Messages with /var/log

Olusegun_Adekun · ‎2023-12-05

Hi All,

Can the messages file be removed/deleted from /var/log without any consequences.

Trying to upgrade Firewall from R81.10 to R81.20 and the /var/log partition is 90% full.

I could also see a lot of .elg files within $FWDIR/log. Can this also be removed/deleted without any consequences?

Thanks Always

Kind Regards,

Olu

Tal_Paz-Fridman · ‎2023-12-05

1| Check if you have crash of dump files which usually take a lot of space:

/var/log/crash/

/var/log/dump/usermode/

2| As for elg files you can usually delete the ones with a number a the end, for example:

cpm.elg.1
cpm.elg.10
cpm.elg.11
cpm.elg.12
cpm.elg.13
cpm.elg.14
cpm.elg.15
cpm.elg.2
cpm.elg.3
cpm.elg.4
cpm.elg.5
cpm.elg.6
cpm.elg.7
cpm.elg.8
cpm.elg.9

(but it means that debug information will be lost if needed)

3| Please also look at log retention and cleanup settings on the object (in SmartConsole)

Olusegun_Adekun · ‎2023-12-05

Hi Tal,

Thanks for you swift response.

The var/log/crash is actually fast empty only 4.0k

Can I delete the messages with numbers as well.

messages.1

messages.2

etc

Regards,

Olu

Tal_Paz-Fridman · ‎2023-12-05

Yes but I do not think they will save you that much space.

Perhaps you could increase disk space or change partitions?

https://support.checkpoint.com/results/sk/sk95566

Olusegun_Adekun · ‎2023-12-05

Thanks. Appreciate.

Bob_Zimmerman · ‎2023-12-05

I agree with Tal, it is extremely unlikely deleting /var/log/messages files and elg files will free much space. Even with extreme levels of logging, those files collectively should never take up even a whole gigabyte.

Instead, look in $FWDIR/log at firewall logs. This is the common set of files per day of log data:

2023-11-25_000000.adtlog
2023-11-25_000000.adtlogaccount_ptr
2023-11-25_000000.adtloginitial_ptr
2023-11-25_000000.adtlogptr
2023-11-25_000000.log
2023-11-25_000000.logaccount_ptr
2023-11-25_000000.loginitial_ptr
2023-11-25_000000.logptr

They may be rotated multiple times per day, depending on your traffic log volume. For example, they automatically rotate when the traffic log hits 2 GB. I have one environment which gets over 40 GB of log data per day, so the files rotate a lot.

After traffic logs, the next big items are core dumps as Tal mentioned, then CPUSE packages (check 'installer delete' in clish to see what packages you can delete. Backups saved to /var/log/CPbackup and snapshots exported to /var/log/CPsnapshot also take up a lot of space. Note that snapshots you don't export don't take up any space in the filesystem (they are stored in unallocated space in the drive).

the_rock · ‎2023-12-05

Please send output of below...it will show any files in /var/log bigger than 500M

Andy

from expert mode -> find /var/log -size 500M

Also, make sure fw is NOT logging local by doing this:

watch -d ls -lh $FWDIR/log/fw.log

Output should always show 8.2K, which is default fw size for this file, as logs would always be sent to the mgmt server (unless its standalone box, which literally no one I know uses)

Best regards,

Andy

From my lab:

[Expert@CP-gw:0]# cd $FWDIR/log
[Expert@CP-gw:0]# ls -lh fw.
fw.adtlog fw.adtlogaccount_ptr fw.adtlogptr fw.logaccount_ptr fw.logptr
fw.adtlogLuuidDB fw.adtloginitial_ptr fw.log fw.loginitial_ptr fw.logtrack
[Expert@CP-gw:0]# ls -lh fw.log
-rw-rw---- 1 admin root 8.2K Nov 28 00:00 fw.log
[Expert@CP-gw:0]#

Are you a member of CheckMates?

Messages with /var/log