Thanks , I have seen this sk article , but I have been told that this script is not compatible with R81.10 unfortunately 

That SK has itself been deleted 😉

I see the same, says has been deleted.

It has been indeed un-published. Use https://support.checkpoint.com/results/sk/sk65330

Thanks Andy , the issue I have though knowing which files can be safely deleted , as you can see from my output above , for example

8.8G    /var/log/opt/CPsuite-R80.30 - this directory is taking up 8.8G
within these directories I am not sure which files are safe to delete

Ok, got it...can you run find command on that dir? So say find /var/log/opt/CPsuite-R80.30 -size +500000000c

Andy

This what I get from that output 

[Expert@xxxx-xxx:0]# find /var/log/opt/CPsuite-R80.30 -size +500000000c
/var/log/opt/CPsuite-R80.30/fw1/log/2020-09-05_000000.log
/var/log/opt/CPsuite-R80.30/fw1/log/2020-09-04_000000.log
/var/log/opt/CPsuite-R80.30/fw1/log/2021-02-01_000000.log
/var/log/opt/CPsuite-R80.30/fw1/log/2020-08-16_000000.log
/var/log/opt/CPsuite-R80.30/fw1/log/2020-08-17_000000.log

Is it safe to delete the above files ?

I would say yes 8) But please also consult the following documents:

sk63361: How to clean up disk space on a Security Gateway or Security Management Server

sk114114: Disk space management tools do not delete logs from previous Security Management versions

Its from 2021 and 2020, Covid years my friend : - ). I think safe to delete.

Has anyone seen kcore file, ok to delete?

find / -type f -size +100000000 -exec ls -lh {} \; 2> /dev/null | awk '{ print $NF ": " $5 }' | sort -nk 2,2
/opt/CPsuite-R81.20/fw1/te_file_analyzer/proc/kcore: 128T
/proc/kcore: 128T
/var/log/aspose/opt/CPsuite-R81.20/fw1/aspose_jail/proc/kcore: 128T
/var/log/files_repository/Archive_Tool/8785455D-CDCA-49C6-B22F-D9325B260629/601178/proc/kcore: 128T

Ok to remove these 81 & 81.10 files, now that I"m no 81.20?

/var/log/CPda/repository/CheckPoint#Major#All#6.0#5#2#R81_T392/Check_Point_R81_T392_Fresh_Install_and_Upgrade_v1.tgz: 3.4G
/var/log/CPda/repository/CheckPoint#Major#All#6.0#5#3#R81.10_ignis_main_T335/Check_Point_R81.10_T335_Fresh_Install_and_Upgrade.tgz: 3.4G
/var/log/CPda/repository/CheckPoint#Major#All#6.0#5#4#R81.20_ivory_main_T631/Check_Point_R81.20_T631_Fresh_Install_and_Upgrade.tgz: 3.7G
/var/log/CPda/repository/CheckPoint#Major#All#6.0#5#3#BLINK_R81_10_T335_JHF_T45_GW/Blink_image_1.1_Check_Point_R81.10_T335_JHF_T45_SecurityGateway.tgz: 5.2G

This may explain...

Andy

https://www.linode.com/community/questions/21878/why-is-my-prockcore-file-so-large#:~:text=The%20nea....

Thanks!

Also, any harm getting rid of older stuff in the repository?  /var/log/CPda/repository    I have some R80.40 and R81 files not to mention R81.10 now.

How about these older R80.40 .dat files?

/var/log/files_repository/Raw_Files/D100C612-9D05-48AA-9F2A-F8C42528F100/600400/te_eu_fireball_11_9_990000400_600400.tgz: 505M
/var/log/opt/CPsuite-R81/fw1/log/mq_mng.elg: 657M
/var/log/opt/CPshrd-R80.40/cpview_services/CPViewDB_1616105839.dat: 853M
/var/log/opt/CPshrd-R80.40/cpview_services/cpview_services.dat: 872M
/var/log/opt/CPshrd-R80.40/cpview_services/CPViewDB_1600974992.dat: 879M
/var/log/opt/CPshrd-R80.40/cpview_services/CPViewDB_1611009647.dat: 927M
/var/log/opt/CPshrd-R81/cpview_services/CPViewDB_1628947028.dat: 953M

I always delete whatever is there after the upgrade. Maybe you can confirm 100% with TAC if its safe, but I never had any issues after deleting old files form that dir. Just make sure NOT to delete any files from dir called LastTake (cant recall where its located now, I think under /var/log as well), as that would affect next jumbo install.

Andy

@Daniel_Kavan , here is dir I was referring to (do NOT delete anything from here)

[Expert@CP-gw:0]# find / -name LastTake
/opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#26/LastTake
[Expert@CP-gw:0]#

I have the problem with some R81.20 machines.

I just wonder, because we added file deletion on the device object "Logs>Local Storage", when disk space is below 15%.
I for my point of view the device does not delete any files, so it looks like the disk space is not checked on the /var/log partition but only on the complete disk.

Am I right with that ? but this policy does not make any sense to me.

Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current   32G   19G   14G  57% /
/dev/md0                         290M  116M  160M  42% /boot
tmpfs                             31G  543M   31G   2% /dev/shm
/dev/mapper/vg_splat-lv_log      192G  174G   19G  91% /var/log

Which is funny because this SK says the "hardcoded limit" for specifying this limit is 25% https://support.checkpoint.com/results/sk/sk182048
Which suggests you may want to contact the TAC.

thank's for the sk on the mgmt server.

And I was wrong I had a look at the wrong directory, as always my backup files filled the /var/log partition.

Forgot to add the cronjob to delete the backups once per day.

Personally, I always found once a week is good enough doing a backup.

Best,

Andy