This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dale_Lobb
Advisor
‎2022-06-09 06:42 PM

Looking at CPLogInvestigator. Daily stats do not match total logs per day. What gives?

I am investigating the sheer number of logs we are generating on our management system.  According to my SIEM admins, the number of logs being ingested has more than doubled in the last year.

  In any case, I'm looking at CPLogInvestigator.  But what I am seeing does not make sense:  The log stats per day do not match the number of logs for the last day, not even close.    Here is a snippet:

# CPLogInvestigator -a -m -p

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R80.40/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R80.40/fw1/log/fw.log from log 0

..................................................
Reading log file is DONE.


Total scanned 9618460 logs out of 9618459 logs in file
Scanned logs dates are from 09-06-2022 14:26:26 to 10-06-2022 18:33:25

========================================
Product log statistics (Per Day):
Days of counting: 1.17152
Product name: Anti Malware Amount of logs:                                312 Average: 266
Product name: Application Control Amount of logs:                112390 Average: 95935
Product name: Connectra Amount of logs:                                        7 Average: 5
Product name: ESOD Amount of logs:                                           118 Average: 100
Product name: Firewall Amount of logs:                                            6 Average: 5
Product name: HTTPS Inspection Amount of logs:                 1291956 Average: 1102806
Product name: Identity Awareness Amount of logs:                   65266 Average: 55710
Product name: MTA Amount of logs:                                           1640 Average:  1399
Product name: N/A Amount of logs:                                        601007 Average: 513016
Product name: New Anti Virus Amount of logs:                                  9 Average: 7
Product name: Security Gateway/Management Amount of logs:       58 Average: 49
Product name: IPS Amount of logs:                                              5763 Average: 4919
Product name: System Monitor Amount of logs:                               11 Average: 9
Product name: Threat Emulation Amount of logs:                      51085 Average: 43605
Product name: Threat Extraction Amount of logs:                            11 Average: 9
Product name: URL Filtering Amount of logs:                           117484 Average: 100283
Product name: VPN-1 & FireWall-1 Amount of logs:               7371478 Average: 6292254


Total logs per day:

Date | GB | Count
<snip>
2022-06-08 | 33.9062 | 331916400
2022-06-09 | 27.6229 | 266948294
fw.log          | 1.9735   |    19235418

 

  If you notice, the total number of logs in the section "Product log statistics (Per Day):", which is a ~28 hour period, is 9,618,601.  But the total number of logs on 6/8/2022 is over 331 million and on 6/9/2022, today is 266 million.

  What am I to make of this?

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend
‎2022-06-10 05:54 AM

Perhaps the former number (9,618,601) counts the amount of consolidated session logs, while 266 million is the total number of raw unconsolidated logs sent from the gateway to the log server?  A single consolidated session log consists of many, many raw logs sent by the gateway for individual product blades and updates for Accounting and such that are rolled up at the log server level.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-10 08:57 AM

Log Exporter sends a log every 10 minutes for log entries that have accounting data as well as an entry when the session ends.
This can mean a single log entry in SmartView can generate many, many logs to your SIEM.

0 Kudos
prakash7
Explorer
‎2023-02-23 10:00 PM
In response to PhoneBoy

Product name: N/A Amount of logs:                                        601007 Average: 513016

 

What is N/A logs?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-24 06:23 PM
In response to prakash7

N/A means it's not related to a specific product.
I assume this is just a log count since the last "marker" (what this appears to be).

0 Kudos
prakash7
Explorer
‎2023-02-24 09:05 PM
In response to PhoneBoy

Hi phoneboy,

N/A gives higher logs. It's normal or abnormal

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events