cem82
Contributor

Audit log retention time R81.10 / R81.20

Hi

I can't find what the retention period is, or how to change it, for audit logs in SmartConsole. I see logs from around a year ago, which doesn't match up with the "Daily log retention" configured on the log server, which applies to traffic logs. Either way, we may want to increase the retention period.

I do see this post, but it's from 2018 and, with all the changes in R81.10, may not be accurate anymore. It seems to indicate they are "never" deleted automatically, so I wonder if that still applies?

https://community.checkpoint.com/t5/Management/Does-Check-Point-delete-audit-log-history/m-p/18452#M...


Accepted Solutions
Amir_Senn
Employee

The retention time is identical for both. From my experience, you see audit logs and not logs because indexes are different for regular logs and audit logs, and by default they are saved for up to 10 years unless disk space gets too low. This is because audit logs and indexes are insignificant next to the amount of traffic logs, and also an insignificant amount of storage.

For more information I suggest checking https://support.checkpoint.com/results/sk/sk117317

Kind regards, Amir Senn


5 Replies
cem82
Contributor

Thanks @Amir_Senn

That gave me some ideas. Suggesting sk117317 helped: it mentions log_keep_on_days, which, when I look at $FWDIR/conf/log_policy.C, does have the value set at 3650, which ties in with your 10 years comment, but sk123532 says that value is not applicable for R80.x (I presume that also means R81.x). At the beginning of sk117317 it says to look at the Logging & Monitoring guide for R80.40+, but I don't see any CLI config, and it seems to only have minimum disk space values as options in the GUI. My main intention in trying to work this out is so that I can show auditors that we keep these audit logs for X days, like I can easily for the traffic logs.

I'm showing them in SmartConsole > log server > log settings > Daily logs retention configuration > Keep indexed logs for no longer than X days / keep log files for an additional X days. The audit logs are going back much further than the days specified there.

I wonder, even though log_keep_days_value isn't supported anymore, would the delete_after (3650) value still apply?

:log_keep_days_value (3650)
:index_delete_older_than_value (3650)
:index_delete_older_than (false)
:logs_distribution (false)
:maintenance_items (
    : (
        :type (audit)
        :delete_after (3650)
    )
    : (
        :type (files)
        :delete_after (3650)
    )
    : (
        :type (firewallandvpn)
        :delete_after (3650)
    )
    : (
        :type (other)
        :delete_after (3650)
    )
    : (
        :type (other-smartlog)
        :delete_after (3650)
    )
    : (
        :type (resources)
        :delete_after (3650)
    )
    : (
        :type (smartevent)
        :delete_after (3650)
    )
)

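Added example, not code from the thread or from Check Point: a small parser for the ":key (value)" structure of log_policy.C that pulls each maintenance_items type and its delete_after value, the per-type figure the post above is reading by hand. It assumes the nesting grammar visible in the quoted fragment and single-token values, and it reports what the file says, not whether the log server enforces it.

```python
import re

# Tokens: '(', ')', ':key' (a bare ':' opens an anonymous entry), "quoted" or bare values.
TOKEN_RE = re.compile(r'\(|\)|:[A-Za-z0-9_\-]*|"[^"]*"|[^\s()]+')

def _parse_block(tokens, pos):
    """Parse after an opening '(': ':key (...)' entries -> list of (key, value); bare value -> str."""
    entries, scalar = [], None
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ')':
            return (entries if scalar is None else scalar), pos + 1
        if tok.startswith(':'):
            key = tok[1:]
            if pos + 1 >= len(tokens) or tokens[pos + 1] != '(':
                raise ValueError(f"expected '(' after :{key}")
            value, pos = _parse_block(tokens, pos + 2)
            entries.append((key, value))
        else:
            scalar, pos = tok.strip('"'), pos + 1
    raise ValueError("unbalanced parentheses")

def parse_c(text):
    """Parse a whole .C file (outer parentheses) or a bare fragment of ':key' lines."""
    tokens = TOKEN_RE.findall(text)
    if tokens and tokens[0] == '(':
        return _parse_block(tokens, 1)[0]
    return _parse_block(tokens + [')'], 0)[0]

def lookup(entries, key):
    """First value stored under key in a parsed block, or None when absent."""
    return next((v for k, v in entries if k == key), None)

def retention_days(text):
    """Map each maintenance_items :type to its :delete_after value in days."""
    result = {}
    for _, item in lookup(parse_c(text), 'maintenance_items') or []:
        kind, days = lookup(item, 'type'), lookup(item, 'delete_after')
        if kind is not None and days is not None:
            result[kind] = int(days)
    return result

# Constructed sample, shaped like the log_policy.C fragment quoted in the thread (not a real file)
SAMPLE = """\
:log_keep_days_value (3650)
:maintenance_items (
    : (:type (audit) :delete_after (3650))
    : (:type (files) :delete_after (30))
)
"""
```

Run retention_days() over the real $FWDIR/conf/log_policy.C to get a per-type table you can hand to an auditor alongside the GUI retention settings.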
Amir_Senn
Employee

This is supported in newer versions as well.

Kind regards, Amir Senn
the_rock
Legend

Definitely works in R81.20

Best,

Andy

the_rock
Legend

I also got the same answer from TAC a while ago as what @Amir_Senn mentioned; that would make 100% sense, for sure.

Best,

Andy
