sarangoj
Contributor

Logs statistics

Hi everyone! I hope you're feeling very well.

First, thanks for your replies. I'm new at this, I'm learning.

I have some log files I need to study to refine the firewall rules. Do you know of any software I can install on my computer where I can upload these files and look at the statistics?


Accepted Solutions
Dror_Aharony
Employee

Assuming your log-files of the needed time (~3 months) still exist & weren't deleted due to log storage capacity (log maintenance), then it's fairly easy.

Follow sk111766 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...),

and add these lines after stopping the Indexer (evstop) and configuring the number of days you choose (-days_to_index <90> or beyond) to have it completely re-index with your chosen number of days:

cp $INDEXERDIR/data/FetchedFiles{,.Orig}
rm -f $INDEXERDIR/data/FetchedFiles

then start it (evstart).

Also make sure to disable/up the daily index files deletion to avoid them being deleted again.

This will cause a re-indexing of the last 3 months of logs (or as many days back as you've configured), which has a performance impact during the re-indexing process; it should take roughly several days (depending on your log rate vs. HW strength).

If you need a better estimate, you can send us your log rate (or size of log files) and HW CPU/memory details.

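An added worked example, not from the thread or from Check Point: a small POSIX shell wrapper around the FetchedFiles reset in the accepted answer. It first counts how many distinct days of rotated logs are still on disk (the YYYY-MM-DD_HHMMSS.log naming is an assumption here), so the "~3 months still exist" prerequisite can be checked before touching the indexer, and it keeps a timestamped backup instead of silently overwriting an earlier .Orig copy.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes $INDEXERDIR and $FWDIR as set
# on a Check Point SmartEvent/log server; run reset_fetched_files only after
# evstop and after days_to_index has been raised per sk111766.

# distinct_log_days LOG_DIR
# Prints the number of distinct calendar days covered by rotated log files
# named YYYY-MM-DD_HHMMSS.log (assumed naming). Use it to confirm the
# ~90 days you want to re-index have not already been purged by log maintenance.
distinct_log_days() {
    ls "$1" 2>/dev/null \
      | sed -n 's/^\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)_[0-9]\{6\}\.log$/\1/p' \
      | sort -u | wc -l | tr -d ' '
}

# reset_fetched_files DATA_DIR
# Copies DATA_DIR/FetchedFiles to a timestamped backup (refusing to clobber an
# existing one) and removes the live file so the indexer re-fetches every log
# within days_to_index on the next evstart. Prints the backup path.
# Returns 1 if there is nothing to reset, 2 on a backup name clash, 3 if cp fails.
reset_fetched_files() {
    data_dir=$1
    live="$data_dir/FetchedFiles"
    backup="$live.Orig.$(date +%Y%m%d-%H%M%S)"

    if [ ! -f "$live" ]; then
        echo "no $live found; nothing to reset (already removed?)" >&2
        return 1
    fi
    if [ -e "$backup" ]; then
        echo "backup $backup already exists; refusing to overwrite" >&2
        return 2
    fi
    cp -p "$live" "$backup" || return 3
    rm -f "$live"
    echo "$backup"
}

# Typical use on the server (commented out so the file can be sourced safely):
#   evstop
#   echo "days of logs on disk: $(distinct_log_days "$FWDIR/log")"
#   reset_fetched_files "$INDEXERDIR/data" && evstart
```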

16 Replies
PhoneBoy
Admin

The log files are a proprietary binary format that can only be read by a Check Point Management/Log Server.
If you want to view them offline, you’d basically have to set up a separate management server with those logs imported.

sarangoj
Contributor

Thanks PhoneBoy, can you recommend me some software?

Tal_Paz-Fridman
Employee

Hi

You can also connect to your Security Management Server with SmartConsole using Read Only credentials, or have your administrator set up a dedicated administrator with only the relevant permissions.

Another option would be to connect to SmartView Log Browser for viewing the logs -> https://<management_server>/smartview/

HTH

Tal

sarangoj
Contributor

Hello Tal_Paz-Fridman, thank you for responding. How could I load these logs that are no longer on the physical device so that I can view them again in SmartView Web and see the statistics there? Thank you.

G_W_Albrecht
Legend

SmartView is unable to load logs. The logs have to be on the SMS to be viewed in SmartLog (after indexing), SVTracker (with an "open file..." option) or elsewhere. To transfer and use the logs on the SMS, see SMB security log files, which speaks about SMB logs viewed on the SMS. Also read sk39573: How to read a Check Point log file in its native format and sk92920: How to open FireWall log (fw.log) from a different Security Management Server in SmartView ....

sarangoj
Contributor

Thanks G_W_Albrecht, I'll take a look at it; if I have problems, can I ask you?

G_W_Albrecht
Legend

You can post here...

Tal_Paz-Fridman
Employee

Hi again

You can use SmartView Web Browser by connecting to the Security Management Server that holds the original files or, as I wrote, by connecting with a Read Only SmartConsole.

This will save you the need to load the files to another machine.

Tal

sarangoj
Contributor

Tal_Paz-Fridman, thank you very much for helping me. Could you explain to me how to set up these two options, or provide me with material to study? Again, thank you, and I remain attentive.

Tal_Paz-Fridman
Employee

In SmartConsole go to Manage & Settings > Permissions and Administrators > Administrators.

Define a new Administrator and use the Read Only All Permission Profile.

Now when you log in to the Security Management Server using the new Administrator, you can view the Rules and Logs but without having the option to change anything, just to analyze the logs and rules.

G_W_Albrecht
Legend

Or, after defining the new Administrator, connect in a browser to https://<SMS_IP>/smartview/ and log in there!

sarangoj
Contributor

Hi again, thanks.

Context:
I have to make a log study for the previous 3 months, but the index of the firewall administrator is 14 days, so I can't access, for example in SmartView, consolidated logs of the last 3 months. Do you know if SmartEvent also works with this index?
How can I reconstruct a 3-month index for statistics?
I have the information, but it is very fragmented in daily files, and to make 90 statistics and then consolidate them would be a tedious process.

sarangoj
Contributor

Thanks bro, I did it!

Dror_Aharony
Employee

No problem.
Glad I could help :)