Tomer Sole

Does Check Point delete audit log history?

Discussion created by Tomer Sole Expert on Aug 12, 2018
Latest reply on Aug 12, 2018 by Kaspars Zibarts

In R80.10, there are 2 sources for change history:


1. Dynamic revisions at the Security Management Server. This allows us to present:

- All changes at the Manage & Settings-->Revisions view in SmartConsole

- REST API for show-changes

These changes are kept forever, unless the user manually purges them. They are lightweight and are based on the delta difference. Users could use the Security Management API or the Gaia operating system revisions as a way to forward history to external storage.


2. Audit logs at the Log Management Server. This allows us to present:

- List of changes in the bottom pane of a selected revision in SmartConsole

- Graphs, overviews and reports of changes in SmartView

These changes are kept according to your Log Retention Policy. Notice that there are 2 retention metrics: deleting indexes of older audit logs (which makes searches for audit logs slow), and deleting the actual log files (which makes audit logs go away). By default, Check Point only deletes audit log files (and also traffic log files) when the disk space is below a very small threshold as defined in the Log Retention Policy. There are options to forward logs to external storage at the Additional Settings for Log Management Servers.


To summarize: There are two sources to retrieve change history for security management. In SmartConsole we use each source in the way that utilizes it best. However, you could create your own change reports based on the show-changes API. The retention rules are different between the two engines.
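As an added example (not code from the post or from Check Point), here is a Python script that pulls change history through the Security Management API's show-changes command and flattens it into rows you can ship to external storage, which is the forwarding option the post mentions. It assumes the usual web_api login / X-chkp-sid flow, that show-changes runs as a task you poll with show-task, and a reply shape I constructed for the sample; check both against the API reference for your version.

```python
import json
import time
import urllib.request

# Constructed sample of a finished show-task reply (field names assumed, not from the post).
SAMPLE_TASK = {"tasks": [{"status": "succeeded", "task-details": [{"changes": [
    {"session": {"user-name": "admin"},
     "operations": {"added-objects": [{"name": "web-srv"}],
                    "modified-objects": [{"name": "Policy"}], "deleted-objects": []}}]}]}]}

def changes_body(from_date, to_date, limit=50, offset=0):
    # Request body for show-changes over a date range (assumed parameter names)
    return {"from-date": from_date, "to-date": to_date, "limit": limit, "offset": offset}

def summarize_task(task_resp):
    """Flatten a finished show-task reply into (user, operation, object name) rows."""
    rows = []
    for task in task_resp.get("tasks", []):
        if task.get("status") != "succeeded":
            raise RuntimeError("task ended with status: %s" % task.get("status"))
        for detail in task.get("task-details", []):
            for change in detail.get("changes", []):
                user = change.get("session", {}).get("user-name", "?")
                for op, objs in change.get("operations", {}).items():
                    rows.extend((user, op, obj.get("name", "?")) for obj in objs)
    return rows

def api_call(server, command, body, sid=None):
    """POST https://<server>/web_api/<command> and return the decoded JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id issued by login
    req = urllib.request.Request("https://%s/web_api/%s" % (server, command),
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:  # default context verifies the server cert
        return json.load(resp)

def export_changes(server, user, password, from_date, to_date):
    sid = api_call(server, "login", {"user": user, "password": password})["sid"]
    try:
        # Assumed: show-changes is asynchronous and returns a task-id to poll with show-task
        task_id = api_call(server, "show-changes", changes_body(from_date, to_date), sid)["task-id"]
        while True:
            task = api_call(server, "show-task", {"task-id": task_id, "details-level": "full"}, sid)
            if task["tasks"][0]["status"] != "in progress":
                break
            time.sleep(2)
        return summarize_task(task)  # write these rows to your external store
    finally:
        api_call(server, "logout", {}, sid)
```

Because revisions are never purged automatically, a periodic run over a rolling date window gives you a change record that survives the log server's retention policy.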
