This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2022-04-06 05:07 PM

Smart Event Log Indexes Deletion

Hello Checkmates,

Log indexes are not being removed from /var/log/opt/CPrt-R80.40/log_indexes on Smart Event server and consuming more than 50% of 1.2TB log partition.

Smart Event server version is R80.40 JHF GA Take 94.

du -h --max-depth=1 /var/log/opt/CPrt-R80.40 | sort -n -r
621G /var/log/opt/CPrt-R80.40
619G /var/log/opt/CPrt-R80.40/log_indexes
200M /var/log/opt/CPrt-R80.40/log_indexer
111M /var/log/opt/CPrt-R80.40/conf
20M /var/log/opt/CPrt-R80.40/Database
1.1G /var/log/opt/CPrt-R80.40/log
0 /var/log/opt/CPrt-R80.40/events_db
0 /var/log/opt/CPrt-R80.40/distri

Within /var/log/opt/CPrt-R80.40/log_indexes there are a lot of folders named audit_*, other_*, resources_* and smartevent_* (example below), that date back to March 2021.

audit_2022-04-06T00-00-00
other_2022-04-07T00-00-00
resources_2022-04-06T00-00-00
smartevent_2022-04-06T00-00-00

Daily log retention policy in Smart Console configured as below.
-Keep indexed logs for no longer than 14 days
-Keep log files for an extra 16 days.

Does sk117317 relate to this issue? Does a maintenance policy need to be configured on the server?

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2022-04-06 05:20 PM

My honest opinion...yes and yes. But, I will let smart event gurus confirm.

0 Kudos
Amir_Senn
Employee
Employee
‎2022-04-07 01:08 AM

The SK is relevant only if you run global SmartEvent, if not just make sure you installed DB.

You can look at $FWDIR/log/fwd.elg to see what is the loaded policy (install DB for non-global SmartEvent or restart fwd process on global).

Kind regards, Amir Senn
0 Kudos
Simon_Macpherso
Advisor
‎2022-04-10 04:35 PM
In response to Amir_Senn

Thanks @Amir_Senn. DB install was required after recent changes. 

0 Kudos
Ruan_Kotze
Advisor
‎2022-04-07 01:53 AM

Note that the SK is only applicable to Global SmartEvent / MDS.

I think the value configured on SmartConsole takes precedence, but it would still be worthwhile to check what the days_to_index value in your $INDEXERDIR/log_indexer_custom_settings.conf is.

0 Kudos
Simon_Macpherso
Advisor
‎2022-04-07 04:38 PM
In response to Ruan_Kotze

There is no days_to_index value configured in $INDEXERDIR/log_indexer_custom_settings.conf. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top