Understanding Logging

Security Gateways generate logs, and the Security Management Server generates audit logs, which are a record of actions taken by administrators. The Security Policy that is installed on each Security Gateway determines which rules generate logs.

Logs can be stored on a:

Security Management Server that collects logs from the Security Gateways. This is the default.
Log Server on a dedicated machine. This is recommended for organizations that generate a lot of logs.
Security Gateway. This is called local logging.

Note - Logs can be automatically forwarded to the Security Management Server or Log Server, according to a schedule, or manually imported with the Remote File Management operation via CLI (fw fetchlogs). The management servers and log servers can also forward logs to other servers.

To find out how much storage is necessary for logging, see the new appliance datasheet.

A Log Server handles log management activities:

Automatically starts a new log file when the existing log file gets to the defined maximum size.
Stores log files for export and import.
Makes an index of the logs to enable faster responses to log queries.

Note - On Multi-Domain Servers, the Log and Index storage maintenance is only controlled via the MDS level GUI object centrally, and not on the domain level. Currently, index daily deletion is not supported.

Log storage

In SmartConsole, open the Security Gateway or Check Point host for editing, and open Logs > Storage.

Configure these fields:

Measure free disk space in - Choose MBytes or Percentage.
When disk space is below <number> Mbytes, issue alert - Get an alert when the available disk space for logs and log index files is below this threshold. This value must be at least 5 MB greater than the value of ...stop logging in the Additional logging options page.
When disk space is below <number> Mbytes, start deleting old files - Delete the oldest logs and log index files when the available disk space is below this threshold. This value must be at least 5 MB greater than the ...issue alert value.
Run the following script before deleting old files - Enter a path to the script.

This option is for Gateways only

Reserve ... for packet capturing - Some types of logs can also capture the packets that created the log event. Set the amount, in MBytes or Percent, that you want to use for captured packets.

These options and examples are for a Security Management Server, SmartEvent Server, or Log Server:

Index Files - Configure when the server automatically deletes old index files:
- Delete index files older than <number> Days - The server automatically deletes index files that are older than a specified number of days. Specify the number of days. The index files are deleted even if there is enough disk space for them.

Examples:

These examples show how these options work together

When disk space is below <number> Mbytes, start deleting old files - The available space in the logs partition is checked every 1 minute. Once the threshold is reached, the log disk maintenance occurs: deleting the oldest day of log and index data and repeating until reaching above configured threshold.
Delete index files older than <number> Days - Occurs daily at midnight. Deleting oldest index files by days, leaving today + the configured no. of index days (14 = 14 days + today).

For these examples, the administrator enables these thresholds:

When disk space is below [5000] Mbytes, start deleting old files
Delete index files older that [14] Days

Example 1:

The server has 3000 MBytes of free disk space, and 5 days of logs and index files.

The server deletes logs and index files, one day at a time, until there is 5000 Mbytes of free disk space.

Example 2:

The server has 10 GBytes of free disk space and 30 days of logs and index files.

The server deletes all index files older than 14 days. No change in logs.

Example 3:

The server has 20 days of index files and 30 days of logs (15GB free).

The server deletes index files, one day at a time, in this order:

Deletes index files older than 14 days. No change in logs.
Deletes logs until the disk space threshold is reached.
Deletes logs and index files until the disk space threshold is reached.

Example 4:

A server produces 1.5GB of logs and 1.5GB of index files each day. The server now has 35 days of logs and 30 days of index files and only 3GB of free disk space left. The configured disk space threshold is 5GB, which means the server is now 2GB below the threshold. The index file threshold is 14 days.

Once the disk space threshold (5GB) is reached, disk space maintenance deletes logs and index data until there is again more than 5GB of free space. In this example:

Logs from day one are deleted first. Two days of the oldest logs are deleted to clear 3GB of logs and leave 6GB of free space on the drive, 1GB above the threshold, leaving the server with 33 log days and 30 index days.
The server still has more than 14 days of index files - an extra 16 days. At midnight, the extra index files are deleted until only the current day’s index plus the last 14 remain. The deletion of 16 index files frees up 24GB of space. The deletion of two days of logs left 6GB of free space. 30GB of space is now free.

If the disk space threshold is again reached, the disk maintenance process repeats.

In a Multi-Domain environment

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Management Server. The Multi-Domain Server generates logs, and they can be stored on the Multi-Domain Server. To learn how to deploy logging in a Multi-Domain Security Management environment, see the R80.30 Multi-Domain Security Management Administration Guide.

To learn how to monitor the Log Receive Rate on the Security Management Server / Log Server in R80 and higher, see sk120341.

To decrease the load on the Security Management Server, you can install a dedicated Log Server and configure the gateways to send their logs to this Log Server. To see the logs from all the Log Servers, connect to the Security Management Server with SmartConsole, and go to the Logs & Monitor view Logs tab.