This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
88654a5e-3946-4
Explorer
‎2019-07-04 12:59 PM

How to restore logs and logging questions ...

Just as a disclaimer i have only been working with checkpoint products for a few months and have been somewhat thrown in at the deep end! I'm not complaining as it seems to be a good product and its the best way to learn. 

  • What is the difference between Log correlation and Indexing
  • How can i see what has and has not been correlated / indexed? 
  • Can i monitor the current process of correlation / indexing?
  • In the scenario i describe below do I also need to import the policy to get the best results? #
  • In the scenario i describe below can we be doing anything better?

The situation I am in is we have been contacted by someone who needs to see the logs from around 3 months ago. We currently run a task overnight to take files that are in $FWDIR/log/ and over 10 days old zip them up and put them onto a remove server. 

To restore these logs i have...

  1. spun up a temporary management server
  2. run cpstop
  3. copied the zipped log files into a tmp directory and then unzipped them back into $FWDIR/log/
  4. we have edited vi $INDEXERDIR/log_indexer_custom_settings.conf to include " :days_to_index (365)" 
  5. run cpstart 
  6. Configured the management server to run the "SmartEvent Server" and "SmartEvent Correlation Unit" and published the change.
  7. Confirmed the management server object is configured for "Enable Log Indexing" under the logs section.  
  8. Confirmed the management server object is has "Delete index files older than" unticked under the Logs->Storage section.  

When i then go into Logs and Monitor and search for stuff in these logs i cant see anything, suggesting the log files have not been indexed? 

What i can do is go File -> Open Log File..., select a specific log file and then search for what i need. What i need to do is work with the full 24 hours worth of logs in one go though (we generate about a log and hour)?! 

If i configure a report to run on the data am i only able to run it on one log file at a time? 

This all seems very in-efficient for a production well known for its logging capabilities so I'm pretty sure this is PICNIC/Layer8! 

 

0 Kudos
2 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-07-05 02:20 AM

Please check the document SMB security log files i wrote some time ago ! CP logs are not very simple as they consist of different - mostly unreadable -  files, but if you know how, you can backup these logs and transfer to a e.g. different SMS for view, see sk92920 How to open FireWall log (fw.log) from a different Security Management Server in SmartView T.... If you just want to read the cotent of the log files or export them into a readable version, please consult sk39573 How to read a Check Point log file in its native format. If the SMS has not much room for logs, you can also use a syslog server as a secondary log server and copy the FW logs to it in regular intervalls, see sk115392 How to export Check Point logs to a Syslog server using CPLogToSyslog for details!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
88654a5e-3946-4
Explorer
‎2019-07-15 10:19 AM
In response to G_W_Albrecht

Thanks, lots of really useful information here. Let me go away and have a read!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events