This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oleg_Ershov
Explorer
‎2025-03-31 07:09 AM

Extend log space with log forwarding

Hi,

My 64000 generate a huge logs. It sends logs to standby Management server R80.40 . I have an idea to shedule log forwarding once a week to active Management server in order to search more logs. Will the logs be automaticaly indexed after forwarding? Will the old logs be automaticaly deleted in order to free disk space for new forwarded logs as happens with logs received from gateway? 

Best regads,
Oleg

0 Kudos
4 Replies
Lesley
MVP Gold
MVP Gold
‎2025-03-31 11:09 AM

I would spin up a new unit with more disk space and get rid of the EOL r80.40 asap. 

After that you can look into feature called: Dynamic Log Distribution

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_LoggingAndMonitoring_AdminGu...

 

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Oleg_Ershov
Explorer
‎2025-03-31 11:10 PM
In response to Lesley

Thank you. The problem is not perfomance, but disk space.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-31 11:19 PM

Logs will be indexed as they land on the logging instance.

Old logs will be automatically deleted per the log storage configuration on the logging instance.

I'm not sure that this will achieve what you want to achieve though. Where are you scheduling the log fowarding? Is the issue that you can't search back far enough in your logs?

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-04-01 07:20 AM

Hi,

This will not be indexed on landing. Servers by default will index log files that were closed in the last day.

Since you're planning to do it weekly, you need to change values on the server using this SK: https://support.checkpoint.com/results/sk/sk111766

Index will not be deleted on the server and it will still take disk space.

I have a few suggestions in general for log policy:

a. Since you have large volume of logs I would add log forwarding on all GWs if not defined already.

b. Indexing entire week of logs could be resource consuming, I would suggest doing it nightly to distribute stress on primary MGMT. Nightly will not require you changing the number of days to index using the SK.

c. Set up log retention policy for all log servers. For example, if you forward all the logs from secondary after a week, you can select in log retention to delete indexes older than 7 days.

d. In general I would research other options for log server. I think that stressing active management server with large volume of logs is not recommended. 2 leading options IMO are dedicated log server and LaaS (logs as a service, stores logs on the cloud using Infinity Portal https://portal.checkpoint.com/)

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events