Jeff_Gao
Copper

smartevent status attention

Dear all,

My SMS is R80.10 and provides the SmartEvent service, but it shows the following attention:

"Scale is not according to recommendation"

scale is not according to recommendation.png

What does that mean?

0 Kudos
10 Replies
Vladimir
Pearl

Re: smartevent status attention

@Jeff_Gao , taking it at face value, it looks like you are over-utilizing the SmartEvent server 20 times its recommended capacity and capabilities.

0 Kudos
Jeff_Gao
Copper

Re: smartevent status attention

Hi Vladimir
Thanks! So, how should I improve the capacity and capabilities?
0 Kudos
Vladimir
Pearl

Re: smartevent status attention

@Jeff_Gao , please let us know the specifications of the hardware (virtual or physical) your SmartEvent is installed on.

Additionally, please specify the IOPs parameters of the storage you are using with it and whether it is a standalone SmartEvent or combined with the Management server.

Without knowing this data, I can point you to this document, that should've been used for the sizing information:

https://www.checkpoint.com/downloads/products/smart-1-security-management-platform-datasheet.pdf 

Look for "sustained logs" and "burst" data and compare that to the numbers you are seeing in your warning.

 

Then perform:

 

[Expert@SMS8030EA:0]# CPLogInvestigator -a -m -p


Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R80.30/fw1/log/fw.log from log 0

..
Reading log file is DONE.


Total scanned 14680 logs out of 14680 logs in file
Scanned logs dates are from 17-06-2019 00:00:00 to 17-06-2019 08:43:30

========================================
Product log statistics (Per Day):
Days of counting: 0.363542
Product name: Anti Malware Amount of logs: 547 Average: 1504
Product name: Application Control Amount of logs: 2 Average: 5
Product name: Linux OS Amount of logs: 4 Average: 11
Product name: N/A Amount of logs: 1 Average: 2
Product name: New Anti Virus Amount of logs: 14 Average: 38
Product name: Security Gateway/Management Amount of logs: 20 Average: 55
Product name: Syslog Amount of logs: 225 Average: 618
Product name: URL Filtering Amount of logs: 2 Average: 5
Product name: VPN-1 & FireWall-1 Amount of logs: 13865 Average: 38138


Total logs per day:

Date | GB | Count
2019-04-05 | 0.0003 | 6252
2019-04-06 | 0.0022 | 45242
2019-04-07 | 0.0022 | 43610
2019-04-08 | 0.0022 | 44218
2019-04-09 | 0.0023 | 45792
2019-04-10 | 0.0023 | 46500
2019-04-11 | 0.0025 | 50386

....

2019-06-17 | 0.0072 | 83864
fw.log | 0.0025 | 29360

==============================================================
Logs per minute table can be found at logPerMinute.txt

==============================================================

..and look at the "LogPerMinute" file to get an idea as to your actual consumption:


[Expert@SMS8030EA:0]# ls
logPerMinute.txt sms8030gaia
[Expert@SMS8030EA:0]# less logPerMinute.txt

 

 

0 Kudos
Jeff_Gao
Copper

Re: smartevent status attention

@Vladimir thanks very much!
My SMS is virtual, which includes SmartEvent, SmartLog and the management server.
CPU:16Core
Mem:16G


# cat logPerMinute.txt
Rounded log time: 18-06-2019 09:55; Log count: 27078
Rounded log time: 18-06-2019 09:54; Log count: 328174
Rounded log time: 18-06-2019 09:53; Log count: 280652
Rounded log time: 18-06-2019 09:52; Log count: 347959
Rounded log time: 18-06-2019 09:51; Log count: 297595
Rounded log time: 18-06-2019 09:50; Log count: 301089
Rounded log time: 18-06-2019 09:49; Log count: 303587
Rounded log time: 18-06-2019 09:48; Log count: 322227
Rounded log time: 18-06-2019 09:47; Log count: 288479


# CPLogInvestigator -a -m -p


Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R80/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R80/fw1/log/fw.log from log 0

..............
Reading log file is DONE.


Total scanned 2496840 logs out of 2496839 logs in file
Scanned logs dates are from 18-06-2019 09:47:04 to 18-06-2019 09:55:05

========================================
Product log statistics (Per Day):
Days of counting: 0.00556713
Product name: Anti Malware Amount of logs: 40 Average: 7185
Product name: Application Control Amount of logs: 20 Average: 3592
Product name: Linux OS Amount of logs: 2 Average: 359
Product name: N/A Amount of logs: 571921 Average: 102731755
Product name: New Anti Virus Amount of logs: 62 Average: 11136
Product name: IPS Amount of logs: 27156 Average: 4877917
Product name: Syslog Amount of logs: 22 Average: 3951
Product name: System Monitor Amount of logs: 9 Average: 1616
Product name: VPN-1 & FireWall-1 Amount of logs: 1897608 Average: 340859316


Total logs per day:

Date | GB | Count
2019-03-03 | 11.9883 | 174510128
2019-03-04 | 15.6731 | 227380694
2019-03-05 | 14.6454 | 212625604
2019-03-06 | 14.3173 | 207947688
2019-03-07 | 14.5935 | 211752560
2019-03-08 | 15.3116 | 222646420
2019-03-09 | 13.0028 | 190148054
2019-03-10 | 15.9042 | 232609262
2019-03-11 | 14.4081 | 209273414
2019-03-12 | 15.7586 | 227925084
2019-03-13 | 15.8023 | 229058910
2019-03-14 | 15.8735 | 230451902
2019-03-15 | 15.4244 | 223788326
2019-03-16 | 15.6335 | 227635214
2019-03-17 | 15.0931 | 219772360
2019-03-18 | 16.9324 | 245463936
2019-03-19 | 14.3083 | 207443174
2019-03-20 | 17.7736 | 258013590
2019-03-21 | 16.2287 | 235587550
2019-03-22 | 14.3122 | 208023034
2019-03-23 | 15.8583 | 231433016
2019-03-24 | 15.1148 | 220062032
2019-03-25 | 17.7270 | 257340930
2019-03-26 | 16.5595 | 240162446
2019-03-27 | 16.6740 | 241708352
2019-03-28 | 18.6492 | 266207518
2019-03-29 | 17.1069 | 246943384
2019-03-30 | 15.3249 | 223271206
2019-03-31 | 15.5162 | 226370694
2019-04-01 | 15.0949 | 219837408
2019-04-02 | 15.4475 | 224926192
2019-04-03 | 15.6323 | 227457050
2019-04-04 | 15.8326 | 230452710
2019-04-05 | 15.8308 | 231286364
2019-04-06 | 15.0042 | 219310188
2019-04-07 | 14.8829 | 217567736
2019-04-08 | 16.8681 | 245347180
2019-04-09 | 16.3029 | 236714306
2019-04-10 | 16.8825 | 245331828
2019-04-11 | 18.6507 | 268697572
2019-04-12 | 18.4652 | 266097024
2019-04-13 | 16.6541 | 241097100
2019-04-14 | 17.4679 | 252973488
2019-04-15 | 19.3012 | 278075826
2019-04-16 | 18.8890 | 271970780
2019-04-17 | 19.3478 | 278465282
2019-04-18 | 19.6170 | 282252782
2019-04-19 | 21.6218 | 312444712
2019-04-20 | 48.5639 | 683451050
2019-04-21 | 18.9067 | 273404576
2019-04-22 | 18.4711 | 265981480
2019-04-23 | 19.9774 | 287641738
2019-04-24 | 21.6359 | 312726300
2019-04-25 | 18.8940 | 272847662
2019-04-26 | 19.7066 | 284529928
2019-04-27 | 19.8668 | 287634870
2019-04-28 | 21.1478 | 305355118
2019-04-29 | 20.0595 | 289562758
2019-04-30 | 20.2436 | 292479032
2019-05-01 | 18.1825 | 263598688
2019-05-02 | 19.1424 | 277886956
2019-05-03 | 19.0467 | 276288934
2019-05-04 | 19.1445 | 277575270
2019-05-05 | 21.2515 | 307374512
2019-05-06 | 20.5017 | 296165128
2019-05-07 | 20.1895 | 291549226
2019-05-08 | 20.4018 | 294921616
2019-05-09 | 20.2197 | 292426714
2019-05-10 | 20.1554 | 291232894
2019-05-11 | 18.3282 | 265369420
2019-05-12 | 19.4292 | 281117542
2019-05-13 | 21.4739 | 309855678
2019-05-14 | 20.6940 | 298906874
2019-05-15 | 18.3149 | 264778772
2019-05-16 | 19.8050 | 286758796
2019-05-17 | 19.7595 | 286745464
2019-05-18 | 19.2113 | 279724146
2019-05-19 | 18.3073 | 266389722
2019-05-20 | 18.1323 | 262847450
2019-05-21 | 19.7511 | 286553766
2019-05-22 | 19.6037 | 284249350
2019-05-23 | 19.5923 | 284006546
2019-05-24 | 19.5201 | 283491850
2019-05-25 | 18.9509 | 275890388
2019-05-26 | 18.3004 | 265843312
2019-05-27 | 21.0343 | 304803456
2019-05-28 | 18.1727 | 263556914
2019-05-29 | 17.7342 | 257719486
2019-05-30 | 19.4171 | 282208746
2019-05-31 | 21.7396 | 316465118
2019-06-01 | 20.3996 | 291043418
2019-06-02 | 35.6533 | 458949050
2019-06-03 | 38.2477 | 484118654
2019-06-04 | 45.0265 | 565156610
2019-06-05 | 44.3254 | 556156954
2019-06-06 | 58.7324 | 708096860
2019-06-07 | 57.8472 | 697854450
2019-06-08 | 54.7061 | 659437432
2019-06-09 | 53.4240 | 642332326
2019-06-10 | 57.8561 | 695654382
2019-06-11 | 56.5435 | 680175814
2019-06-12 | 60.3603 | 733286664
2019-06-13 | 66.7922 | 821996782
2019-06-14 | 66.2689 | 816143848
2019-06-15 | 54.5063 | 695293492
2019-06-16 | 63.1728 | 814843154
2019-06-17 | 66.1099 | 852253356
2019-06-18 | 23.2959 | 316387954
fw.log | 0.3693 | 4993478

==============================================================
Logs per minute table can be found at logPerMinute.txt

==============================================================
0 Kudos

Re: smartevent status attention

The best advice I can give you is get a license for a separate SmartEvent server, install a new VM server and remove the SmartEvent from the SMS.
PS 16GB is really not very much for a complete SMS with SE, did you check how much is free? Use the following command to see memory usage:
free -m
Regards, Maarten
Jeff_Gao
Copper

Re: smartevent status attention

# free -m
total used free shared buffers cached
Mem: 15917 15552 364 0 183 7771
-/+ buffers/cache: 7597 8319
Swap: 17422 2789 14632
0 Kudos
Vladimir
Pearl

Re: smartevent status attention

@Jeff_Gao , so your VM, running Management Server with SmartEvent, except for RAM is roughly rated at 3,750 sustained logs per second:

image.png

2 SmartEvent configuration
3 In Multi-Domain configuration

 

This translates into 225,000 logs per minute.

Your LogsPerMinute.txt shows:

# cat logPerMinute.txt
Rounded log time: 18-06-2019 09:55; Log count: 27078
Rounded log time: 18-06-2019 09:54; Log count: 328174
Rounded log time: 18-06-2019 09:53; Log count: 280652
Rounded log time: 18-06-2019 09:52; Log count: 347959
Rounded log time: 18-06-2019 09:51; Log count: 297595
Rounded log time: 18-06-2019 09:50; Log count: 301089
Rounded log time: 18-06-2019 09:49; Log count: 303587
Rounded log time: 18-06-2019 09:48; Log count: 322227
Rounded log time: 18-06-2019 09:47; Log count: 288479

with each line, except the topmost one, exceeding the rated parameter of the capacity you have provisioned.

Specifically, the RAM you have allocated is not even close to the specs of the hardware servers dedicated to processing the same number of logs per minute.

If you want to have a chance at crunching the same number of logs, see if you can match the specs of the 5150 appliance and that your storage IOPs are on the higher end of the spectrum.

Regards,

Vladimir

 

0 Kudos
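The comparison made in the reply above (3,750 sustained logs per second, i.e. 225,000 per minute, checked against each line of logPerMinute.txt) can be scripted. This is an added example, not part of the original thread or of Check Point's tooling; the function names are hypothetical, and the sample lines are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: compare CPLogInvestigator's logPerMinute.txt with a rated
# sustained log rate. 3750 logs/s is the rating quoted in the thread.

# Sample input: the logPerMinute.txt lines posted in the thread.
sample_log_per_minute() {
cat <<'EOF'
Rounded log time: 18-06-2019 09:55; Log count: 27078
Rounded log time: 18-06-2019 09:54; Log count: 328174
Rounded log time: 18-06-2019 09:53; Log count: 280652
Rounded log time: 18-06-2019 09:52; Log count: 347959
Rounded log time: 18-06-2019 09:51; Log count: 297595
Rounded log time: 18-06-2019 09:50; Log count: 301089
Rounded log time: 18-06-2019 09:49; Log count: 303587
Rounded log time: 18-06-2019 09:48; Log count: 322227
Rounded log time: 18-06-2019 09:47; Log count: 288479
EOF
}

# check_log_rate [RATED_LOGS_PER_SECOND]
# Reads logPerMinute.txt on stdin, prints one line per minute with the
# per-second rate and the share of the rating, then a summary line.
# Exit status is 1 if any minute exceeds the rating, 0 otherwise.
check_log_rate() {
    awk -v rated="${1:-3750}" '
    /^Rounded log time:/ {
        # Format: "Rounded log time: DD-MM-YYYY HH:MM; Log count: N"
        split($0, part, "; Log count: ")
        count = part[2] + 0
        stamp = part[1]
        sub(/^Rounded log time: /, "", stamp)
        limit = rated * 60              # rating expressed per minute
        total++
        if (count > limit) over++
        if (count > peak) { peak = count; peak_at = stamp }
        printf "%s  %7d logs/min  %6.0f logs/s  %3.0f%% of rating%s\n",
               stamp, count, count / 60, 100 * count / limit,
               (count > limit ? "  OVER" : "")
    }
    END {
        printf "minutes=%d over=%d peak=%d at %s\n", total, over, peak, peak_at
        exit (over > 0)
    }'
}

# Stand-alone run against the sample; on a real system use:
#   check_log_rate 3750 < logPerMinute.txt
sample_log_per_minute | check_log_rate 3750 || echo "rating exceeded"
```

The first and last minutes of a scan are usually partial (here the scan covers 09:47:04 to 09:55:05), so their counts understate the real rate.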
Jeff_Gao
Copper

Re: smartevent status attention

@Vladimir You mean that I need to add some mem?
0 Kudos
Vladimir
Pearl

Re: smartevent status attention

In a nutshell, yes. Hike it up to 64GB at least to see if the situation will improve.

Jeff_Gao
Copper

Re: smartevent status attention

Thanks very much, I will try it and update you.
0 Kudos