This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Advisor
Friday

Log file retrieval

Hi All,

Our SMS doesn't show logs after 15 days. However, I observed logs in the /var/log/opt/CPsuite-R81.10/fw1/log directory. How can I retrieve these logs and have them displayed on the Smart Console?

Thanks

0 Kudos
6 Replies
Lesley
Leader Leader
Leader
Saturday

I think these are the index logs. Under the relevant object in SmartConsole you can open it and see under logs what days have been set there. If this matches the 15 says it means it works as it should. Can you confirm if you search logs you can search further back then 15 days? It could be a bit slower if you search further back of time. This is normal. index logs makes searching more quick but use more disk space. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Amir_Senn
Employee
Employee
Sunday
In response to Lesley

Most likely the thing to check.

You can also see your current index retention value with "cat $FWDIR/conf/log_policy.C | grep -i index_delete_older_than_value".

Or on the Management/dedicated log server under Logs -> Storage -> under "Daily Logs Retention Configuration":

Capture.PNG

Kind regards, Amir Senn
Ihenock1011
Advisor
Sunday
In response to Lesley

When I search logs back 15 days, I am unable to retrieve them. I managed to open the log files older than 15 days : go to "Logs," then click on the three lines, select "File," open "Logfiles," and navigate to the specific date I looking for.

0 Kudos
Amir_Senn
Employee
Employee
Monday
In response to Ihenock1011

This validates it's indexing related. Try to search the things I mentioned in the post and see if you save indexes only for 14 days (which is the default with "Daily Retention" turned on).

Kind regards, Amir Senn
AkosBakos
Leader Leader
Leader
Saturday

Hi @Ihenock1011 

I thought, you checked the avaialble space on the partititon etc...

But befere you dig into the debugging, run #evstop then #evstart command. I can solve a lot ot indexing problems.

Here is an SK about how to reindexing logs:

https://support.checkpoint.com/results/sk/sk164553

Be careful, I takes time 🙂

Akos

----------------
\m/_(>_<)_\m/
HeikoAnkenbrand
Champion Champion
Champion
Saturday

To retrieve logs from the /var/log/opt/CPsuite-R81.10/fw1/log directory and display them on the Smart Console, you can use the fw fetchlogs command. Here’s how you can do it:

1) List Available Logs: First, list the available log files on your Management Server using the following command:

[Expert@HostName:0]# fw lslogs MyGW

This will show you the log files available for fetching.

2) Fetch Specific Log Files: Use the fw fetchlogs command to fetch the desired log file. Replace 2024-06-01_000000 with the actual log file name you want to fetch:

[Expert@HostName:0]# fw fetchlogs -f 2024-06-01_000000 MyGW

3) This command will fetch the specified log file from the Management Server.

Verify Log Files: After fetching, verify that the log files are present in the $FWDIR/log directory:

[Expert@HostName:0]# ls $FWDIR/log/MyGW*

4) Check Smart Console: Once the logs are fetched, they should be available in the Smart Console under Logs & Monitoring.

If you encounter any issues with logs not appearing in Smart Console, it might be due to a corrupted log indexing database. In such cases, you may need to clear or reset the log indexing database. For detailed steps on this, refer to this solution sk168812 .

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events