edd080
Contributor

Checkpoint Report for a Month

Hi to all,

I am trying to create a report for a particular month (January). I have managed to create and design the report I need in Logs & Monitor (we are using Check Point R80.10) through SmartConsole and have also managed to run the report; however, I do not get the report for the whole month, since part of it got archived (.log).

Is there a way in which I can join that particular log to the actual one (the live current log) in order to get the report for the whole month?

Thank you for any help.

10 Replies
edd080
Contributor

Or at least, is there a way in which these logs can be merged (maybe with a tool or a script)?

Thanks for any help...

0 Kudos
PhoneBoy
Admin

I believe log files are still limited to 2GB.

This is why they are automatically rotated nightly at midnight.

That said, you should be able to run reports across log files provided indexing is enabled and you’re not deleting the indexes after X days (and not deleting the underlying log files).

0 Kudos
edd080
Contributor

Hello Dameon,

The logs are not deleted; if I run a report for the month of January, I can only see entries from the last few weeks.

If I go to Logs & Monitor and choose the 'File - Open log files' option, I am able to go to the log file that contains the entries from the beginning of January and open it without any problems; that is why I wanted to see if there is an option to join these log files and maybe then run a report with graphs and so on that reflects the whole month.

Unless there is a way of running the report feature for that specific log file and in that way I can split the month of January into multiple reports?

Thank you. 

0 Kudos
PhoneBoy
Admin

That sounds like log indexes are being deleted after 14 days.

See this thread: https://community.checkpoint.com/message/12803-smartlog-only-look-back-14-days-how-to-reindex-90-day... 

edd080
Contributor

Thanks for this, will check it out and let you know how it goes.

0 Kudos
edd080
Contributor

Hello Dameon, I have followed the guide "R80.x SmartLog/SmartEvent server doesn't index/show logs older than 1-14 days back", which worked out without any issues; however, when I run the report it still does not show me entries for the previous month; it is still showing me entries for the past 14 days.

One of the steps in the guide mentions 'evstart (for MDS: mdsstart) // for R80 and above: Reboot.' 

I ran the evstart command; maybe I still need to reboot the reporting server after giving the evstart command?

Thanks for your help.

0 Kudos
PhoneBoy
Admin

The event database was separate from the logs in R77.x and earlier.

This means you could restart SmartEvent to kick off reindexing.

In R80+, the logs/events are merged, thus a reboot (or a cprestart) may be required in this case.

0 Kudos
edd080
Contributor

Hello Dameon, so I restarted both the SmartEvent server and management; however, I am still unable to see logs for the beginning of January; I need to choose the appropriate log file to see them. I followed the guide that was in the link you suggested and did not have any issues implementing the change; I cannot understand what I might be doing wrong.

0 Kudos
PhoneBoy
Admin

I recommend engaging with the TAC on this.

Possibly something else is going on here.

How To Open a Case with TAC and/or Account Services

0 Kudos
edd080
Contributor

Thanks, will check it out with them then.
