CPLogInvestigator issue

Hi there!

Can anyone comment and suggest remediation for this:

We are running a security checkup on CP provisioned all-in-one Management and Gateway (15400).

All of a sudden, log retention dropped to two days.

Looking at CPLogInvestigator, I am seeing:

[Expert@gw-4332cc:0]# ./CPLogInvestigator
CBinaryFile::Open: exit status false
CMappedBinaryFile::error opening file /opt/CPsuite-R80.30/fw1/log/static_analysis.log
CLogFile::Open2: error: open (/opt/CPsuite-R80.30/fw1/log/static_analysis.log) for reading failed
Invalid log file: /opt/CPsuite-R80.30/fw1/log/static_analysis.log


Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log from log 0

..........................
Reading log file is DONE.

Start reading log file: /opt/CPsuite-R80.30/fw1/log/2020-01-09_090503_952.log

Start reading log file: /opt/CPsuite-R80.30/fw1/log/2020-01-09_090503_952.log from log 0

....................
Reading log file is DONE.


Total scanned 8619134 logs out of 12547661 logs in file
Scanned logs dates are from 09-01-2020 07:51:24 to 09-01-2020 09:29:30
Observed blades:
- Anti Malware
- Application Control
- IPS
- N/A
- New Anti Virus
- URL Filtering
- VPN-1 & FireWall-1

========================================

Summary - Estimations based on findings:

Log file size per day: 64.0486GB (126519398 logs)

Estimated events per day:
- Estimated events per day based on active blades: 1232090

Storage required per day:
- SmartEvent: 5.7374GB
- Log Server: 64.0486GB
- Log Server + SmartLog: 128.0973GB

Please refer to sk87263 to use these metrics and size your SmartEvent solution. The SK can be found at Check Point's Support Center :
https://supportcenter.checkpoint.com/supportcenter/index.jsp

But just a few minutes earlier, I was seeing numbers roughly half of those shown above:

[Expert@gw-4332cc:0]# ./CPLogInvestigator -a -p
CBinaryFile::Open: exit status false
CMappedBinaryFile::error opening file /opt/CPsuite-R80.30/fw1/log/static_analysis.log
CLogFile::Open2: error: open (/opt/CPsuite-R80.30/fw1/log/static_analysis.log) for reading failed
Invalid log file: /opt/CPsuite-R80.30/fw1/log/static_analysis.log


Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log from log 0

.....
Reading log file is DONE.


Total scanned 799953 logs out of 799952 logs in file
Scanned logs dates are from 09-01-2020 09:05:03 to 09-01-2020 09:07:51

========================================
Product log statistics (Per Day):
Days of counting: 0.00194444
Product name: Anti Malware Amount of logs: 2 Average: 1028
Product name: Application Control Amount of logs: 10173 Average: 5231828
Product name: Content Awareness Amount of logs: 89 Average: 45771
Product name: Identity Awareness Amount of logs: 59 Average: 30342
Product name: N/A Amount of logs: 239093 Average: 122962114
Product name: IPS Amount of logs: 90 Average: 46285
Product name: Threat Emulation Amount of logs: 70 Average: 36000
Product name: URL Filtering Amount of logs: 9479 Average: 4874914
Product name: VPN-1 & FireWall-1 Amount of logs: 540953 Average: 278204400


Total logs per day:

Date | GB | Count
2020-01-08 | 45.9551 | 314413696
2020-01-09 | 12.3826 | 88459492
fw.log | 0.2127 | 1599904

==============================================================
[Expert@gw-4332cc:0]#

Any thoughts? By any measure, this seems to be an outrageous amount of logs for our environment.

Thank you,

Vladimir
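As an added example (not from the post and not part of Check Point's tool), a small Python helper for triaging output like the above: it parses the "Product log statistics" section, ranks blades by their share of the scanned volume so the blade behind a sudden jump in retention usage stands out, and sanity-checks the per-day Average the tool prints against Amount of logs / Days of counting. The sample text is a constructed copy of the section shown in the post.

```python
import re

# Constructed sample: the "Product log statistics" section from the post above.
SAMPLE = """\
Days of counting: 0.00194444
Product name: Anti Malware Amount of logs: 2 Average: 1028
Product name: Application Control Amount of logs: 10173 Average: 5231828
Product name: Content Awareness Amount of logs: 89 Average: 45771
Product name: Identity Awareness Amount of logs: 59 Average: 30342
Product name: N/A Amount of logs: 239093 Average: 122962114
Product name: IPS Amount of logs: 90 Average: 46285
Product name: Threat Emulation Amount of logs: 70 Average: 36000
Product name: URL Filtering Amount of logs: 9479 Average: 4874914
Product name: VPN-1 & FireWall-1 Amount of logs: 540953 Average: 278204400
"""
BLADE_RE = re.compile(r"^Product name:\s*(.+?)\s+Amount of logs:\s*(\d+)\s+Average:\s*(\d+)")
DAYS_RE = re.compile(r"^Days of counting:\s*([0-9.]+)")

def parse_stats(text):
    """Return (days_of_counting, {blade: (amount_of_logs, per_day_average)})."""
    days, blades = None, {}
    for line in text.splitlines():
        if m := DAYS_RE.match(line):
            days = float(m.group(1))
        elif m := BLADE_RE.match(line):
            blades[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return days, blades

def blade_shares(blades):
    """Fraction of all scanned logs attributed to each blade."""
    total = sum(amount for amount, _ in blades.values())
    return {name: amount / total for name, (amount, _) in blades.items()}

def top_contributors(blades, cumulative=0.9):
    """Blades, largest first, that together reach `cumulative` share of the volume."""
    shares, picked, running = blade_shares(blades), [], 0.0
    for name in sorted(shares, key=shares.get, reverse=True):
        picked.append(name)
        running += shares[name]
        if running >= cumulative:
            return picked
    return picked

def check_averages(days, blades, tolerance=0.01):
    """Blades whose printed per-day Average differs from amount/days by more than tolerance."""
    return [name for name, (amount, avg) in blades.items()
            if abs(amount / days - avg) > tolerance * avg]

if __name__ == "__main__":
    days, blades = parse_stats(SAMPLE)
    print(top_contributors(blades), check_averages(days, blades))
```

On the sample above, "VPN-1 & FireWall-1" and "N/A" together account for over 97% of the scanned logs, which is where to look first when volume doubles.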