Understanding Logging

Security Gateways / Cluster Members generate network logs, and the Management Server generates audit logs, which are a record of actions taken by administrators. The Security Policy that is installed on each Security Gateway / Cluster determines which rules generate logs.

Logs can be stored on a:

Note - Logs can be automatically forwarded to the Security Management Server or Log Server, according to a schedule, or manually imported with the Remote File Management operation via CLI (with the "fw fetchlogs" command). The management servers and log servers can also forward logs to other servers.

To find out how much storage is necessary for logging, see the R81.10 Release Notes.

A Log Server handles log management activities:

An administrator can configure Backup Log Servers:

  • If all Primary Log Servers are disconnected, the Security Gateway / Cluster starts to send logs only to the first configured Backup Log Server.

  • If the first Backup Log Server is also disconnected, the Security Gateway / Cluster sends logs to the second configured Backup Log Server, and so on.

Dedicated Log Servers and Domain Dedicated Log Servers

To decrease the load on the Management Server, you can install a dedicated Log Server and configure the Security Gateways to send their logs to this Log Server.

To see the logs from all Log Servers, connect to the Management Server with SmartConsole, and go to the Logs & Monitor view > Logs tab.

See:

Dynamic Log Distribution

In R81 and lower versions, each Log Server received a copy of every log. If one Log Server was disconnected, the Security Gateway / Cluster connected to the backup Log Server and sent it a copy of every log.

Starting in R81.10, with Dynamic Log Distribution, you can configure the Security Gateway / Cluster to distribute its logs between the active Log Servers.

If all the primary Log Servers are disconnected, logs are distributed between backup Log Servers.

If no Log Servers are connected, the Security Gateway / Cluster writes the logs locally.

Use Case - Log distribution reduces:

  • The high utilization of resources on the Log Servers.

  • The log traffic on each network that connects the Security Gateway / Cluster to its Log Server.

Log Storage

SmartEvent Server and Log Server use an optimization algorithm to manage disk space and other system resources. When the Logs and Events database becomes too large, the server automatically deletes the oldest logs and events based on the configured thresholds.

Daily Logs Retention

In R80.40 and higher, daily logs retention refers to how long logs are stored before they are deleted. Configure this value to help you manage free disk space.

The Management Server does not delete audit log files, even during emergency disk space maintenance, regardless of the configured log retention value. You cannot configure the daily retention for the Management Server audit logs.

The Management Server does not delete audit indexes as part of daily maintenance regardless of the value configured in SmartConsole. The Management Server deletes audit log indexes (not the log files) only in a disk space emergency. In a Multi-Domain environment, you can change this behavior only for the Global SmartEvent Server in the log_maintenance_domain_conf.csv file (see the corresponding section below).

Note - The server deletes old logs daily at midnight.

Important - The server can apply the "Daily Logs Retention Configuration" only when "When disk space is below <number> Mbytes, start deleting old files" is enabled. To control this behavior, see sk176803.
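As an added illustration of the retention rules above (a model written for this page, not Check Point's own code), the following Python simulates the two deletion paths: daily retention is skipped unless the low-disk deletion threshold is enabled, and audit log files are never removed on either path. The file names, dates, sizes and free-space figures are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class LogFile:
    name: str
    day: date
    size_mb: int
    audit: bool = False  # audit (administrator action) logs are never deleted

@dataclass
class RetentionConfig:
    low_disk_deletion_enabled: bool  # "When disk space is below <number> Mbytes, start deleting old files"
    low_disk_threshold_mb: int
    daily_retention_days: Optional[int]  # None = no daily retention configured

def daily_maintenance(files: List[LogFile], cfg: RetentionConfig, today: date) -> Tuple[List[LogFile], List[LogFile]]:
    """Midnight job. Daily retention is honoured only when low-disk deletion is
    enabled, and it never touches audit logs. Returns (kept, deleted)."""
    if not cfg.low_disk_deletion_enabled or cfg.daily_retention_days is None:
        return list(files), []  # retention value configured but ignored
    cutoff = today - timedelta(days=cfg.daily_retention_days)
    kept = [f for f in files if f.audit or f.day >= cutoff]
    deleted = [f for f in files if not f.audit and f.day < cutoff]
    return kept, deleted

def emergency_cleanup(files: List[LogFile], cfg: RetentionConfig, free_mb: int):
    """Disk-space emergency: drop the oldest network log files until free space is
    back at the threshold. Audit log files survive (only their indexes may go).
    Returns (kept, deleted, free_mb_after)."""
    kept, deleted = list(files), []
    if not cfg.low_disk_deletion_enabled:
        return kept, deleted, free_mb
    for f in sorted((f for f in files if not f.audit), key=lambda f: f.day):
        if free_mb >= cfg.low_disk_threshold_mb:
            break
        kept.remove(f)
        deleted.append(f)
        free_mb += f.size_mb
    return kept, deleted, free_mb

# Constructed sample data (not taken from a real server)
TODAY = date(2024, 3, 1)
SAMPLE_FILES = [
    LogFile("fw.2024-01-01.log", date(2024, 1, 1), 500),
    LogFile("fw.2024-02-20.log", date(2024, 2, 20), 300),
    LogFile("fw.2024-02-28.log", date(2024, 2, 28), 100),
    LogFile("audit.2024-01-01.log", date(2024, 1, 1), 50, audit=True),
]
DISABLED = RetentionConfig(False, 1000, 14)  # 14-day retention set, threshold deletion off
ENABLED = RetentionConfig(True, 1000, 14)
```

With DISABLED the 60-day-old network log is kept despite the 14-day retention value, which is the situation sk176803 describes; with ENABLED it is removed at the midnight run.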

You can configure log retention policy on different servers:

Log Receive Rate

To learn how to monitor the Log Receive Rate on the Management Server / Log Server, see sk120341.