This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
‎2024-09-17 07:20 AM
Jump to solution

Weird behaviour with SMS logs

Hi community,

 

I have a test SMS I am using in a lab. It is a new SMS, so it has default configuration. When seeing the log section, I can see this:

log1.PNG

The first strange thing I see is the "Log File: Latest Log File" in the log search bar. Normally I don't see this in production SMS. And when I click on this I see the following:

log2.PNG

It seems there are three files, and every file is when I turned off the SMS. Is this normal behaviour? Is there a way to see all the logs the SMS has collected directly without searching in different files?

 

Regards,

Julián

 

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-09-17 07:26 AM
Jump to solution

Hi - What version are you using?

Is Log Indexing enabled?

View solution in original post

7 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-09-17 07:26 AM
Jump to solution

Hi - What version are you using?

Is Log Indexing enabled?

fjulianom
Advisor
‎2024-09-17 07:40 AM
In response to Tal_Paz-Fridman
Jump to solution

Hi,

This is R81.10. It has default configuration, so if Log Indexing is disabled by default, it is disabled. I saw this in the documentation:

Enabling Log Indexing
Log indexing on the Security Management ServerClosed or Log ServerClosed reduces the time it takes to run a query on the logs. Log indexing is enabled by default.

In a standaloneClosed deployment, log indexing is disabled by default. Enable log indexing only if the standalone server CPU has 4 or more cores.

 

So, a little bit ambiguous. I checked and it was disabled. I have enabled and now ir working as expected.

 

Thank you very much,

Julián

0 Kudos
fjulianom
Advisor
‎2024-09-18 01:05 AM
In response to Tal_Paz-Fridman
Jump to solution

Hi Tal,

 

One more little question about this. I enabled Log Indexing, and the default configuration is like this:

logindex.PNG

If I don't enable "Apply the following logs retention policy", how many days will the indexed logs be kept?

 

Regards,

Julián

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-09-18 01:12 AM
In response to fjulianom
Jump to solution

This depends on disk size and the setting you configured above it (when to start removing logs).

Note index logs are quicker to search but they also take more disk space. Most of the time if you check for logs you only go back couple hours / days and not weeks. And if you want it will only be a bit slower.

-------
Please press "Accept as Solution" if my post solved it 🙂
fjulianom
Advisor
‎2024-09-18 01:20 AM
In response to Lesley
Jump to solution

Hi,

 

Reading again I am a bit confused. If I enable the checkbox and leave the default, When it says "Keep indexed logs for no longer than 14 days", will it mean will start deleting logs older than 14 days?

 

Regards,

Julián

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-09-18 01:24 AM
In response to fjulianom
Jump to solution

I dont want to paste the whole story here but if you press the ? mark in the screenshot you send they explain a lot also with examples. If that is unclear let us know. 

-------
Please press "Accept as Solution" if my post solved it 🙂
fjulianom
Advisor
‎2024-09-18 01:51 AM
In response to Lesley
Jump to solution

Hi,

 

Thanks, more clear looking at the examples. Also because the screenshot I pasted can lead you to misunderstanding. The window that pops-up when you press the ? mark has a different wording. The screenshot I pasted says "Keep indexed logs for no longer than 14 days", and the window that pops-up says "Delete index files older than <number> Days ". The first insinuates to delete logs, the second insinuates to delete index files, which is not the same.

 

Regards,

Julián

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events