
Does Check Point delete audit log history?

In R80.10, there are 2 sources for change history:

1. Dynamic revisions at the Security Management Server. This allows us to present:

- All changes in the Manage & Settings --> Revisions view in SmartConsole

- REST API for show-changes

These changes are kept forever, unless the user manually purges them. They are lightweight and are based on the delta difference. Users could use the Security Management API or the Gaia operating system revisions as a way to forward history to external storage.

2. Audit logs at the Log Management Server. This allows us to present:

- List of changes in the bottom pane of a selected revision in SmartConsole

- Graphs, overviews and reports of changes in SmartView

These changes are kept according to your Log Retention Policy. Notice that there are 2 retention metrics: deleting indexes of older audit logs (which makes searches for audit logs slow), and deleting the actual log files (which makes audit logs go away). By default, Check Point only deletes audit log files (and also traffic log files) when the disk space is below a very small threshold as defined in the Log Retention Policy. There are options to forward logs to external storage in the Additional Settings for Log Management Servers.

To summarize: There are two sources to retrieve change history for security management. In SmartConsole we use each source in the way that utilizes it best. However, you could create your own change reports based on the show-changes API. The retention rules are different between the two engines.
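The post says the dynamic revisions are only purged by hand and that the Management API (show-changes) is one way to push that history to external storage. The script below is an added example for this thread, not Check Point's own tooling: it logs in to the Management API, pages through show-changes for a date range, and writes one JSON Lines record per change so the history can be archived outside the management server regardless of the Log Retention Policy. It assumes the documented R80.10 API behaviour (POST /web_api/login returns a "sid", later calls carry it in the X-chkp-sid header, show-changes takes from-date/to-date/limit/offset with a 500-per-page maximum). The response layout handled in parse_changes() (a "changes" list, possibly wrapped in tasks[].task-details[], each change with "session" and "operations" blocks) and the host, user and environment variable names are assumptions; check the layout against the API reference for your version.

```python
"""Archive Security Management change history (show-changes) as JSON Lines.

Added example for this thread, not Check Point's code. Assumed API shape is
described in the comments; verify against your version's API reference.
"""
import json
import os
import ssl
import sys
import urllib.request

API_PAGE_MAX = 500  # documented maximum for the show-changes "limit" parameter


def build_request(from_date, to_date, offset=0, limit=API_PAGE_MAX):
    """Request body for one page of show-changes covering [from_date, to_date]."""
    if not 1 <= limit <= API_PAGE_MAX:
        raise ValueError("limit must be between 1 and %d" % API_PAGE_MAX)
    return {"from-date": from_date, "to-date": to_date,
            "limit": limit, "offset": offset, "details-level": "full"}


def parse_changes(resp):
    """Flatten one show-changes response page into archive records.

    Assumption: changes sit in a top-level "changes" list or, for the
    asynchronous form, in tasks[].task-details[].changes; each change carries
    a "session" block and an "operations" block with added-/modified-/deleted-objects.
    """
    changes = list(resp.get("changes", []))
    for task in resp.get("tasks", []):
        for detail in task.get("task-details", []):
            changes.extend(detail.get("changes", []))
    records = []
    for change in changes:
        session = change.get("session", {})
        ops = change.get("operations", {})
        records.append({
            "session_uid": session.get("uid"),
            "user": session.get("user-name"),
            "published": session.get("publish-time", {}).get("iso-8601"),
            "added": len(ops.get("added-objects", [])),
            "modified": len(ops.get("modified-objects", [])),
            "deleted": len(ops.get("deleted-objects", [])),
            "raw": change,  # keep the full delta; the counts above are for indexing
        })
    return records


def api_call(host, command, body, sid=None, ctx=None):
    """POST one Management API command; the session id goes in X-chkp-sid."""
    req = urllib.request.Request(
        "https://%s/web_api/%s" % (host, command),
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})
    if sid:
        req.add_header("X-chkp-sid", sid)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def export_changes(host, user, password, from_date, to_date, sink,
                   call=api_call, ctx=None):
    """Log in, page through show-changes, pass every record to sink(), log out.
    Returns the number of records exported. `call` is injectable for testing."""
    sid = call(host, "login", {"user": user, "password": password}, ctx=ctx)["sid"]
    exported = 0
    try:
        offset = 0
        while True:
            page = call(host, "show-changes",
                        build_request(from_date, to_date, offset), sid, ctx)
            records = parse_changes(page)
            for rec in records:
                sink(rec)
            exported += len(records)
            offset += API_PAGE_MAX
            # Stop on the API's reported total when present, else on an empty page.
            total = page.get("total")
            if not records or (total is not None and offset >= total):
                break
    finally:
        call(host, "logout", {}, sid, ctx)  # always release the API session
    return exported


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: %s <mgmt-host> <user> <from-date> <to-date> "
                 "(password read from CHKP_PASSWORD)" % sys.argv[0])
    host, user, start, end = sys.argv[1:]
    # Assumed env var CHKP_CA_BUNDLE: CA file for the management server's
    # certificate. Verify it; do not turn verification off for convenience.
    ctx = ssl.create_default_context(cafile=os.environ.get("CHKP_CA_BUNDLE"))
    with open("changes-%s-%s.jsonl" % (start, end), "a") as out:
        n = export_changes(host, user, os.environ["CHKP_PASSWORD"], start, end,
                           lambda rec: out.write(json.dumps(rec) + "\n"), ctx=ctx)
    print("exported %d changes" % n)
```

Run it from a scheduled job with a read-only API user and ship the resulting .jsonl files to whatever store holds your audit evidence; the "raw" field keeps the full delta, so the summary counts can be dropped later without losing anything.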

2 Replies

Thanks for the insight, Tomer Sole. By the inertia principle I (and not only I) keep on thinking that what was working in some way before works the same way in R80. And a kind of lame question (instead of checking myself :) ) - up until R77.30 audit logs were kept forever unless deleted manually, never mind the Log retention policy, weren't they?

Very good question! Indeed they were.
