This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2024-09-26 07:34 AM
Jump to solution

Smart-1 600-S server acting as main log server

Morning all!

Running R81.20 Take 53

2 node active/standby cluster

SmartEvent (log server) running on a Smart-1 600-S appliance

Management server is running in a VM (backup log server)

 

2 questions.

  1. I've recently been looking at my log settings as I'm seeing a pop-up in SmartConsole that my /opt partition is under 2GBs.  I don't know where this alert is referring to as I've checked my disks using df -h and also looked at the system information information in SmartView Monitor...
  2. If I look at $FWDIR/log on both of my security gateways, I'm seeing a ton of logs like this:
  • Aug 2 23:59 2024-08-03_235900.logaccount_ptr
    Aug 2 23:59 2024-08-03_235900.loginitial_ptr

Why are these logs being stored here and ALSO on my log server?

 

Thanks guys

 

Here are some additional issues I may have found:

I've looked in the R81.20 admin guide for configuring logging and found this article - but I do not see the options it is describing:

Also It does not appear I'm forwarding the logs from my gateways even though I'm seeing the logs on my two log servers...

 

 

 

 

 

Labels
Preview file
122 KB
Preview file
63 KB
Preview file
70 KB
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2024-09-27 05:29 AM
In response to Joe_Kanaszka
Jump to solution

Um, good question...not sure about smart console, might be hard to tell unless maybe from "old school" sv monitor, otherwise, it would pop up 100% when you log into web UI, for sure.

You cant really tell "free disk" portion, hehe. You need to do search similar to one I sent you.

Or, you can do below.

Andy

du -h /opt | sort -h

View solution in original post

(1)
21 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-09-26 08:04 AM
Jump to solution

Hi,

1. Would check on both SMS and on log server/SmartEvent

2. You might have local logging at time. This could be caused of servers are not available, connectivity issues, heavy load of logs etc. To solve this, I would go to all gateways/clusters objects you have, go to Logs -> Additional Logging , in there activate log forwarding to your log server and select a time for this. This should take care of this.

Kind regards, Amir Senn
(1)
Joe_Kanaszka
Advisor
‎2024-09-26 08:23 AM
In response to Amir_Senn
Jump to solution

Thank you Amir.!  Please do me a favor a take a look at my screenshots above.   In the second screenshot it says "Send a copy..."

So does this mean that the logs are stored on the security servers and the log server?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-26 08:44 AM
In response to Joe_Kanaszka
Jump to solution

Hey brother, thats exactly what it means, yup.

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-09-26 08:50 AM
In response to the_rock
Jump to solution

Thanks Andy!  So what's the point of having a log server if the logs are going to be stored on the gateway anyway?  

 

Sorry - here's the screenshot I was referring to from my cluster object:

Preview file
95 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-26 08:54 AM
In response to Joe_Kanaszka
Jump to solution

Hey Joe,

So one way to be 100% positive fw is NOT logging locally is below command.

watch -d ls -lh $FWDIR/log/fw.log (ctrl+c to stop)

Leave it for 30 seconds or minute or so, if it stays at 8.2K, that without any doubt proves its NOT logging locally, but to the log server.

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-09-26 09:09 AM
In response to the_rock
Jump to solution

Thanks Andy - my fw.log file on my security GW is at 8.3K. (I didn't stop using the command)

Why do I have all these old .log, .logaccount_ptr, and loginitial_ptr files on my security GWs?

Aug 25 23:59 2024-08-25_235900.log

Aug 24 23:59 2024-08-25_235900.logaccount_ptr

Aug 24 23:59 2024-08-25_235900.loginitial_ptr

 

 

 

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-26 09:13 AM
In response to Joe_Kanaszka
Jump to solution

Is it in same dir? $FWDIR/log?

(1)
Joe_Kanaszka
Advisor
‎2024-09-26 09:18 AM
In response to the_rock
Jump to solution

Yes.

/opt/CPsuite-R81.20/fw1/log

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-26 06:21 PM
In response to Joe_Kanaszka
Jump to solution

I have bunch of those as well. But, my fw.log file ALWAYS shows 8.2 K, which tells me 100% its NOT logging locally, otherwise, that file would be growing rapidly.

