maxtaan
Contributor

Traffic Log-Non Traffic Log(Audit Log) Storage/Collection Separation

I am trying to figure out the storage settings for audit logs (not traffic logs). However, I can only see a common setting for logs that treats both audit logs and traffic logs the same way, keeping them for 15 days. Can you please confirm whether there is any other way, via GUI or CLI, to configure a longer retention for the audit logs (e.g. permanent or 365 days) as per our requirement? Or is there any way to see all-time audit logs via CLI?

If yes, please share the process or any SK.

TIA

0 Kudos
2 Replies
AkosBakos
Advisor

I think, because the audit log is stored in the same location as the traffic logs, there is a chance to handle it separately. If you run out of space, the audit logs will be deleted.

The legends will correct me if needed 🙂

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Timothy_Hall
Legend

Prior to R80 the audit logs were kept forever with no automatic cleanup mechanism.

Starting in R80 whatever cleanup settings apply to the traffic logs also apply to the audit logs, although there is some conflicting documentation about whether only the audit log indexes are deleted as part of the cleanup process (which just slows down searches of the audit logs & change reports), or if the raw audit logs themselves are deleted too. I'm pretty sure it is the latter but not 100%.

Either way, it is possible to configure custom retention values just for the audit logs by hand-editing the log_policy_extended.C file on your log server; please see: https://support.checkpoint.com/results/sk/sk117317

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
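The open question above (whether cleanup purges the raw audit logs or only their indexes) can be settled on the log server itself. The following is an added example, not code from the thread or from Check Point; it assumes audit logs are stored as `*.adtlog` files beside the traffic logs under `$FWDIR/log`, and takes the retention window in days as an argument.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): check whether raw audit
# logs older than the retention window still exist on a log server.
# Assumption: audit logs live as *.adtlog next to the traffic logs under
# $FWDIR/log; the retention value is the one configured for audit logs
# (15 days is the shared default mentioned in the thread).

# List *.adtlog files in <log_dir> last modified more than <days> days ago,
# i.e. the files a cleanup job honouring that retention should have removed.
list_expired_adtlogs() {
    log_dir=$1
    days=$2
    # -mtime +N matches files whose mtime is strictly more than N*24h old
    find "$log_dir" -maxdepth 1 -type f -name '*.adtlog' -mtime "+$days" | sort
}

# Count of expired audit logs. A non-zero value after a cleanup run means the
# raw audit logs survived the cleanup (only the indexes were dropped); zero
# means the raw files were purged with the traffic logs.
count_expired_adtlogs() {
    list_expired_adtlogs "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed sample log directory so the check runs offline:
# two audit logs dated in 2000, the live fw.adtlog written just now, and an
# old traffic log that must be ignored by the audit-only check.
make_sample_log_dir() {
    dir=$(mktemp -d)
    touch -t 200001010000 "$dir/2000-01-01_000000.adtlog"
    touch -t 200001020000 "$dir/2000-01-02_000000.adtlog"
    touch "$dir/fw.adtlog"
    touch -t 200001010000 "$dir/2000-01-01_000000.log"   # traffic log, ignored
    printf '%s\n' "$dir"
}

# Stand-alone run: report what a 15-day retention should have expired.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_log_dir)
    echo "Expired audit logs (15-day retention) in $sample:"
    list_expired_adtlogs "$sample" 15
    echo "Count: $(count_expired_adtlogs "$sample" 15)"
    rm -rf "$sample"
fi
```

On a real log server run `list_expired_adtlogs "$FWDIR/log" <days>` right after the scheduled cleanup; a non-empty listing tells you the raw audit logs are kept beyond the traffic-log retention.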
