This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
Advisor
‎2023-01-16 02:51 AM
Jump to solution

Old log files not deleted on MDM server

Hi All,

I have a MDM server on R81.10 take 79 and disk is getting full because old log files are not deleted.

In the past, you had to edit a configuration file, but I was told you could configure a log policy from the MDM server object in SmartConsole. So that is what I did.

It does not make any difference what I configure in SmartConsole. The /var/log partition is getting full and I need to manually remove files. I even installed the database on the CMA's after changing the settings in SmartConsole in the MDM server object.

Not sure what  I am missing here. Followed the MDM admin guide.

Regards,
Martijn


Labels
0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-01-16 03:31 AM
Jump to solution

Hi Martijn,

If you changed a file in the past this might cause the issue because if you change definitions from the files it will override SmartConsole settings.

I would check if you have the following file: $FWDIR/conf/log_policy_extended.C . If so, you can try to change the name and re-install DB on CMA. (mv $FWDIR/conf/log_policy_extended.C $FWDIR/conf/log_policy_extended.C.ORIG )

You can verify what are the definitions loaded to the CMA by looking at fwd.elg of that CMA, look for difference between "loaded set" which is what the definitions try to load and "working set" are the definitions that actually gets enforced.

I think this will help you solve the issue or lead you in the right way.

 

Kind regards, Amir Senn

View solution in original post

(1)
5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-16 03:19 AM
Jump to solution

Are there logs still in folders pertaining to old versions? Those won't get culled by the SmartConsile config iirc.

CCSM R77/R80/ELITE
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-01-16 03:31 AM
Jump to solution

Hi Martijn,

If you changed a file in the past this might cause the issue because if you change definitions from the files it will override SmartConsole settings.

I would check if you have the following file: $FWDIR/conf/log_policy_extended.C . If so, you can try to change the name and re-install DB on CMA. (mv $FWDIR/conf/log_policy_extended.C $FWDIR/conf/log_policy_extended.C.ORIG )

You can verify what are the definitions loaded to the CMA by looking at fwd.elg of that CMA, look for difference between "loaded set" which is what the definitions try to load and "working set" are the definitions that actually gets enforced.

I think this will help you solve the issue or lead you in the right way.

 

Kind regards, Amir Senn
(1)
Martijn
Advisor
Advisor
‎2023-01-16 05:22 AM
In response to Amir_Senn
Jump to solution

Amir,

Thanks!!! That was the issue.

I performed a clean R81.10 install for this MDM server, but imported the MDM database. Forgot all about this file we have changed in the earlier versions.

I renamed the log_policy_extended.C file and performed a mdmstop/mdsstart. After that, I could the the log_policy.C files was the current policy in fwd.elg and free disk space increased.

Regards,
Martijn

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-01-16 05:38 AM
In response to Amir_Senn
Jump to solution

Hi @Amir_Senn 

I think we should add an SK for this (if one does not currently exist)

 

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-01-16 05:55 AM
In response to Tal_Paz-Fridman
Jump to solution

I think that SK117317 covers it pretty good (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...).

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events