- Products
- Learn
- Local User Groups
- Partners
- More
This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Eastern Africa
- Israel
- Nordics
- Middle East and Africa
- Balkans
- Italy
- Bulgaria
- Cyprus
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
The Great Exposure Reset
24 February 2026 @ 5pm CET / 11am EST
CheckMates Fest 2026
Watch Now!AI Security Masters
Hacking with AI: The Dark Side of Innovation
CheckMates Go:
CheckMates Fest
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- CheckMates
- :
- CheckMates Toolbox
- :
- Scripts
- :
- Audit script
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Audit script
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_rock
MVP Diamond
Hey guys,
Happy weekend!
If someone would be willing to try attached script, be free to let me know if results seem accurate or not? I tested in the lab and seemed more less right. It essentially gives clish commands and also audit for the last 30 days. I wont paste all I got, but here is the snipper and then very end.
Lab:
[Expert@CP-GW:0]# ./audit-history.sh
============================================================
Check Point Gaia - Admin/Audit activity (last 30 days)
Host: CP-GW
Generated: Sat Feb 14 13:22:57 EST 2026
============================================================
-------------------- CLISH HISTORY -------------------------
CmdNo Command
2 show dns primary
3 show dns secondary
4 show dns tertiary
5 show Notes:
6 show allowed-client all
7 show version all
8 show interfaces all
9 show route
10 show arp dynamic all
11 show vpn tunnels
12 show arp dynamic all
13 show arp static all
14 show arp proxy all
15 show version all
16 show interfaces
17 show route
18 show uptime
19 show asset all
20 show snapshots
21 show backups
22 show-config state
23 show version all
24 show asset all
25 show asset all
26 show configuration
27 show version all
28 show sysenv all
29 show sam status
30 show config-state
31 show config-state
32 show installer status
33 show sam status
34 show version all
35 show configuration
36 show configuration
37 show configuration
38 show configuration
39 show configuration
40 show configuration
41 show configuration
42 show configuration
43 show configuration
44 show configuration
45 show configuration
46 show configuration
47 show version all
48 show password-controls all
49 show configuration
50 show password-controls min-password-length
51 show password-controls all
52 show configuration
53 show password-controls min-password-length
54 show password-controls all
55 show configuration
56 show password-controls min-password-length
57 show password-controls all
58 show configuration
59 show password-controls min-password-length
60 show version all
61 show ntp active
62 show ntp servers
63 show allowed-client all
64 show ssh server password-authentication
65 show ssh server permit-root-login
66 show version all
67 show version all
68 show domainname
69 show dns suffix
70 show dns primary
71 show dns secondary
72 show dns tertiary
73 show interface erspan0
74 show interface erspan0
75 show interface eth0
76 show interface eth0
77 show interface eth1
78 show interface eth1
79 show interface eth2
80 show interface eth2
81 show interface eth2.100
82 show interface eth2.100
83 show interface gre0
84 show interface gre0
85 show interface gretap0
86 show interface gretap0
87 show interfaces
88 show interfaces
89 show version all
90 show asset all
91 show sysenv all
92 show version all
93 show management interface
94 show interfaces
95 show dns
96 show ntp servers
97 show ntp active
98 show allowed-client all
99 exit
100 history
101 history
---------------- SYSTEM/AUDIT LOG HITS ---------------------
Files scanned (recently modified):
- /var/log/messages
- /var/log/messages.1
- /var/log/messages.2
- /var/log/messages.3
- /var/log/messages.4
- /var/log/messages.5
- /var/log/messages.6
- /var/log/messages.7
- /var/log/secure
Matches (filtered by last 30 days + regex: (audit|Audit|clish|gclish|WebUI|syslog|sudo|COMMAND=|sshd|login|logged in|logout|cpconfig|cpstop|cpstart|installer|expert|dbedit|mgmt_cli|api|policy|install)):
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 91%
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 92%
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 93%
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 94%
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 95%
Feb 14 11:48:48 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 96%
Feb 14 11:48:49 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 97%
Feb 14 11:48:51 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Validating candidates 98%
Feb 14 11:48:52 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Processing candidates 0%
Feb 14 11:48:52 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Processing candidates 2%
Feb 14 11:48:52 2026 CP-GW xpand[10825]: admin localhost t +installer:update_status_message Processing candidates 3%
Feb 14 11:48:52 2026 CP-GW xpand[10825]: adm
Notes:
- Gaia 'Audit' syslog category covers admin operations from WebUI and Gaia Clish. [1](https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/AdminGuides_Locally_Managed/E...)
- If your appliance rotated/purged logs earlier, older entries may be missing
Best,
Andy
Andy
Hey guys,
Happy weekend!
If someone would be willing to try attached script, be free to let me know if results seem accurate or not? I tested in the lab and seemed more less right. It essentially gives clish commands and also audit for the last 30 days. I wont paste all I got, but here is the snipper and then very end.
Lab:
[Expert@CP-GW:0]# ./audit-history.sh
============================================================
Check Point Gaia - Admin/Audit activity (last 30 days)
Host:
Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.
0 Replies
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
©1994-2026 Check Point Software Technologies Ltd. All rights reserved.
Copyright
Privacy Policy
About Us
UserCenter