This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2020-05-04 05:11 AM
Jump to solution

Log Rotation for R80.10 Mgmt Server

Hi,

 

Where can i check the current retention period for logs in SmartConsole and will how can i modify it if required ?

 

 Thanks.

Labels
0 Kudos
1 Solution

Accepted Solutions
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-05-04 05:22 AM
Jump to solution

I assume you're referring to the general log/index retention period, not to a single log-file switch, which doesn't actually affect anything on R80.10 & above, as it only impacts the old 'Non-Index' I/S.

Both are on the SmartConsole > Open the Management Server Object > Logs > Storage.

It depends on 2 factors:

1. Daily Log/Indexed-logs retention via: 'Delete index files older than...'

(on R80.40 you can keep/delete both logs & indexed-logs in a more comfortable manner - recommended).

2. Disk-Space ('emergency') threshold for Logs/Indexed-logs retention, which depends on your actual disk-space in Logs partition (/var/log/), via: 'Delete files once threshold is below 'X' available space (default: 5GB==5000Mb).

 

Example: You have 10GB of Logs & 10GB of Indexed Logs per day. (~700 logs/sec)

Your total logs partition is 1000GB, so you can save around 1000/20 = 50 days of max logs/Indexed-logs, unless configured as less via daily retention.

 

Hope that's clear.

 

 

 

 

View solution in original post

7 Replies
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-05-04 05:22 AM
Jump to solution

I assume you're referring to the general log/index retention period, not to a single log-file switch, which doesn't actually affect anything on R80.10 & above, as it only impacts the old 'Non-Index' I/S.

Both are on the SmartConsole > Open the Management Server Object > Logs > Storage.

It depends on 2 factors:

1. Daily Log/Indexed-logs retention via: 'Delete index files older than...'

(on R80.40 you can keep/delete both logs & indexed-logs in a more comfortable manner - recommended).

2. Disk-Space ('emergency') threshold for Logs/Indexed-logs retention, which depends on your actual disk-space in Logs partition (/var/log/), via: 'Delete files once threshold is below 'X' available space (default: 5GB==5000Mb).

 

Example: You have 10GB of Logs & 10GB of Indexed Logs per day. (~700 logs/sec)

Your total logs partition is 1000GB, so you can save around 1000/20 = 50 days of max logs/Indexed-logs, unless configured as less via daily retention.

 

Hope that's clear.

 

 

 

 

LostBoY
Advisor
‎2020-05-04 06:59 AM
In response to Dror_Aharony
Jump to solution

Thank you for this detailed info.. i checked my settings and it is 5GB default there for Option no. 2
However, the index file box is unchecked.. so how does retention for index file works in this case ..Also, how can i check how much logs are being generated in the enviroment.

Thanks
0 Kudos
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-05-04 07:07 AM
In response to LostBoY
Jump to solution

Unchecked = No daily retention for index-files, therefore only min threshold of disk-space is applied.

cpstat mg -f log_server (gives a good estimate of current logs/sec & last 10 mins/hour avg)

Log Receive Rate: X (X = logs/sec received)

Log Receive Rate Last Hour: Y (Y= logs/hour received, so use that to calculate the no. of logs)

 

logs/indexed-logs size calculation - rough estimation/rule of thumb

1 log = roughly 180 Bytes -> 1,000 logs/sec for 24 hours for a full day ~= 14.5GB of log-files & same 14.5GB of Indexed-logs == 29GB daily log & index size.

 

 

LostBoY
Advisor
‎2020-05-04 08:21 AM
In response to Dror_Aharony
Jump to solution

Ok..so mine is 21 per hour.. which comes out to be quite less in a single day..
If i enable the Unchecked option and put say 30 days before overwrite..does it mean it will overwrite the logs either at 30 days or when 5GB if filled.. which ever comes earlier
0 Kudos
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-05-05 01:27 AM
In response to LostBoY
Jump to solution

Exactly, whichever comes 1st.

but 30 days of keep/delete index files only (on R80.10). Log-files will remain till disk threshold.

on R80.40, We have added a daily keep maintenance for log-files as well.

 

 

 

 

Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2020-05-04 05:22 AM
Jump to solution

Hi

Edit the Security Management Server object > Logs topic > Storage (Disk Space Management) and Additional Settings (Advanced Settings)

LostBoY
Advisor
‎2020-05-04 06:59 AM
In response to Tal_Paz-Fridman
Jump to solution

Thanks..got it
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events