
Understanding Logging

Security Gateways generate logs, and the Security Management Server generates audit logs, which are a record of actions taken by administrators. The Security Policy that is installed on each Security Gateway determines which rules generate logs.

Logs can be stored on a:

Note - Logs can be automatically forwarded to the Security Management Server or Log Server, according to a schedule, or manually imported with the Remote File Management operation via CLI (fw fetchlogs). The management servers and log servers can also forward logs to other servers.

To find out how much storage is necessary for logging, see the new appliance datasheet.

A Log Server handles log management activities:

Note - On Multi-Domain Servers, the Log and Index storage maintenance is only controlled via the MDS level GUI object centrally, and not on the domain level. Currently, index daily deletion is not supported.

Log storage

In SmartConsole, open the Security Gateway or Check Point host for editing, and open Logs > Storage.

Configure these fields:

This option is for Security Gateways only.

These options and examples are for a Security Management Server, SmartEvent Server, or Log Server:

Examples:

These examples show how these options work together.

For these examples, the administrator enables these thresholds:

Example 1:

The server has 3000 MBytes of free disk space, and 5 days of logs and index files.

The server deletes logs and index files, one day at a time, until there is 5000 MBytes of free disk space.

Example 2:

The server has 10 GBytes of free disk space and 30 days of logs and index files.

The server deletes all index files older than 14 days. No change in logs.

Example 3:

The server has 20 days of index files and 30 days of logs (15 GB free).

The server deletes index files and logs, one day at a time, in this order:

  1. Deletes index files older than 14 days. No change in logs.
  2. Deletes logs until the disk space threshold is reached.
  3. Deletes logs and index files until the disk space threshold is reached.

Example 4:

A server produces 1.5 GB of logs and 1.5 GB of index files each day. The server now has 35 days of logs and 30 days of index files and only 3 GB of free disk space left. The configured disk space threshold is 5 GB, which means the server is now 2 GB below the threshold. The index file threshold is 14 days.

Once the disk space threshold (5 GB) is reached, disk space maintenance deletes logs and index data until there is again more than 5 GB of free space. In this example:

  1. Logs from day one are deleted first. Two days of the oldest logs are deleted to clear 3 GB of logs and leave 6 GB of free space on the drive, 1 GB above the threshold, leaving the server with 33 log days and 30 index days.
  2. The server still has more than 14 days of index files: an extra 16 days. At midnight, the extra index files are deleted until only the current day's index plus the last 14 remain. The deletion of 16 index files frees up 24 GB of space. The deletion of two days of logs left 6 GB of free space. 30 GB of space is now free.

If the disk space threshold is again reached, the disk maintenance process repeats.
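The following is an added model of the maintenance sequence in Example 4 (it is not Check Point code and does not reproduce the product's actual implementation). The class and method names are hypothetical; the 1.5 GB/day sizes, 5 GB disk space threshold and 14-day index threshold are the figures from Example 4, and a day of logs or index files is treated as one deletable unit.

```python
# Hypothetical model of Log Server disk space / index retention maintenance.
# Not product code: names and the one-day-per-unit simplification are assumptions.
from dataclasses import dataclass, field


@dataclass
class LogServerModel:
    """Simplified storage state of a Log Server (hypothetical model)."""
    free_gb: float                  # free disk space right now
    log_days: int                   # days of log files on disk
    index_days: int                 # days of index files on disk
    log_gb_per_day: float = 1.5     # Example 4: 1.5 GB of logs per day
    index_gb_per_day: float = 1.5   # Example 4: 1.5 GB of index files per day
    disk_threshold_gb: float = 5.0  # disk space threshold from Example 4
    index_retention_days: int = 14  # index files older than this go at midnight
    actions: list = field(default_factory=list)

    def disk_space_maintenance(self) -> float:
        """Delete the oldest day of logs, one day at a time, until free space
        is again above the disk space threshold. Returns free space in GB."""
        while self.free_gb <= self.disk_threshold_gb and self.log_days > 0:
            self.log_days -= 1
            self.free_gb += self.log_gb_per_day
            self.actions.append(f"deleted 1 day of logs -> {self.free_gb:.1f} GB free")
        return self.free_gb

    def midnight_index_maintenance(self) -> float:
        """At midnight, delete index files older than the retention period.
        Logs are untouched. Returns free space in GB."""
        extra_days = self.index_days - self.index_retention_days
        if extra_days > 0:
            self.index_days -= extra_days
            self.free_gb += extra_days * self.index_gb_per_day
            self.actions.append(
                f"deleted {extra_days} days of index -> {self.free_gb:.1f} GB free")
        return self.free_gb


def run_example_4() -> LogServerModel:
    """Replays Example 4: 35 log days, 30 index days, 3 GB free, 5 GB threshold."""
    srv = LogServerModel(free_gb=3.0, log_days=35, index_days=30)
    srv.disk_space_maintenance()      # two log days deleted, 6 GB free
    srv.midnight_index_maintenance()  # 16 index days deleted, 30 GB free
    return srv


if __name__ == "__main__":
    for line in run_example_4().actions:
        print(line)
```

Changing the constructor arguments lets you check how a given daily log volume and threshold pair behaves before disk space runs low on a real Log Server.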

In a Multi-Domain environment

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Management Server. The Multi-Domain Server generates logs, and they can be stored on the Multi-Domain Server. To learn how to deploy logging in a Multi-Domain Security Management environment, see the R80.30 Multi-Domain Security Management Administration Guide.

To learn how to monitor the Log Receive Rate on the Security Management Server / Log Server in R80 and higher, see sk120341.

To decrease the load on the Security Management Server, you can install a dedicated Log Server and configure the gateways to send their logs to this Log Server. To see the logs from all the Log Servers, connect to the Security Management Server with SmartConsole, and go to the Logs & Monitor view > Logs tab.