
How to restore logs and logging questions ...

Just as a disclaimer, I have only been working with Check Point products for a few months and have been somewhat thrown in at the deep end! I'm not complaining, as it seems to be a good product and it's the best way to learn.

  • What is the difference between log correlation and indexing?
  • How can I see what has and has not been correlated / indexed?
  • Can I monitor the current process of correlation / indexing?
  • In the scenario I describe below, do I also need to import the policy to get the best results?
  • In the scenario I describe below, can we be doing anything better?

The situation I am in is that we have been contacted by someone who needs to see the logs from around 3 months ago. We currently run a task overnight to take files in $FWDIR/log/ that are over 10 days old, zip them up and put them onto a remote server.

To restore these logs I have...

  1. Spun up a temporary management server.
  2. Run cpstop.
  3. Copied the zipped log files into a tmp directory and then unzipped them back into $FWDIR/log/.
  4. Edited $INDEXERDIR/log_indexer_custom_settings.conf (with vi) to include ":days_to_index (365)".
  5. Run cpstart.
  6. Configured the management server to run the "SmartEvent Server" and "SmartEvent Correlation Unit" and published the change.
  7. Confirmed the management server object is configured for "Enable Log Indexing" under the Logs section.
  8. Confirmed the management server object has "Delete index files older than" unticked under the Logs -> Storage section.

When I then go into Logs and Monitor and search for stuff in these logs I can't see anything, suggesting the log files have not been indexed?

What I can do is go File -> Open Log File..., select a specific log file and then search for what I need. What I need to do is work with the full 24 hours' worth of logs in one go though (we generate about a log an hour)?!

If I configure a report to run on the data, am I only able to run it on one log file at a time?

This all seems very inefficient for a product well known for its logging capabilities, so I'm pretty sure this is PICNIC/Layer8!


0 Kudos
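The restore steps above, as an added example that is not from the thread or from Check Point: it automates the unpack and the days_to_index edit and adds a check the post does not have, namely whether any restored file is older than the index window (a likely reason for "nothing in Logs and Monitor"). It assumes the nightly archives are .zip or .tar.gz (the post only says "zipped"), that a restored file's mtime reflects its age, and that the conf path and `:days_to_index` key are exactly as quoted in the post; LOG_DIR and CONF can be overridden to try it outside a Check Point box.

```sh
# Added example, not from the thread: automates the restore steps above and adds a
# check the post lacks. Assumes archives are .zip or .tar.gz (the post only says
# "zipped") and that a log file's mtime reflects its age; the days_to_index key is
# the one quoted in the post. Override LOG_DIR / CONF to test outside a Check Point box.
LOG_DIR="${LOG_DIR:-$FWDIR/log}"
CONF="${CONF:-$INDEXERDIR/log_indexer_custom_settings.conf}"

# Unpack every archive in $1 into the log directory $2 (original mtimes are kept).
restore_logs() {
    mkdir -p "$2"
    for a in "$1"/*; do
        case "$a" in
            *.zip)          unzip -oq "$a" -d "$2" ;;
            *.tgz|*.tar.gz) tar -xzf "$a" -C "$2" ;;
            *)              continue ;;
        esac
    done
}

# Ensure the custom settings file carries exactly one ":days_to_index (N)" line.
set_days_to_index() {   # $1 = conf file, $2 = days
    if grep -q '^[[:space:]]*:days_to_index' "$1" 2>/dev/null; then
        sed "s/^[[:space:]]*:days_to_index.*/:days_to_index ($2)/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf ':days_to_index (%s)\n' "$2" >> "$1"
    fi
}

# Print the configured days_to_index value (empty if the line is absent).
get_days_to_index() {
    sed -n 's/^[[:space:]]*:days_to_index[[:space:]]*(\([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# Count restored *.log files older than the index window: these will not be indexed.
count_logs_outside_window() {   # $1 = log dir, $2 = days
    find "$1" -name '*.log' -type f -mtime +"$2" | wc -l | tr -d ' '
}

# Full sequence from the post, with the window check added at the end.
restore_procedure() {   # $1 = archive dir, $2 = days to index
    cpstop
    restore_logs "$1" "$LOG_DIR"
    set_days_to_index "$CONF" "$2"
    cpstart
    n=$(count_logs_outside_window "$LOG_DIR" "$2")
    [ "$n" -eq 0 ] || echo "warning: $n restored log file(s) are older than $2 days" >&2
}
```

Run `restore_procedure /path/to/archives 365` on the temporary management server; the warning at the end tells you whether the window needs widening before the indexer will pick the files up.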
2 Replies
Sapphire

Re: How to restore logs and logging questions ...

Please check the document SMB security log files I wrote some time ago! CP logs are not very simple, as they consist of different - mostly unreadable - files, but if you know how, you can back up these logs and transfer them to e.g. a different SMS for viewing, see sk92920 How to open FireWall log (fw.log) from a different Security Management Server in SmartView T.... If you just want to read the content of the log files or export them into a readable version, please consult sk39573 How to read a Check Point log file in its native format. If the SMS does not have much room for logs, you can also use a syslog server as a secondary log server and copy the FW logs to it at regular intervals, see sk115392 How to export Check Point logs to a Syslog server using CPLogToSyslog for details!


Re: How to restore logs and logging questions ...

Thanks, lots of really useful information here. Let me go away and have a read!
0 Kudos