Egor_Cherkasov
Contributor

How to decrease the usage of /dev/mapper/vg_splat_lv-log

Hello Checkmates,

There is a problem, and I still cannot understand what the folder /dev/mapper/vg_splat_lv-log, which is mounted on /var/log/, is responsible for.

There is a screenshot where you can see that the /var/log/ folder is filling quickly.

During the last 7 days the usage has increased from 53% to 63%.

I guess that is very rapid and anomalous behaviour.

Advise please how to solve this problem with quick filling.

Can I do something and solve this problem?

Thank you very much!

0 Kudos
17 Replies
HeikoAnkenbrand
Champion

Enlarge the partition. For more, see here:

Managing partition sizes via LVM manager on Gaia OS 

➜ CCSM Elite, CCME, CCTE
0 Kudos
HeikoAnkenbrand
Champion

Or this very nice documentation on adding a disk:

https://community.checkpoint.com/message/32132-how-to-add-a-new-disk-and-expand-the-log-file-system 

➜ CCSM Elite, CCME, CCTE
0 Kudos
Egor_Cherkasov
Contributor

Thank you for a quick answer, but does that mean that all the files in that folder are necessary and we cannot remove some of them?

0 Kudos
HeikoAnkenbrand
Champion

Delete old log files from management server.

$FWDIR/log is a S-Link to this directory in /var/log/.

for R80.10:       /var/log/opt/CPsuite-R80.10/fw1/log/

for R80.20:       /var/log/opt/CPsuite-R80.20/fw1/log/

Here you can delete old logs from SmartLog after the date.

➜ CCSM Elite, CCME, CCTE
0 Kudos
HeikoAnkenbrand
Champion

For example for the 2019-01-20

# cd /var/log/opt/CPsuite-R80.10/fw1/log

# rm 2019-01-20*

You can also use "cd $FWDIR/log/"

➜ CCSM Elite, CCME, CCTE
0 Kudos
HeikoAnkenbrand
Champion

Or all logs for January 2019

# cd /var/log/opt/CPsuite-R80.10/fw1/log/

# rm 2019-01*

➜ CCSM Elite, CCME, CCTE
0 Kudos
Egor_Cherkasov
Contributor

  Yes, I've understood your very useful information, once again thank you!

0 Kudos
Vincent_Bacher
Advisor

or

find $FWDIR/log -type f -name '201*' -mtime +30 -exec rm {} \;

for such files older than 30 days :)

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
HeikoAnkenbrand
Champion

https://community.checkpoint.com/people/8221a355-5448-47cb-9c8a-d5f330a5909c - Nice one liner!

Comes into my CLI one liner collection!

➜ CCSM Elite, CCME, CCTE
maja
Explorer

Hello! Does the Sec Mgmt need to be rebooted for the freed space to take effect? I have the same issue: I deleted old logs, but no space is freed.

thank you,

0 Kudos
Wolfgang
Authority

This directory holds all logs: logs from your gateways and all logs of your management server. Given the amount of your logged traffic, this is normal behaviour. Extending the partition, as Heiko mentioned, is the best solution.

Wolfgang

0 Kudos
Vincent_Bacher
Advisor

If the log is not being filled up by normal logs, maybe a debug is running and someone forgot to turn it off?
So maybe some *.elg files are permanently growing?
Then
fw ctl debug 0
could help.
Or, if the files are vpnd.elg and ike.elg,
vpn debug truncoff
could help.

If it's just old log data, you may delete the oldest if not needed.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Egor_Cherkasov
Contributor

Do you mean to use RemoveOldVersion.tar script by Check Point?

0 Kudos
Vincent_Bacher
Advisor

No, old log files. The SMS usually rotates logs, renaming the old files with a timestamp at the beginning.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vincent_Bacher
Advisor

Just have a look at Heiko's descriptions above :)

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Egor_Cherkasov
Contributor

Thank you gentlemen!

I am going to try this approach.

0 Kudos
_Val_
Admin

Just make sure you do not delete logs you have to keep 🙂

I would rather suggest archiving those, sending them to an external location via ftp or sftp, and then removing them.
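
The archive-then-remove approach suggested above, combined with the timestamp-prefixed rotated files and the 30-day age test from the earlier replies, as an added example that is not code from any poster in this thread. The function name, the archive file name and the exact timestamp pattern are assumptions; copying the archive off the box (for example via sftp) is left to the operator.

```shell
#!/bin/bash
# Added example (not from the thread): archive rotated logs, verify, then delete.
# Assumption: rotated files start with a YYYY-MM-DD timestamp and their names
# contain no newlines; the active fw.log does not match and is never touched.
PATTERN='20[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*'

# archive_old_logs LOG_DIR DEST_DIR DAYS
# Prints the number of files archived and removed; non-zero exit on failure,
# in which case nothing has been deleted.
archive_old_logs() {
    log_dir=$1 dest_dir=$2 days=$3
    [ -d "$log_dir" ] && [ -d "$dest_dir" ] || return 1
    list=$(mktemp) || return 1
    archive="$dest_dir/fwlogs-$(date +%Y%m%d-%H%M%S).tar.gz"

    # Candidates: regular files directly in LOG_DIR, matching PATTERN,
    # last modified more than DAYS days ago (same test as find -mtime +30).
    ( cd "$log_dir" && find . -maxdepth 1 -type f -name "$PATTERN" \
        -mtime +"$days" ) | LC_ALL=C sort > "$list"
    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -f "$list"; echo 0; return 0
    fi

    # Write the archive, then read it back in full: tar -tz decompresses the
    # whole stream, so a truncated or corrupt archive fails here.
    if ! tar -czf "$archive" -C "$log_dir" -T "$list" ||
       ! tar -tzf "$archive" | LC_ALL=C sort | cmp -s - "$list"; then
        rm -f "$list" "$archive"
        return 1
    fi

    # Only now remove the originals that are confirmed to be in the archive.
    while IFS= read -r f; do
        rm -f -- "$log_dir/$f"
    done < "$list"
    rm -f "$list"
    echo "$count"
}
```

Point DEST_DIR at storage outside /var/log, otherwise the archive competes for the same partition that is filling up.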
