Hello!
The SmartConsole does not display old logs, for example, for dates older than 20-30 days.
The memory on the management server is sufficient. We also don't see logs in https://<ip-address>/SmartView.
HCP did not detect any critical errors. What direction can we go to find a solution? The time zone on the management server is correct. The version is R81.
Hi,
2 questions:
1) Did you perform an upgrade recently? From R81 we started using a newer version of the indexing engine, and if the old logs were indexed prior to the upgrade they will need to be re-indexed.
2) In SmartConsole logs view, you can select the menu next to the query line and select "Open log file". Can you see the older log files there?
1) No, no changes have been made.
2) Open Log Files has data for later dates. We think this is a cosmetic problem, but we don't know how to fix it.
Run "ls $FWDIR/log/" on your log server and check if you indeed have those log files.
Yes, these logs are available. Because when we click on a file in "Open Log Files...", the logs from earlier months are opened.
If you have them in the log files you can open them with and see them in non-index mode. If you want to index them you can use the following sk:
But I recommend not to index all at once. Depending on the amount of logs you have this could put some strain on the log server.
Do I understand correctly that the indexing option can also be configured in Daily Logs Retention Configuration? Or is it recommended to work only with sk111766?
Could you describe in more detail the nature of the two settings in this window?
As I understood the first setting "Keep indexed logs for no longer than" answers the number of days for indexed logs. And the parameter "Keep log files for an extra" is responsible for the number of days that can be indexed? How would you recommend to configure these parameters, so that we can look through the logs for at least the last 2 months?
In the daily retention you can set how long to keep the logs and indexes but not re-index them.
We have the logs and we have the indexes. Normal search in the logs view will work only if you have indexes but if the log files still exist you can open them (but one at a time though) and they could still be re-indexed any time.
So you can keep the indexes for X days, and that is the number of days you can search in the logs view without opening the log files one at a time. The logs are stored for an extra Y days, which means you will have a long retention of X+Y.
The amount of days that I can recommend could vary over some factors. I think that using the retention by disk space is fine, just make sure that 10% is above 10 GB or something else you're comfortable with.
There is a setting for SmartLog Daily Logs Retention Configuration found in SMS object > Logs > Storage that is set to:
Keep indexed logs for no longer than one day
Keep log files for an extra 3 days
We have these settings. Should we edit them? How would you recommend editing them?
That's up to your preferences on how long you want to keep the logs. If you want to keep them as long as you can, you can keep the disk space management of deleting the oldest once getting below 10%; this also depends on the volume of your log partition.
We have files with old logs in "Open Log Files...", but they do not show up in a simple SmartConsole search. That is, we observe a cosmetic error that we cannot search logs older than 20 days. There is disk space (more than 60% of the logs memory is free) and the logs are not deleted. Maybe there is a way to fix the cosmetic log display problem?
Check what are your oldest indexes here on the log server with "ls $RTDIR/log_indexes/"
I had a similar issue with a client once and TAC gave me the below, which fixed the issue
Andy