Logs statistics
Hi everyone! I hope you're feeling very well.
First, thanks for your replies; I'm new at this, I'm learning.
I have some log files I need to study to refine the firewall rules. Do you know of any software I can install on my computer where I can upload these files and look at the statistics?
The log files are a proprietary binary format that can only be read by a Check Point Management/Log Server.
If you want to view them offline, you’d basically have to set up a separate management server with those logs imported.
Thanks PhoneBoy, can you recommend me a software?
Hi
You can also connect to your Security Management Server with SmartConsole using read-only credentials, or have your administrator set up a dedicated administrator with only the relevant permissions.
Another option would be to connect to the SmartView Log Browser to view the logs -> https://<management_server>/smartview/
HTH
Tal
Hello Tal_Peace_Fridman, thank you for responding. How could I load these logs, which are no longer on the physical device, so that I can view them again in the SmartView web interface and see the statistics there? Thank you.
SmartView is unable to load logs. The logs have to be on the SMS to be viewed in SmartLog (after indexing), SVTracker (with the "open file..." option) or elsewhere. To transfer and use the logs on the SMS, see "SMB security log files", which speaks about SMB logs viewed on the SMS. Also read sk39573: How to read a Check Point log file in its native format, and sk92920: How to open FireWall log (fw.log) from a different Security Management Server in SmartView ....
Thanks G_W_Albrecht, I'll take a look at it; if I have problems, can I ask you?
You can post here...
Hi again
You can use the SmartView web browser by connecting to the Security Management Server that holds the original files or, as I wrote, by connecting with read-only SmartConsole.
This will save you the need to load the files onto another machine.
Tal
Tal_Paz-Fridman, thank you very much for helping me. Could you explain to me how to do these two options, or provide me with material to study it? Again, thank you, and I remain attentive.
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Administrators.
Define a new Administrator and use the Read Only All permission profile.
Now when you log in to the Security Management Server as the new Administrator, you can view the rules and logs but without having the option to change anything, just to analyze the logs and rules.
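For the same setup done from the SMS command line instead of SmartConsole, here is an added example that is not from the thread or from Check Point: it uses the Management API's mgmt_cli to add the administrator with the Read Only All permission profile named above, so the least-privilege grant is scripted and reviewable. The account name, SESSION_FILE and ANALYST_PW are illustrative; the session file is whatever "mgmt_cli login" wrote, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread or Check Point. Creates a read-only
# administrator with mgmt_cli. Assumes: SESSION_FILE holds the session written
# by "mgmt_cli login ... > $SESSION_FILE", the built-in "Read Only All"
# permission profile exists (the profile named in the post), and the initial
# password arrives in ANALYST_PW. DRY_RUN=1 prints the commands instead.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Add a read-only analyst account and publish the session. The account is
# forced to change its password on first login so the initial secret is
# short-lived. Returns 1 without calling mgmt_cli if an input is missing.
add_readonly_admin() {
    name=$1
    [ -n "$name" ] || { echo "usage: add_readonly_admin NAME" >&2; return 1; }
    [ -n "$ANALYST_PW" ] || { echo "ANALYST_PW is not set" >&2; return 1; }
    [ -n "$SESSION_FILE" ] || { echo "SESSION_FILE is not set" >&2; return 1; }
    run mgmt_cli -s "$SESSION_FILE" add administrator name "$name" \
        password "$ANALYST_PW" must-change-password true \
        authentication-method "check point password" \
        permissions-profile "Read Only All" || return 1
    run mgmt_cli -s "$SESSION_FILE" publish
}
```

The password still passes through the mgmt_cli command line, where it is visible in the process list on the SMS for the duration of the call; the forced change on first login limits how long that initial value matters.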
Or, after defining the new Administrator, connect in a browser to https://<SMS_IP>/smartview/ and log in there!
Hi again, thanks.
Context:
I have to make a log study for the previous 3 months, but the firewall administrator's index is 14 days, so I can't access, for example in SmartView, consolidated logs of the last 3 months. Do you know if SmartEvent also works with this index?
How can I reconstruct a 3-month index for statistics?
I have the information, but it is very fragmented in daily files, and producing 90 sets of statistics and then consolidating them would be a tedious process.
Accepted Solution
Assuming your log files for the needed time (~3 months) still exist and weren't deleted due to log storage capacity (log maintenance), then it's fairly easy.
Follow sk111766 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...),
and add these lines after stopping the Indexer (evstop) and configuring the number of days you choose (-days_to_index <90> or beyond) to have it completely re-index with your chosen number of days:
cp $INDEXERDIR/data/FetchedFiles{,.Orig}
rm -f $INDEXERDIR/data/FetchedFiles
Then start it (evstart).
Also make sure to disable/raise the daily index file deletion so it doesn't get deleted again.
This will cause a re-indexing of these last 3 months of logs (or as many days back as you've configured), which has a performance impact during the re-indexing process; it should take roughly several days (depending on your log rate vs. HW strength).
If you need a better estimate, you can send us your log rate (or size of log files) and HW CPU/memory details.
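As an added example (not code from the thread, from sk111766 or from Check Point), here is the same procedure wrapped in a small POSIX shell script with the two checks a practitioner wants before wiping indexer state: that log files for the requested window actually exist (the "assuming your log files still exist" condition above, tested by file modification time rather than by file name), and that FetchedFiles is copied to a fresh timestamped backup rather than overwriting an earlier .Orig. It assumes the indexer directory and the log directory are passed as arguments (typically $INDEXERDIR and $FWDIR/log on an SMS), that daily log files carry a .log suffix, and that the -days_to_index change from sk111766 has already been made by hand; evstop and evstart are the Check Point commands named in the post, and DRY_RUN=1 prints them instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread, sk111766 or Check Point.
# Wraps the manual re-index steps (evstop, back up and remove FetchedFiles,
# evstart) with checks the manual steps skip. Assumptions: $1 is the indexer
# directory ($INDEXERDIR on an SMS), $2 is the directory holding the daily
# log files (typically $FWDIR/log), log files carry a .log suffix, and
# -days_to_index was already changed by hand per sk111766.
# DRY_RUN=1 prints evstop/evstart instead of running them.

# Number of *.log files under $1 modified within the last $2 days. Uses file
# mtime, so nothing is assumed about the log file naming scheme.
logs_in_window() {
    find "$1" -name '*.log' -mtime "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# Copy $1/data/FetchedFiles to a timestamped backup, then remove the original
# so the indexer rebuilds its fetched-file list on the next start. A fresh
# name per run avoids clobbering an earlier .Orig copy. Prints the backup
# path; returns 1 if there is nothing to back up.
backup_fetched_files() {
    src="$1/data/FetchedFiles"
    [ -f "$src" ] || { echo "no FetchedFiles under $1/data" >&2; return 1; }
    dst="$src.$(date +%Y%m%d%H%M%S).bak"
    cp "$src" "$dst" && rm -f "$src" && echo "$dst"
}

# Full procedure. Refuses to touch the indexer unless logs for the window
# exist, and stops before removing state if evstop fails.
reindex_last_days() {
    indexerdir=$1; logdir=$2; days=$3
    n=$(logs_in_window "$logdir" "$days")
    if [ "$n" -eq 0 ]; then
        echo "no .log files from the last $days days in $logdir; nothing to re-index" >&2
        return 1
    fi
    echo "found $n log file(s) from the last $days days in $logdir"
    ${DRY_RUN:+echo} evstop || { echo "evstop failed; leaving index state alone" >&2; return 1; }
    backup_fetched_files "$indexerdir" || return 1
    ${DRY_RUN:+echo} evstart
}
```

Run it first as DRY_RUN=1 reindex_last_days "$INDEXERDIR" "$FWDIR/log" 90 on the SMS to see what it would do, then without DRY_RUN. Note that the original cp $INDEXERDIR/data/FetchedFiles{,.Orig} relies on bash brace expansion, which works in the Gaia shell but not in a plain /bin/sh script; the function above spells out both paths instead.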
Thanks bro, I'm done!
No problem.
Glad I could help :)