fw fetchlogs

Description

Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) from the specified Check Point server.

Important - You can run this command in the Expert mode or in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). (Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish on Scalable Platforms).

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>

Specifies the name of the log file to fetch. Need to specify name only.

Notes:

If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
The specified log file name can include wildcards * and ? (for example, 2017-0?-*.log).

If you enter a wildcard, you must enclose it in double quotes or single quotes.
You can specify multiple log files in one command.

You must use the -f parameter for each log file name pattern.
This command also transfers the applicable log pointer files.

<Target>

Specifies the remote Check Point server, with which this local Check Point server has established SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. trust.

Notes:

The local and the remote servers must have established SIC trust.
The local server can be a Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., a Log Server Dedicated Check Point server that runs Check Point software to store and process logs., a Cluster Member Security Gateway that is part of a cluster..
The remote server can be a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member, a Log Server, or a Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. in High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. deployment.
You can specify the remote managed server by its main IP address or Object Name as configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Notes:

This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point server.

Meaning, it deletes the specified log files on the specified Check Point server after it copies them successfully.
This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point server, on which you run this command.

This command cannot fetch the active log files $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

To fetch these active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. log files:

Perform the log switch on the applicable Check Point server:

See fw logswitch.

fw logswitch [-audit] [-h <IP Address or Hostname>]

Fetch the rotated log file from the applicable Check Point server:

fw fetchlogs -f <Log File Name> <IP Address or Hostname>

This command renames the log files it fetched from the specified Check Point server.

The new log file name is the concatenation of these:
- The Check Point server's name (as configured in SmartConsole).
- Two underscore (_) characters.
- The original log file name
Example: MyGW__2019-06-01_000000.log

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW

     Size Log file name

        23KB 2019-05-16_000000.log

         9KB 2019-05-17_000000.log

        11KB 2019-05-18_000000.log

      5796KB 2019-06-01_000000.log

      4610KB fw.log

[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW

File fetching in process. It may take some time...

File MyGW__2019-06-01_000000.log was fetched successfully

[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*

/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.log

/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr

/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr

/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.logptr

[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW

     Size Log file name

        23KB 2019-05-16_000000.log

         9KB 2019-05-17_000000.log

        11KB 2019-05-18_000000.log

      4610KB fw.log

[Expert@HostName:0]#