynch
Participant
‎2017-11-22 09:03 AM
In response to PhoneBoy

Tracker is sometimes preferable to SmartLog. Twice weekly is simply a good balance for us between query speed and having relevant/recent log entries available. In addition, our data retention policies require us to separately archive firewall logs for 60 days. It's easier to manage eight log files/month than 30. I'd prefer four, but they get unwieldy large.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-22 10:03 AM
In response to Dan_Lynch

Understand that while the binaries for SmartView Tracker are still included in R80 and R80.10, it has been deprecated and may be removed in a future release.

If there is specific functionality that you can't achieve in SmartLog R80.x, it's worth a separate thread to discuss. 

victor_vidal
Explorer
‎2018-09-25 09:19 AM
In response to PhoneBoy

I have just upgrade our Provider-1 to R80.10 and I had discovered this topic.

Reading SK119794 I assume there is a logswitch at midnight ¿and/or at 2Gb?

On the other hand, we are storing logs for at least 2 years due to legal requirements.

If SmartView Tracker may be removed in a future release, which could be the best practice to store logs?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-25 03:49 PM
In response to victor_vidal

Yes, we auto-switch at midnight and/or 2GB, whichever comes first.

You can still archive the logs the same way as with previous releases (i.e. copy off the files from $FWDIR/log) and they can be read in and reindexed.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-09-26 05:24 AM
In response to PhoneBoy

Dameon,

I noticed this behavior was also occurring on Audit logs now, can you disable those separately?

1 audit file is mostly more than enough per Domain.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-26 07:36 AM
In response to Maarten_Sjouw

These log rotations cannot be disabled to the best of my knowledge.

Alex_Tasker1
Explorer
‎2018-03-15 10:31 AM
In response to PhoneBoy

I'm certain that there are intermediate cases but I have a use case where any log switching at all is unnecessary and inconvenient - CMAs which don't receive traffic logs. These can go for years without the .adtlog getting too large.

I'm here because I have a script which reports on policy install operations etc and now will have to enhance it to determine which files to iterate over for a given period. 

... unless it's possible to query SmartLog from the command line?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-15 12:27 PM
In response to Alex_Tasker1

Logs are currently not queryable through the CLI.

If you want to see when the gateway last received a policy (either through fetch or push), the command cpstat -f policy fw (from the gateway) will tell you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events