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-09-27 04:53 AM
In response to the_rock
Jump to solution

Morning Andy - Happy Friday!  A follow up question...

I'm seeing this pop-up every day now.  What device is this coming from and how can I find out perhaps using df -h or du -h?

I can't seem to find the linux command to get me the free space on a directory - in this case /opt.

Preview file
16 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-27 05:07 AM
In response to Joe_Kanaszka
Jump to solution

Hey brother,

No problem man, questions are free, answers may cost money...I charge 5 easy payments of ONLY 49.99$ 😉

Just kidding, of course you can ask as many questions!

Anywho, here is how you "tackle" this...

So, since we are talking /opt, do something like this from expert mode:

find /opt -size +300M

That will look for any files bigger than 300MBs and of course, you can replace 3 with any other digit.

Here is example in my lab.

Andy

Btw, just for the context, IF you see any of below files, do NOT delete them, as anything jumbo related in sub dir LastTake is needed to install further jumbo fixes.

[Expert@CP-GW:0]# find /opt -size +300M
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#79/LastTake/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#84/LastTake/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#84/Completely/fw1_backup_HOTFIX_R81_20_JUMBO_HF_MAIN.tgz
[Expert@CP-GW:0]#

 

(1)
Joe_Kanaszka
Advisor
‎2024-09-27 05:24 AM
In response to the_rock
Jump to solution

Thanks Andy!

 

So as far  as that message I'm receiving when I open SmartConsole talking about having less than 2GB of free disk space on /opt...is there no way to tell which device is reporting this without searching via command line all my devices?

 

Also is there a way to find the "free disk" space of a partition (/opt)?  My "GoogleFu"v is failing me   lol!

 

Thanks again Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-27 05:29 AM
In response to Joe_Kanaszka
Jump to solution

Um, good question...not sure about smart console, might be hard to tell unless maybe from "old school" sv monitor, otherwise, it would pop up 100% when you log into web UI, for sure.

You cant really tell "free disk" portion, hehe. You need to do search similar to one I sent you.

Or, you can do below.

Andy

du -h /opt | sort -h

(1)
Joe_Kanaszka
Advisor
‎2024-09-27 05:39 AM
In response to the_rock
Jump to solution

Cool.  Thanks again man - have a good weekend!

the_rock
MVP Gold
MVP Gold
‎2024-09-27 05:57 AM
In response to Joe_Kanaszka
Jump to solution

Did that help? Btw, you can open old school sv monitor from c/programfilesx86/checkpoint/R81.xx/program (I think) and then look for SVmonitor icon (I believe its sort of orangy color). Or just log into web UI and see which device shows it.

Nice weekend as well!

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-09-27 06:59 AM
In response to the_rock
Jump to solution

Thanks Andy - you're talking about SmartView Monitor right?  

Preview file
9 KB
the_rock
MVP Gold
MVP Gold
‎2024-09-27 07:00 AM
In response to Joe_Kanaszka
Jump to solution

You got it.

(1)
the_rock
MVP Gold
MVP Gold
‎2024-09-27 06:13 AM
In response to Joe_Kanaszka
Jump to solution

Hey Joe,

Just to help you further, I attached some screenshots about what I was referring to, you can also tell this way.

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

  

(1)
Joe_Kanaszka
Advisor
‎2024-09-27 07:00 AM
In response to the_rock
Jump to solution

That's what I thought.  Thanks again Andy!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-09-27 07:01 AM
In response to Joe_Kanaszka
Jump to solution

No problem!

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-09-28 04:01 AM
In response to Joe_Kanaszka
Jump to solution

This is how you save locally to GW, it might not be available if you have more than 1 log server.

Capture.PNG

 If you have local logging it's because reasons I specified. By using log forwarding (turned off on you cluster by screenshot 2024-09-26 110718.jpg) you will schedule those logs.

You probably don't have that much logs per log file but it may accumulate over a long period of time.

/var/log partition is also accommodating upgrade packages and JHF packages. So if you have a lot of those you can remove some of the older ones.

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events