asdfn
Explorer

Smart-1 Console - Forward to SIEM Log Size Provision

Hi all,


I am using the "Forward to SIEM" feature from Smart-1 Cloud console to the SIEM. Before establishing the connection, I checked the Daily logs in Smart-1 Cloud console under Settings -> General, which should be around 15GB daily. However, once I established the connection, the log size was higher than expected. It generated around 2GB of logs in just 5 minutes of connection.

I'd like to know if the Smart-1 Console sends stored logs like past 1- or 2-days logs when the Forward to SIEM feature is successfully connected?

Thank you for any assistance

0 Kudos
3 Replies
PhoneBoy
Admin

On the management server (also relevant for Smart-1 Cloud), new log files are created every 24 hours at a fixed time as well as anytime the current log file gets to 2GB.
Log Exporter (which Smart-1 Cloud uses) only works with the current log file.
Therefore, it seems reasonable that we'd send the contents of the current log file once activated, meaning you'll get data from up to the last 24 hours.

0 Kudos
asdfn
Explorer

Thank you for your clarification. I was trying to validate whether the ingested logs cover the past 24 hours.

Therefore, I am following the article below to map the fields on the ingested logs. Could you please tell me which field I should look at to validate when the ingested log was generated?

https://support.checkpoint.com/results/sk/sk144192

Also, could you please inform me where I can check the current log file size and if there's a maximum storage limit on the management server for the past 24 hours' logs? With six firewalls connected, I'm concerned there might not be enough space to store all their logs for a full day. I'd like to measure the current retention capacity of the management server.


Thanks for your assistance

0 Kudos
PhoneBoy
Admin

I assume the "time" field would be what you'd use to determine when the log was generated.

With Smart-1 Cloud, the space available depends on what SKUs you've purchased.
For example, the SKU CPSM-CLOUD-5-GW allows for managing 5 gateways and up to 5GB of daily logs, whereas CPSM-CLOUD-5-GW-SME allows for 15GB of daily logs and adds SmartEvent.
Additional SKUs (e.g. to manage additional gateways) will add to these numbers.
You'll have to check with TAC to confirm where you are with respect to these limits.

0 Kudos
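One way to validate the "time" field on the forwarded lines and measure how far back the replayed current-log-file backlog reaches, as an added example (not code from the thread or from Check Point). It assumes Log Exporter's key="value" syslog style with "time" as epoch seconds and runs on constructed sample lines.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the key="value" syslog style (an assumption about
# the export format; only the "time" field, epoch seconds, is needed here).
SAMPLE_LINES = [
    'time="1700000000" action="Accept" src="10.1.1.5" dst="10.2.2.7" service="443"',
    'time="1700003600" action="Drop" src="10.1.1.9" dst="10.2.2.7" service="22"',
    'time="1700040000" action="Accept" src="10.1.1.5" dst="10.2.2.8" service="53"',
    'time="1700082000" action="Accept" src="10.1.1.6" dst="10.2.2.8" service="443"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" pairs of one exported log line as a dict."""
    return dict(KV_RE.findall(line))


def log_time(fields):
    """Convert the "time" field (epoch seconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(fields["time"]), tz=timezone.utc)


def coverage(lines, connected_at):
    """Summarise the received lines relative to when forwarding was connected.
    Returns oldest/newest log times, how many hours before the connection the
    oldest log was generated (the replayed backlog), whether that stays within
    the 24-hour rotation window, and bytes received per calendar hour."""
    times, per_hour = [], {}
    for raw in lines:
        fields = parse_fields(raw)
        if "time" not in fields:
            continue  # skip lines without the field we validate on
        t = log_time(fields)
        times.append(t)
        bucket = t.replace(minute=0, second=0, microsecond=0)
        per_hour[bucket] = per_hour.get(bucket, 0) + len(raw.encode())
    if not times:
        return None  # nothing parseable; caller decides how to report it
    oldest, newest = min(times), max(times)
    backlog_h = max(0.0, (connected_at - oldest).total_seconds() / 3600)
    return {"oldest": oldest, "newest": newest,
            "backlog_hours": round(backlog_h, 2),
            "within_24h": (connected_at - oldest) <= timedelta(hours=24),
            "bytes_per_hour": per_hour}


if __name__ == "__main__":
    # Constructed connection time, a few minutes after the newest sample line.
    print(coverage(SAMPLE_LINES, log_time({"time": "1700082300"})))
```

Summing the bytes_per_hour buckets over a full day gives a measured daily volume to compare against the SKU's daily log allowance.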
