boom247
Contributor

Audit logs for deleted logs

Hi Checkmates

Is there a way to view audit logs for logs/log files that were deleted?

0 Kudos

8 Replies
S_E_
Advisor

hi,

IMHO no, that's the reason why we run a script/cronjob to copy audit logs to an external server. 

In addition, having audit log files on a different server may help you to correlate the correct time.

SmartConsole shows audit logs with the time/timezone settings of your client PC and not of your CheckPoint MGMT server. 

Regards

0 Kudos
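S_E_'s advice above (copy the audit logs off the box so a deletion can at least be noticed later) can be turned into a small integrity check. The following is an added example, not code from this thread or from Check Point: it snapshots a log directory together with a SHA-256 manifest, and a later run reports files that went missing, were truncated, or were edited in place, while treating log rotation and normal growth of the active audit.log as benign. The file names and contents in demo() are constructed, and the remote copy step is stood in for by a local destination directory.

```python
import hashlib
import json
import os
import shutil
import tempfile


def _digest(path, limit=None):
    """SHA-256 of a whole file, or of its first `limit` bytes."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_manifest(log_dir):
    """Map every regular file in log_dir to its size and SHA-256."""
    manifest = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            manifest[name] = {"size": os.path.getsize(path), "sha256": _digest(path)}
    return manifest


def snapshot_logs(log_dir, dest_dir):
    """Copy the log files to dest_dir and write manifest.json beside them.
    dest_dir stands in for the external server of the cronjob approach."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = build_manifest(log_dir)
    for name in manifest:
        shutil.copy2(os.path.join(log_dir, name), os.path.join(dest_dir, name))
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def load_manifest(dest_dir):
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        return json.load(f)


def check_logs(log_dir, manifest):
    """Compare the live directory with an earlier manifest.
    A file whose old content now lives under another name counts as rotated;
    a file that grew but still starts with its old bytes counts as appended.
    Everything else that changed is missing, truncated or modified."""
    current = build_manifest(log_dir)
    by_hash = {v["sha256"]: n for n, v in current.items()}
    findings = {"missing": [], "truncated": [], "modified": [], "rotated": [], "appended": []}
    for name, old in manifest.items():
        new = current.get(name)
        if new is not None and new["sha256"] == old["sha256"]:
            continue  # untouched
        if old["sha256"] in by_hash:
            findings["rotated"].append(f"{name} -> {by_hash[old['sha256']]}")
        elif new is None:
            findings["missing"].append(name)
        elif new["size"] < old["size"]:
            findings["truncated"].append(name)
        elif new["size"] > old["size"] and _digest(os.path.join(log_dir, name), old["size"]) == old["sha256"]:
            findings["appended"].append(name)
        else:
            findings["modified"].append(name)
    return findings


def demo():
    """Constructed scenario: snapshot four files, then delete one, truncate one,
    rotate one and append to the active log. Returns the findings dict."""
    base = tempfile.mkdtemp()
    live, off = os.path.join(base, "audit"), os.path.join(base, "offbox")
    os.makedirs(live)
    files = {
        "audit.log": "type=USER_AUTH msg=audit(1709200428.987:482949): res=failed\n",
        "audit.log.1": "older record one\n",
        "audit.log.2": "older record two, long enough to be cut in half\n",
        "audit.log.3": "oldest record\n",
    }
    for name, body in files.items():
        with open(os.path.join(live, name), "w") as f:
            f.write(body)
    manifest = snapshot_logs(live, off)
    os.remove(os.path.join(live, "audit.log.3"))                              # deleted
    os.truncate(os.path.join(live, "audit.log.2"), len(files["audit.log.2"]) // 2)  # truncated
    os.rename(os.path.join(live, "audit.log.1"), os.path.join(live, "audit.log.1.old"))  # rotated
    with open(os.path.join(live, "audit.log"), "a") as f:                     # normal growth
        f.write("type=USER_AUTH msg=audit(1709200434.568:482950): res=failed\n")
    findings = check_logs(live, load_manifest(off))
    shutil.rmtree(base)
    return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run snapshot_logs from the cronjob and keep the manifest only on the remote side; check_logs is only meaningful when the manifest it reads cannot be edited by whoever can delete files on the management server.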
boom247
Contributor

Thanks for the answer

0 Kudos
the_rock
Legend

See if any of below files may help.

Andy

[Expert@cpazurecluster1:0]# cd /var/log/audit/
[Expert@cpazurecluster1:0]# ls
audit.log audit.log.1 audit.log.2 audit.log.3
[Expert@cpazurecluster1:0]#

0 Kudos
the_rock
Legend

This is mostly what I'm finding in my lab...

Andy

type=USER_AUTH msg=audit(1709200428.987:482949): pid=29059 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=144.217.84.62 addr=144.217.84.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1709200434.568:482950): pid=29081 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=144.217.84.62 addr=144.217.84.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1709200439.315:482951): pid=29111 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=218.92.0.92 addr=218.92.0.92 terminal=ssh res=failed'
[Expert@cpazurecluster1:0]# grep -i delete audit.log
[Expert@cpazurecluster1:0]# grep -i DELETE audit.log
[Expert@cpazurecluster1:0]#

0 Kudos
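The records the_rock pasted above are standard Linux auditd lines, and a grep for "delete" finds nothing in them because they are only PAM authentication events. As an added example (not code from the thread, not a Check Point tool), the parser below turns such records into dictionaries, counts the failed sshd logins per source address, and picks out PATH records with nametype=DELETE. The three USER_AUTH lines are the ones quoted in the post; the PATH record is constructed to show what auditd writes when a watched file is unlinked, which assumes an audit watch rule covering /var/log/audit that the post's output does not show.

```python
import re
from collections import Counter

# Three USER_AUTH records quoted in the post, plus one constructed PATH record
# (the kind emitted only when an auditd watch rule covers the deleted file).
SAMPLE_LOG = r"""
type=USER_AUTH msg=audit(1709200428.987:482949): pid=29059 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=144.217.84.62 addr=144.217.84.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1709200434.568:482950): pid=29081 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=144.217.84.62 addr=144.217.84.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1709200439.315:482951): pid=29111 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=218.92.0.92 addr=218.92.0.92 terminal=ssh res=failed'
type=PATH msg=audit(1709200500.000:482960): item=0 name="/var/log/audit/audit.log.3" inode=12345 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
""".strip().splitlines()

# Every record starts with type=... msg=audit(<epoch>:<serial>): followed by fields.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value where value is '...' (nested message), "..." (quoted string) or a bare token.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def _parse_fields(body, rec):
    """Flatten key=value pairs into rec, descending into msg='...' blocks."""
    for key, raw in KV_RE.findall(body):
        if raw.startswith("'") and raw.endswith("'"):
            _parse_fields(raw[1:-1], rec)   # nested PAM message
        elif raw.startswith('"') and raw.endswith('"'):
            rec[key] = raw[1:-1]
        else:
            rec[key] = raw


def parse_record(line):
    """Parse one auditd line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    _parse_fields(m["body"], rec)
    return rec


def parse_log(lines):
    return [r for r in (parse_record(line) for line in lines) if r is not None]


def failed_ssh_logins(records):
    """Failed sshd PAM authentications, counted per source address."""
    return Counter(
        r["addr"]
        for r in records
        if r["type"] == "USER_AUTH"
        and r.get("exe") == "/usr/sbin/sshd"
        and r.get("res") == "failed"
    )


def deleted_paths(records):
    """File names from PATH records that recorded an unlink (nametype=DELETE)."""
    return [r["name"] for r in records if r["type"] == "PATH" and r.get("nametype") == "DELETE"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed ssh logins:", dict(failed_ssh_logins(recs)))
    print("deleted files seen by auditd:", deleted_paths(recs))
```

Without a watch rule the last list stays empty no matter what was removed from /var/log/audit, which matches what the grep in the post shows; the other list is what the same file does tell you (repeated root login failures from two addresses over ssh).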
boom247
Contributor

Thanks Legend, I also tested the same but am not finding specific traces pointing to the deleted log files.

0 Kudos
the_rock
Legend

Maybe open a TAC case to confirm, but it does not look like there is a log about it :-(

Andy

0 Kudos
boom247 (Accepted Solution)
Contributor

Hi Andy

You're correct, I did reach out to TAC and their feedback is that there isn't a way.

the_rock
Legend

K, so that's the answer then, if they confirmed already.

Best,

Andy

0 Kudos
