xoy74
Explorer

Search for a user's last login date/time

Hello,

We have a Check Point 5100 Firewall cluster on premise. We have a few hundred users connecting through Endpoint Security to work from home. Many of those have left though and I want to put in place a procedure to clean them up. So I basically want to delete anyone who hasn't logged in in the last 60 days or so.

Right now the only way I know to do that is to take each account and manually search in the Logs section of the Smart Console for their username and something like Action:"Log In", with a set interval of the last 2 months, which will give me their last few logins.

Is there a way to run the same log search query from SSH, in expert mode? If I could do that, I can get a list of users as a text file and write a simple script to run through the whole list.

Thanks for any pointers and Best Regards.

0 Kudos
7 Replies
Chris_Atkinson
Employee

What authentication method is used for these users out of interest - Active Directory, Radius or other?

0 Kudos
xoy74
Explorer

They use PKCS #12 certificates.

0 Kudos
PhoneBoy
Admin

0 Kudos
xoy74
Explorer

Thanks very much for the reply. Unfortunately I had no luck trying to figure out the syntax of a query similar to what I am using in the Smart Console. In the Smart Console I am simply selecting a date range and entering something like "action:"Log In" username".

0 Kudos
PhoneBoy
Admin

You have two issues here:

  • You will need to pipe the output through the "grep" command to pull out the relevant log entries. This is standard Unix command line foo.
  • fw log and CPLogFilePrint only work on the current log file. You will have to run this on multiple log files in succession to get the last 60 days.

If you're using R81 and above, you can use the show logs API, which can also be called via the CLI.
This supports queries similar to SmartConsole.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.8%20 

0 Kudos
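An added example (not part of the thread, and not Check Point's own code) of the clean-up script the question describes: it scans the text of several log files in succession, keeps each user's newest "Log In" entry, and reports accounts with no login in the last 60 days, including accounts that never appear. The line layout, field names, user names and sample data are constructed assumptions; adjust the regular expression to whatever your log export actually prints.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout (constructed, not real Check Point output):
#   "<YYYY-MM-DD HH:MM:SS>; action: Log In; user: <name>; ..."
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2});"
    r".*?\baction: Log In;.*?\buser: (?P<user>[^;]+);"
)

def last_logins(log_texts):
    """Return {lowercased user: newest login datetime} across all log texts."""
    newest = {}
    for text in log_texts:                # one entry per log file, any order
        for line in text.splitlines():
            m = LOGIN_RE.match(line.strip())
            if not m:
                continue                  # other actions or unparsable lines
            user = m.group("user").strip().lower()
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            if user not in newest or ts > newest[user]:
                newest[user] = ts
    return newest

def stale_users(all_users, log_texts, now, max_age_days=60):
    """Users with no login inside the window, including users never seen."""
    cutoff = now - timedelta(days=max_age_days)
    seen = last_logins(log_texts)
    report = []
    for user in all_users:
        last = seen.get(user.strip().lower())
        if last is None or last < cutoff:
            report.append((user, last))
    return report

# Constructed sample data: the current log file, an older one, and a user list.
CURRENT_LOG = """\
2024-05-28 08:01:12; action: Log In; user: alice; src: 198.51.100.7;
2024-05-28 08:05:40; action: Log Out; user: alice; src: 198.51.100.7;
2024-05-30 09:15:00; action: Log In; user: Bob; src: 198.51.100.9;
"""
OLDER_LOG = """\
2024-02-11 07:45:03; action: Log In; user: carol; src: 198.51.100.23;
2024-03-02 10:00:00; action: Log In; user: bob; src: 198.51.100.9;
"""
USERS = ["alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    now = datetime(2024, 6, 1)            # fixed date so the sample is repeatable
    for user, last in stale_users(USERS, [CURRENT_LOG, OLDER_LOG], now):
        print(user, last.isoformat() if last else "no login found")
```

Treat the result as a review list rather than a deletion list: an account missing from the logs may simply predate the oldest log file you fed in.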
Stephen_Slater
Employee

I've been seeing more customers using API for actions like this recently. If PhoneBoy's Logprint commands don't work out, you might be able to leverage this from another device, through API.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

0 Kudos
PhoneBoy
Admin

I mentioned that exact API above 🙂

0 Kudos