This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Charlie_Dobson
Contributor
‎2019-01-15 08:10 AM
Jump to solution

Application and URL filtering Report from last month

Hello all,

I am trying to run an application and URL filtering report from last month (which just happens to be "last year").  I specify a custom date range of 12/1/2018 to 12/15/2018 with this query: 

product:("Application Control" OR "URL Filtering") AND NOT action:"Redirect" AND type:("Log" OR "Alert" OR "Session") AND NOT app_category:"Network Protocols" AND user:"username (logonname)" AND ("username")

Where "username" and "logonname" are replaced with the appropriate AD attributes, however I do not get any data in the report.  If I change the date range to 12/15/2018 to 12/31/2018 I get the same result.  However, if I change the date range to 1/1/2019 through 1/8/2019, I get a populated report.

Our Check Point admin left about 5 months ago and I'm still learning all of this, so please bear in mind that I'm still new to all of this.

Is there something I need to do to get the data from last month?  Is it automatically archived off into an older database?  Is there a process that archives off previous years automatically?

I am using the R80.10 SmartConsole for viewing reports.

Labels
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-01-16 09:33 AM
In response to Charlie_Dobson
Jump to solution

Yes, removing index files will affect reporting and the ability to search logs.

Recommend this SK: How to run SmartEvent Offline Jobs for multiple log files 

And also this thread: https://community.checkpoint.com/thread/6624-smartlog-only-look-back-14-days-how-to-reindex-90-days-... 

View solution in original post

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2019-01-15 04:44 PM
Jump to solution

If you look for logs from that timeframe, are they found?

0 Kudos
Charlie_Dobson
Contributor
‎2019-01-16 04:38 AM
In response to PhoneBoy
Jump to solution

Where do I check?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-16 07:22 AM
In response to Charlie_Dobson
Jump to solution

In Logs and Monitor (or SmartView).
Go to the Logs tab and click on the clock in the search bar.

Pull down "Custom" and specify the desired timeframe.

The management (or log server) will delete log files if there is limited disk space.

Settings are specified in your management object.

0 Kudos
Charlie_Dobson
Contributor
‎2019-01-16 09:18 AM
In response to PhoneBoy
Jump to solution

Ah, OK.  Yes, I was using the custom timeframe option to specify dates from 12/1/2018 to 12/15/2018 and nothing comes up.  Same with 12/16/2018 to 12/31/2018.  In fact, I only see stuff as far back as 1/2/2019 and anything before that is blank.

As for the settings on the log server, they are set to alert at 20 MBytes and start deleting at 5000 MBytes, and to delete index files older than 14 days.  Disk space on our logging server according to "df -h" is only at 1% used.

It seems that the deleting of the index files older than 14 days is effecting the reports?  Does that mean the data is there but since it isn't indexed it isn't showing up?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-16 09:33 AM
In response to Charlie_Dobson
Jump to solution

Yes, removing index files will affect reporting and the ability to search logs.

Recommend this SK: How to run SmartEvent Offline Jobs for multiple log files 

And also this thread: https://community.checkpoint.com/thread/6624-smartlog-only-look-back-14-days-how-to-reindex-90-days-... 

0 Kudos
Charlie_Dobson
Contributor
‎2019-01-16 11:36 AM
In response to PhoneBoy
Jump to solution

Thanks so much!  I'm running the re-index now.

0 Kudos
Charlie_Dobson
Contributor
‎2019-01-17 06:28 AM
In response to PhoneBoy
Jump to solution

I ran the re-index and used $RTDIR/scripts/doctor-log.sh -f to verify that the indexing status is OK, however I still cannot pull data from more than 14 days.  Is there any way to verify if the data is actually there in the database?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-17 08:31 AM
In response to Charlie_Dobson
Jump to solution

Might be a good idea to open a TAC case so we can troubleshoot.

0 Kudos
Matt_Ricketts
Employee
Employee
‎2019-01-17 09:24 AM
In response to PhoneBoy
Jump to solution

I agree with Dameon. My initial thought was the default 14 days of Index files. However I keep 32 days of Indexes and when I filter my logs on December 2018, I am only seeing logs from 23:59:43 and newer for Dec 31st.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events