Nick_Doropoulos
Advisor

Best practice for storing packet captures/debug files etc

During troubleshooting, a series of files can be generated (packet captures, cpinfo files, debug logs etc.). The problem with all of those files is that unless the administrator either deletes those files manually or with a cronjob, they end up consuming a lot of disk space.

So my question is, what is Check Point's recommendation on where to store such files? Would it be advisable to store them inside the /tmp directory or the $FWDIR/tmp one instead where I believe the files included there get cleared upon reboot? Or is there a best practice that I could be referred to?

Many thanks in advance.

0 Kudos
6 Replies
G_W_Albrecht
Legend

In my experience, such logs are gathered manually (if we exclude automatic packet captures). After switching off the debugs or at the end of troubleshooting, I would suggest copying the debug / cpinfo / fw monitor files to another place, so that they can be stored for as long as needed, and deleting them from the GW / SMS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Kaspars_Zibarts
Employee

Agreed. Typically /var/log is the biggest partition, so you might want to consider that when saving logs locally instead of using /home/xxxxx.

G_W_Albrecht
Legend

Also, running # df on the CLI will show that /var/log has the most free space available, so I usually direct debug output to the /var/log/tmp directory...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Nick_Doropoulos
Advisor

Would it be a good idea then to create a "dedicated" subfolder inside the /var/log/ directory just to store troubleshooting-related items? This would theoretically be easier to manage automatically with a cron job, without the slightest possibility of affecting any other files?

0 Kudos
G_W_Albrecht
Legend

Looks like a good idea to me - I can delete the content of /var/log/tmp, but I do not know if any deleted item will later be missed 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Nick_Doropoulos
Advisor

Thanks very much gents!

0 Kudos
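A cleanup script for the dedicated /var/log subfolder discussed in this thread, added here as an example; it is not Check Point's code nor any poster's. The directory name, retention period, allowed root and the --run flag are assumptions, and the guard refuses to prune anything that is not below the allowed root, so a mistyped path cannot empty /var/log itself.

```shell
#!/bin/sh
# Prune old troubleshooting files (captures, cpinfo output, debug logs)
# from a dedicated directory under /var/log. Paths and values are assumed.
set -eu

DEBUG_DIR="${DEBUG_DIR:-/var/log/tmp/troubleshooting}"   # assumed dedicated dir
RETENTION_DAYS="${RETENTION_DAYS:-7}"                      # assumed retention
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/log/tmp}"               # only prune below here

# prune_debug_dir DIR DAYS ROOT
# Removes regular files under DIR last modified more than DAYS days ago and
# prints how many were removed. Refuses to touch anything that is not a proper
# subdirectory of ROOT, so a typo cannot turn this into "rm -rf /var/log".
prune_debug_dir() {
    dir=$1 days=$2 root=$3
    case "$days" in
        ''|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 1 ;;
    esac
    case "$dir" in
        "$root"/?*) ;;
        *) echo "refusing to prune '$dir': not below $root" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # -mtime +N selects files whose mtime is more than N*24h in the past.
    count=$(find "$dir" -type f -mtime +"$days" -print | wc -l | tr -d ' ')
    find "$dir" -type f -mtime +"$days" -exec rm -f -- {} +
    echo "$count"
}

main() {
    removed=$(prune_debug_dir "$DEBUG_DIR" "$RETENTION_DAYS" "$ALLOWED_ROOT")
    # Leave a trace in syslog so a capture that "went missing" can be explained.
    logger -t prune_debug "removed $removed file(s) older than ${RETENTION_DAYS}d from $DEBUG_DIR" 2>/dev/null || true
    echo "$removed"
}

# Only act when invoked with --run, e.g. from a cron entry such as:
#   0 3 * * * /var/log/tmp/prune_debug.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Keep the captures you still need outside the pruned directory (or copy them off the box, as suggested above), since anything left in it will be removed once it ages past the retention period.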
