Thank you Amir.!  Please do me a favor a take a look at my screenshots above.   In the second screenshot it says "Send a copy..."

So does this mean that the logs are stored on the security servers and the log server?

Hey brother, thats exactly what it means, yup.

Andy

Thanks Andy!  So what's the point of having a log server if the logs are going to be stored on the gateway anyway?  

Sorry - here's the screenshot I was referring to from my cluster object:

Hey Joe,

So one way to be 100% positive fw is NOT logging locally is below command.

watch -d ls -lh $FWDIR/log/fw.log (ctrl+c to stop)

Leave it for 30 seconds or minute or so, if it stays at 8.2K, that without any doubt proves its NOT logging locally, but to the log server.

Andy

Thanks Andy - my fw.log file on my security GW is at 8.3K. (I didn't stop using the command)

Why do I have all these old .log, .logaccount_ptr, and loginitial_ptr files on my security GWs?

Aug 25 23:59 2024-08-25_235900.log

Aug 24 23:59 2024-08-25_235900.logaccount_ptr

Aug 24 23:59 2024-08-25_235900.loginitial_ptr

Is it in same dir? $FWDIR/log?

Yes.

/opt/CPsuite-R81.20/fw1/log

I have bunch of those as well. But, my fw.log file ALWAYS shows 8.2 K, which tells me 100% its NOT logging locally, otherwise, that file would be growing rapidly.

Andy

Morning Andy - Happy Friday!  A follow up question...

I'm seeing this pop-up every day now.  What device is this coming from and how can I find out perhaps using df -h or du -h?

I can't seem to find the linux command to get me the free space on a directory - in this case /opt.

Hey brother,

No problem man, questions are free, answers may cost money...I charge 5 easy payments of ONLY 49.99$ 😉

Just kidding, of course you can ask as many questions!

Anywho, here is how you "tackle" this...

So, since we are talking /opt, do something like this from expert mode:

find /opt -size +300M

That will look for any files bigger than 300MBs and of course, you can replace 3 with any other digit.

Here is example in my lab.

Andy

Btw, just for the context, IF you see any of below files, do NOT delete them, as anything jumbo related in sub dir LastTake is needed to install further jumbo fixes.

[Expert@CP-GW:0]# find /opt -size +300M
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#79/LastTake/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#84/LastTake/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#84/Completely/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
[Expert@CP-GW:0]#

Thanks Andy!

So as far  as that message I'm receiving when I open SmartConsole talking about having less than 2GB of free disk space on /opt...is there no way to tell which device is reporting this without searching via command line all my devices?

Also is there a way to find the "free disk" space of a partition (/opt)?  My "GoogleFu"v is failing me   lol!

Thanks again Andy

Cool.  Thanks again man - have a good weekend!

Did that help? Btw, you can open old school sv monitor from c/programfilesx86/checkpoint/R81.xx/program (I think) and then look for SVmonitor icon (I believe its sort of orangy color). Or just log into web UI and see which device shows it.

Nice weekend as well!

Andy

Thanks Andy - you're talking about SmartView Monitor right?  

You got it.

Hey Joe,

Just to help you further, I attached some screenshots about what I was referring to, you can also tell this way.

Andy

That's what I thought.  Thanks again Andy!

No problem!

This is how you save locally to GW, it might not be available if you have more than 1 log server.

 If you have local logging it's because reasons I specified. By using log forwarding (turned off on you cluster by screenshot 2024-09-26 110718.jpg) you will schedule those logs.

You probably don't have that much logs per log file but it may accumulate over a long period of time.

/var/log partition is also accommodating upgrade packages and JHF packages. So if you have a lot of those you can remove some of the older ones.