This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dkzndkqh
Contributor
‎2025-10-22 07:31 PM
Jump to solution

Smartview log export

I understand that in SmartView, the number of logs that can be exported at one time is currently limited to 1,000,000. Is there any way to work around this limitation? We are currently dealing with a ransomware incident and need to perform a full log investigation, so even if we filter the logs, exporting just one day’s worth would exceed 1,000,000 logs in just one hour. Alternatively, is there a more effective method to handle this?

0 Kudos
1 Solution

Accepted Solutions
12 Replies
Blason_R
MVP Gold
MVP Gold
‎2025-10-22 10:52 PM
Jump to solution

Did you try with mgmt_cli? I always export the logs using the same filter and then using jq with csv its the faster one

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
dkzndkqh
Contributor
‎2025-10-22 11:49 PM
In response to Blason_R
Jump to solution

Could you share the commands or filters you are using?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2025-10-23 12:28 AM
In response to dkzndkqh
Jump to solution

The filters are same as you give on smartlog command would be 

For example to filter port 587

mgmt_cli show logs new-query.time-frame "today" new-query.filter "service:TCP_587 AND blade:Firewall"

 

Output in json

mgmt_cli show logs new-query.time-frame "today" new-query.filter "service:TCP_587 AND blade:Firewall" --format json > /tmp/test.json

 Then edit with jq or jq -r to get the desired output in csv

Or Directly convert those in csv using cplgv.exe from  C:\Program Files (x86)\CheckPoint\SmartConsole\R82\PROGRAM and select export option to choose log file name

or if you want to specifically select then

use fw log command for particular log file from $FWDIR/log and then fitler the traffic for Accept or Drop or use grep accordingly

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
dkzndkqh
Contributor
‎2025-10-23 12:40 AM
In response to Blason_R
Jump to solution

What I want to do right now is extract data such as Time, Destination, Source User Name, Rule, Interface Direction, Policy Rule UID, Type, Interface, Source User DN, Machine Name, App Protocol, context_num, Policy Date, Service ID, Action, ID, Interface Name, Layer Name, Source Port, Product Family, Blade, Direction of Connection, lastupdatetime, Sequence Number, Source, Policy Name, id_generated_by_indexer, Database Tag, Log Server Origin, Service, connection_id, Origin, Marker, Destination Port, Protocol, High Level Log key, logid, sig_id, User, first, Policy Management, Destination Machine Name, and I want the values to be properly aligned in the corresponding columns when opened in Excel, just like when exporting from SmartView. Is that possible?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2025-10-23 12:46 AM
In response to dkzndkqh
Jump to solution

Then you should  use cplgv and export in csv

 

OR do that for every file then

 

fw log -l -n -p   /opt/CPsuite-R81.20/fw1/log/2025-09-03_000000.log  > /tmp/test.log

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
dkzndkqh
Contributor
‎2025-10-23 01:44 AM
In response to Blason_R
Jump to solution

ChatGPT의 말:

When I run fw log , the file size ends up being in the gigabyte range.  is that right ..?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-23 06:59 AM
In response to dkzndkqh
Jump to solution

Might be worth TAC case to confirm.

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-23 08:45 AM
In response to dkzndkqh
Jump to solution

That seems small. For me, 'fwm logexport' usually goes from a 2 GB original file to about 35 GB of text. I wrote a post a while ago about how I deal with exported log data.

the_rock
MVP Platinum
MVP Platinum
‎2025-10-23 11:47 AM
In response to dkzndkqh
Jump to solution

Gb range, sounds right.

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-10-23 12:48 PM
Jump to solution

Log exporter -> https://support.checkpoint.com/results/sk/sk122323

In combination -> how to export old logs with log exporter -> https://support.checkpoint.com/results/sk/sk183376

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-23 06:35 PM
Jump to solution

Having SmartView export more than 1 million records at a time is an RFE.

Repeated, tightly scoped queries to the get-logs API endpoint piped through jq can format the output in CSV, if you want to go that route.
Not sure it's possible to specify a date range in the query in SmartView (maybe @Tomer_Noy knows).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events