This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Garrett_Anderso
Advisor
‎2019-03-13 09:56 AM

R80.xx equivalent of CPLogInvestigator for Log Volume and SmartEvent sizing

Hello Community --

The R77x Sizing guide includes mention of CPLogInvestigator that would analyze Log Server and provide tangible metric to help intelligently size a SmartEvent appliance model.

What are our options for R80.xx ?    

How are customers (and resellers) to investigate log server volume -- and associated log levels -- to properly size SmartEvent solutions?   

Example:   customer only has "network log" enabled due to hardware limitations under current Log Server.  They would like to enable "full log" with accounting (for some use-cases).

We need to first collect data for current log volume and then extrapolate to different log density.

Product mgmt must have a strategy formulated on this.  

advise.   -Garrett

reference:

  • Network Log - Generates a log with only basic Firewall information: Source, Destination, Source Port, Destination Port, and Protocol.
  • Log - Equivalent to the Network Log option, but also includes the application name (for example, Dropbox), and application information (for example, the URL of the Website). This is the default Tracking option.
  • Full Log - Equivalent to the log option, but also records data for each URL request made.
    • If suppression is not selected, it generates a complete log (as defined in pre-R80 management).
    • If suppression is selected, it generates an extended log (as defined in pre-R80 management).
  • None - Do not generate a log.

You can add these options to a Log, Full Log, or Network Log:

  • Accounting - If selected, update the log every 10 minutes, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.
  • Suppression - If selected, one log is generated every three hours for all the connections.

 

SmartEvent Sizing Guide - R77.x

http://supportcontent.checkpoint.com/solutions?id=sk87263

Smart-1 R80.x Logging Capacity Performance Improvements

http://supportcontent.checkpoint.com/solutions?id=sk112797

0 Kudos
Reply
2 Replies
Matt_Ricketts
Employee
Employee
‎2019-03-13 12:55 PM

The doctor-log.sh script located at $RTDIR/scripts may be of assistance to you. It will analyze the logs and give you a brief output of your Current Logging and Daily Average Logging rates. It will also produce a detailed output at /tmp/sme-diag/results/detailed_diag_report.txt. Within the detailed output is the same logging rates as well as the Indexing Status and the logs based on the blade. There is a lot more data in the detailed log than what I show below. The Log Indexes total size is also within the report. Not shown here, but in my small environment I have about 11 GB of logs across 34 days. My daily average log file size is about 324 MB. From here I could do some math to determine what my log partition needs to be sized at based on what my retention time is.

Hopefully this helps you.

2019-03-13_125037.jpg

Reply
Garrett_Anderso
Advisor
‎2019-03-13 01:35 PM
In response to Matt_Ricketts

@Matt_Rickets --
I almost fell of my chair. this is very good immediate avenue to discuss with customer.
sincere thanks. -GA
0 Kudos
Reply