This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ibrown
Contributor
‎2024-01-08 09:32 AM
Jump to solution

Management logs

Hello All,

I've noticed that since I've upgraded to an R81.20 smartcenter server, we are only keeping 8 days of the consolidated logs available for querying. The log server, which is also the smartcenter server,  has the local logs policy set on it for 60 days or purge when less than x space. The log partition has more than x and the logs show no triggering of the policy, so I don't know why it's rolling at such a short period.

 

Anyone else seen this and fixed it ?

 

Many thanks

Ian

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-10 12:49 AM
In response to ibrown
Jump to solution

It's possible to see if they were deleted in $FWDIR/log/fwd.elg

If this is cleaning due to disk space you should see messages similar to the following:

CCyclicLogging::_moveFile: moving file: YYYY-MM-DD_HHMMSS.log, for deletion....
FWLOG_MAINTENANCE - RemoveFilesFromCLDir: removing file: YYYY-MM-DD_HHMMSS.log from dir....

Other things you can do is use log forwarding to another server with more storage.

One last thing, upgrade packages and JHF are uploaded to same partition as the logs so if you have a lot of old packages you can consider deleting them.

Kind regards, Amir Senn

View solution in original post

0 Kudos
13 Replies
the_rock
MVP Gold
MVP Gold
‎2024-01-08 10:09 AM
Jump to solution

Hey Ian,

I had been using R81.20 more than a year now and had never seen this issue. You noticed it after the upgrade you said?

Andy

Best,
Andy
0 Kudos
ibrown
Contributor
‎2024-01-09 09:22 AM
In response to the_rock
Jump to solution

Hello,

well I've noticed it in the last month, but it might have been since the upgrade. I tend not to need to look at logs longer than today/yesterday very often luckily.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-01-09 09:28 AM
In response to ibrown
Jump to solution

I saw answer @Amir_Senn just gave and I would also verify the same.

Best,

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-08 10:57 AM
Jump to solution

What version did you upgrade from?
We changed the log indexing in one of the R81.x versions, which requires triggering a manual reindex after doing an upgrade.
Otherwise, only logs from the day you performed the upgrade forward will be indexed.

0 Kudos
ibrown
Contributor
‎2024-01-09 09:21 AM
In response to PhoneBoy
Jump to solution

Hello,

it was R80.40. it's not stuck on that date though, it's a rolling 8 days. Which I cannot find anywhere.

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-09 09:16 AM
Jump to solution

2 things to check:

a. How much free storage you have on logs partition.

b. Try to open manually a log file. It is possible you still have the logs but no indexes.

Capture3.PNG

Kind regards, Amir Senn
0 Kudos
ibrown
Contributor
‎2024-01-09 09:28 AM
In response to Amir_Senn
Jump to solution

Hello,

We are currently higher than the policy (not that it appears to be paying any attention to it) with just under 11gb free and the daily consolidated log is around 1gb. I checked if I could open any other files and the number are the same, so it's not that it isn't indexing them. It really does seem to be pruning them.

thanks

 

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-10 12:49 AM
In response to ibrown
Jump to solution

It's possible to see if they were deleted in $FWDIR/log/fwd.elg

If this is cleaning due to disk space you should see messages similar to the following:

CCyclicLogging::_moveFile: moving file: YYYY-MM-DD_HHMMSS.log, for deletion....
FWLOG_MAINTENANCE - RemoveFilesFromCLDir: removing file: YYYY-MM-DD_HHMMSS.log from dir....

Other things you can do is use log forwarding to another server with more storage.

One last thing, upgrade packages and JHF are uploaded to same partition as the logs so if you have a lot of old packages you can consider deleting them.

Kind regards, Amir Senn
0 Kudos
ibrown
Contributor
‎2024-01-10 09:00 AM
In response to Amir_Senn
Jump to solution

Hello Amir,

you are correct it is deleting them. Hmm, now I need to work out why.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-01-10 03:16 AM
Jump to solution

Did you reindex old log files post upgrade or remove them?

 

PMTR-60610: R81 includes the new mechanism for log indexing.

Before you upgrade a Management Server or Log Server that uses an external storage device to keep the log data, you must follow the instructions in sk66003 to change the location of the existing log indexes.

This applies only if it is necessary to keep the existing log indexes and use them after the upgrade.

This applies to Security Management Server, Log Server, Multi-Domain Security Management Server, Multi-Domain Log Server, SmartEvent Server, StandAlone Server. R81

GNG-1259,PMTR-52941 R81 includes new logs indexing mechanism, so when upgrading Management server/Log Server/Multi-Domain Server/Multi-Domain Log Server/SmartEvent from R80.x, old log indexes are not upgraded.

The indexing mechanism will re-index the last 24 hours automatically. To increase the period of offline indexing (how far in the past to re-index the logs), see sk111766.

CCSM R77/R80/ELITE
0 Kudos
ibrown
Contributor
‎2024-01-10 09:01 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

during the upgrade, I wasn't too fussed, so I let it do it's own thing. It's since then it's been purging the logs.

0 Kudos
ibrown
Contributor
‎2024-01-16 09:29 AM
In response to ibrown
Jump to solution

Thank to all. I've expanded /var/log and we are good. I think my problem was that I was looking at the free space in /var/log during the day after it has purged and of course it was dropping below the limit by midnight and the purge was kicking off.

So many thanks for the help all !

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-01-16 09:38 AM
In response to ibrown
Jump to solution

Thanks for sharing mate, glad its sorted out!

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events