This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dan_Roddy
Collaborator
‎2018-03-02 08:35 AM

Need help exporting log data from R80.10 MS

Greetings,

I upgraded management to R80.10 on December 19, 2017.  My new log server now is 93% full and I realize now after reading the Logging and Monitoring R80.10 Administration Guide, it is mostly useless.  I am trying to be objective here and not overly critical but there is only one sentence in this admin guide about managing logs:

"SmartEvent and Log Server use an optimization algorithm to manage disk space and other system resources. When the Logs and Events database becomes too large, the oldest logs and events are automatically deleted to save space."

No, deleting is not managing.  I have been copying off log files since R61 but now the logs are in database format and not flat files so it would be very helpful if I could learn how to get it done.  It is very likely this will only need to be done once - very soon I will have syslog running to a 5TB log server.

 

I like the idea about getting logs from Endpoint Management Server R77.30.03 into the R80.10 platform to unify all threat management.

Any help will be appreciated, best regards,

Dan

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2018-03-02 06:07 PM

Archiving log files works exactly the same way it worked in R61 and much earlier releases: Copy off the fw.log* files.

Yes, there is additional indexing and correlation that is done, but those indexes can be rebuilt when the logs are reimported into a system.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-02 11:45 PM
In response to PhoneBoy

Bear in mind rebuilding indexes can be painfully slow and resource intensive. We tried to import logs after R80 upgrade from R77.30 by copying back fw.log files and it took 3 days to import one week of logs... That's whilst processing new logs arriving from gateways. At the end we have up as MLM became useless.

So in short yes - you can archive the same way as before but be mindful about rebuilding indexes Smiley Happy or use old school tracker to view old logs Smiley Happy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events