This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nadezhda
Contributor
‎2023-09-22 02:57 AM

SmartEvent storage depth

Logging of events on CheckPoint equipment is organized using SmartEvent server. Event log viewing is performed using the Security Management Server console (software versions on both serversR81.10). However, the event storage depth is no more than 2-3 days, which does not meet the current needs.

How can we increase the event storage depth on CheckPoint SmartEvent server to 15-30 days?

Labels
0 Kudos
6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-22 03:45 AM

sk111766: R80.x & above SmartLog/SmartEvent server doesn't index/show logs older than 1-14 days back

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Nadezhda
Contributor
‎2023-09-22 03:57 AM
In response to G_W_Albrecht

Yes, we have seen that sk, thanks, but in $RTDIR/log_indexes we also contain logs longer than 3 days, so it probably doesn't fit for us

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-22 04:13 AM
In response to Nadezhda

Then ask CP TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-09-22 07:26 AM
In response to Nadezhda

I agree with @G_W_Albrecht ...if that sk does not help, TAC is your next avenue.

Andy

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-10-17 05:57 AM
In response to Nadezhda

Different indexes cores could have different definitions. You can check $FWDIR/conf/log_policy.C for advanced options. There's a chance that the logs are available but indexes are not, you can check it by trying to open log file manually of older dates and see if you can see the event in this mode (which is non-index mode).

Also, you should check log retention definitions on the SmartEvent server itself. If the server is short on storage it might trigger emergency log cleanup and might explain why this isn't available.

Kind regards, Amir Senn
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-10-17 06:05 AM

What is the storage capacity / utilisation of the machine?

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events