LazarusG
Contributor

Infinity log ingestion rate has suddenly and dramatically increased for AM 'event type update'

Hi

We have a customer who is receiving emails from Checkpoint that their log ingestion rate is exceeding 50Gb and that they need to buy more storage.

This started from December - the log ingestion graph shows a flat line of nothing and then it explodes.

The customer is unaware of any changes in the environment.

It references two SKs:

SK181096 - How to optimize cloud logs

SK182394 - Cloud log analytic & logging - ingestion/Retention solution.

For the second SK I'm not sure that customers have access to the product catalog(?)

For the first SK we followed the steps to identify the logs with a view to tuning the policy.

However, when we filter as described, we find that the logs are 100% Low Severity, 98.5% Event type update, 70.63% anti malware blade.

As such, there is no matching rule, so we can't follow the advice in the SK, and we can't see how to prevent this log type from being ingested - does anyone have any ideas?

They are on E88.32.2003.

Thanks!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

As a bit of background, EPMaaS tenants have a limit on the amount of logs that are allowed to be ingested.
We do not enforce these limits currently, but are expecting to start doing so by the end of Q1.
This is why you are starting to see notifications about it in Infinity Portal.
This is not 100% finalized, so the details might change.

More relevant to the accuracy of the notification itself, it appears (per TAC) the ingestion volume does not seem to be calculating correctly on all tenants.
This is under investigation.


9 Replies
Peter_Lyndley
Advisor

Yes, I will second that... starting about a week ago, we also started seeing this on some of our customers too. Sorry, I don't have an answer for you.

0 Kudos
LazarusG
Contributor

Thanks for confirming! Nice to know it's not isolated - well, it's not 'nice' it's happening elsewhere, but it's at least a sanity check 🙂

0 Kudos
Wolfgang
Authority

We see exactly the same behavior. No change in the logs for a year, but now these messages. Something changed in the background?

0 Kudos
Wolfgang
Authority

We see this not only for EPMaaS customers. Some Smart-1 Cloud tenants have the same behavior.

0 Kudos
PhoneBoy
Admin

While I heard about this in the context of EPMaaS customers, Smart-1 Cloud customers also have similar limits that I assume will be enforced in the near future.

0 Kudos
the_rock
Legend

The page to check log usage definitely looks different in the portal now.

Andy

0 Kudos
the_rock
Legend

Noticed the same for 2 S1C cloud clients as well.

Andy

0 Kudos
the_rock
Legend

Noticed that as well in the portal for a few customers.

Andy

0 Kudos
