Audit log retention time R81.10 / R81.20
Hi
I can't find what the retention period is, or how to change it, for audit logs in SmartConsole. I see logs from around a year ago, which doesn't match up with the "Daily log retention" configured on the log server, which applies to traffic logs. Either way, I may want to increase the retention period.
I do see this post, but it's from 2018, and with all the changes in R81.10 it may not be accurate anymore. It seems to indicate they are "never" deleted automatically, so I wonder if that does still apply?
Labels: Logging, Multi-Domain, SmartConsole
Accepted Solutions
The retention time is identical for both. From my experience, you see audit logs and not logs because the indexes are different for regular logs and audit logs, and by default they are saved for up to 10 years unless disk space gets too low. This is because audit logs and their indexes are insignificant next to the amount of traffic logs, and also an insignificant storage amount.
For more information I suggest checking https://support.checkpoint.com/results/sk/sk117317
Thanks @Amir_Senn
That gave me some ideas. sk117317 mentions log_keep_on_days, and when I look at $FWDIR/conf/log_policy.C it does have the value set at 3650, which ties in with your 10 years comment, but sk123532 says that value is not applicable for R80.x (I presume that also means R81.x). At the beginning of sk117317 it says to look at the Logging & Monitoring guide for R80.40+, but I don't see any CLI config, and the GUI seems to only have minimum disk space values as options. My main intention in trying to work this out is so that I can show auditors that we keep these audit logs for X days, like I easily can for the traffic logs.
I'm showing them in SmartConsole > log server > log settings > Daily logs retention configuration > Keep indexed logs for no longer than X days / keep log files for an additional X days. The audit logs are going back much further than the days specified there.
I wonder if, even though log_keep_days_value isn't supported anymore, the delete_after (3650) value would still apply?
```
:log_keep_days_value (3650)
:index_delete_older_than_value (3650)
:index_delete_older_than (false)
:logs_distribution (false)
:maintenance_items (
        : (
                :type (audit)
                :delete_after (3650)
        )
        : (
                :type (files)
                :delete_after (3650)
        )
        : (
                :type (firewallandvpn)
                :delete_after (3650)
        )
        : (
                :type (other)
                :delete_after (3650)
        )
        : (
                :type (other-smartlog)
                :delete_after (3650)
        )
        : (
                :type (resources)
                :delete_after (3650)
        )
        : (
                :type (smartevent)
                :delete_after (3650)
        )
```
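For anyone who needs to turn the quoted log_policy.C extract into audit evidence, here is a small parser written for this thread (an added example, not Check Point's code). It handles only the one-setting-per-line layout shown in the post (`:name (value)`, `:name (`, the anonymous `: (`, and a bare `)`), reads each maintenance type's `delete_after` value, and lists the types that fall below a retention period you require. The sample text is constructed from the values posted above, with the closing bracket added; the function and variable names are my own. It reports only what the file says; whether R81.x honours `log_keep_days_value` or `delete_after` is the open question in this thread, not something the script can settle.

```python
"""Parse the one-setting-per-line layout of Check Point's .C set-file format
(as quoted above from $FWDIR/conf/log_policy.C) and report the delete_after
retention configured per maintenance type.  Added example, not Check Point code."""
import re

# Opening forms seen in the post: ":name (value)", ":name (" and the anonymous ": (".
_OPEN_RE = re.compile(r"^:(?P<name>[A-Za-z0-9_\-]*)\s*\((?P<rest>.*)$")

# Constructed sample in the layout of the post (values as posted, closing bracket added).
SAMPLE_LOG_POLICY = """\
:log_keep_days_value (3650)
:index_delete_older_than_value (3650)
:index_delete_older_than (false)
:logs_distribution (false)
:maintenance_items (
        : (
                :type (audit)
                :delete_after (3650)
        )
        : (
                :type (files)
                :delete_after (3650)
        )
        : (
                :type (firewallandvpn)
                :delete_after (3650)
        )
)
"""


class _Block:
    """A bracketed block: named children plus anonymous ': ( ... )' entries."""

    def __init__(self):
        self.named, self.items = {}, []


def _scalar(text):
    """Turn 'true'/'false' and integers into Python values; keep anything else as text."""
    if text in ("true", "false"):
        return text == "true"
    return int(text) if re.fullmatch(r"-?\d+", text) else text


def _plain(node):
    """Reduce _Block trees to dicts (named children) or lists (anonymous entries)."""
    if not isinstance(node, _Block):
        return node
    if node.items and not node.named:
        return [_plain(item) for item in node.items]
    out = {key: _plain(val) for key, val in node.named.items()}
    if node.items:
        out["_items"] = [_plain(item) for item in node.items]
    return out


def parse_set_file(text):
    """Parse set-file text into nested dicts/lists; raises ValueError on bad nesting."""
    root = _Block()
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == ")":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched ')'")
            stack.pop()
            continue
        match = _OPEN_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised syntax {raw!r}")
        name, rest = match.group("name"), match.group("rest").strip()
        parent = stack[-1]
        if rest.endswith(")"):
            value = _scalar(rest[:-1].strip())  # scalar closed on the same line
        else:
            value = _Block()  # nested block, closed by a later ')'
            stack.append(value)
        if name:
            parent.named[name] = value
        else:
            parent.items.append(value)
    if len(stack) != 1:
        raise ValueError("unterminated block: missing ')'")
    return _plain(root)


def retention_by_type(config):
    """Map each maintenance type to its delete_after value (days)."""
    items = config.get("maintenance_items", [])
    if isinstance(items, dict):  # block that mixed named keys and anonymous entries
        items = items.get("_items", [])
    return {item["type"]: item["delete_after"] for item in items}


def shortfalls(config, required_days, types=("audit",)):
    """(type, configured days) pairs below the required retention; a missing type counts as 0."""
    configured = retention_by_type(config)
    return [(t, configured.get(t, 0)) for t in types if configured.get(t, 0) < required_days]


if __name__ == "__main__":
    cfg = parse_set_file(SAMPLE_LOG_POLICY)
    print("log_keep_days_value:", cfg["log_keep_days_value"])
    for kind, days in retention_by_type(cfg).items():
        print(f"  {kind:<16} delete_after = {days} days")
    print("below a 365-day requirement:", shortfalls(cfg, 365))
```

Point it at a copy of the real file (`parse_set_file(open(path).read())`) and pass the retention period your policy names to `shortfalls`; an empty list means every listed type is configured at or above that period. Keep the output next to the SmartConsole screenshot of the daily retention settings, since the two describe different mechanisms.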
This is supported in newer versions as well.
Definitely works in R81.20
Best,
Andy
I also got the same answer from TAC a while ago as what @Amir_Senn mentioned; that would make 100% sense, for sure.
Best,
Andy
