Hello all,
I am trying to run an application and URL filtering report from last month (which just happens to be "last year"). I specify a custom date range of 12/1/2018 to 12/15/2018 with this query:
product:("Application Control" OR "URL Filtering") AND NOT action:"Redirect" AND type:("Log" OR "Alert" OR "Session") AND NOT app_category:"Network Protocols" AND user:"username (logonname)" AND ("username")
Where "username" and "logonname" are replaced with the appropriate AD attributes; however, I do not get any data in the report. If I change the date range to 12/15/2018 to 12/31/2018 I get the same result. However, if I change the date range to 1/1/2019 through 1/8/2019, I get a populated report.
Our Check Point admin left about 5 months ago and I'm still learning all of this, so please bear in mind that I'm still new to all of this.
Is there something I need to do to get the data from last month? Is it automatically archived off into an older database? Is there a process that archives off previous years automatically?
I am using the R80.10 SmartConsole for viewing reports.
If you look for logs from that timeframe, are they found?
Where do I check?
In Logs and Monitor (or SmartView).
Go to the Logs tab and click on the clock in the search bar.
Pull down "Custom" and specify the desired timeframe.
The management (or log server) will delete log files if there is limited disk space.
Settings are specified in your management object.
Ah, OK. Yes, I was using the custom timeframe option to specify dates from 12/1/2018 to 12/15/2018 and nothing comes up. Same with 12/16/2018 to 12/31/2018. In fact, I only see stuff as far back as 1/2/2019 and anything before that is blank.
As for the settings on the log server, they are set to alert at 20 MBytes and start deleting at 5000 MBytes, and to delete index files older than 14 days. Disk space on our logging server according to "df -h" is only at 1% used.
It seems that the deleting of the index files older than 14 days is affecting the reports? Does that mean the data is there but since it isn't indexed it isn't showing up?
Yes, removing index files will affect reporting and the ability to search logs.
Recommend this SK: How to run SmartEvent Offline Jobs for multiple log files
And also this thread: https://community.checkpoint.com/thread/6624-smartlog-only-look-back-14-days-how-to-reindex-90-days-...
Thanks so much! I'm running the re-index now.
I ran the re-index and used $RTDIR/scripts/doctor-log.sh -f to verify that the indexing status is OK, however I still cannot pull data from more than 14 days. Is there any way to verify if the data is actually there in the database?
Might be a good idea to open a TAC case so we can troubleshoot.
I agree with Dameon. My initial thought was the default 14 days of Index files. However I keep 32 days of Indexes and when I filter my logs on December 2018, I am only seeing logs from 23:59:43 and newer for Dec 31st.