CPLogInvestigator

Description

This heuristic tool can analyze the specified logs files from managed Security Gateways and show:

Important - You can run this command only in the Expert mode.

Syntax

CPLogInvestigator

      [-h]

      [-d]

      [-a]

      [{-i /<Path>/<Name of Log File> | -f <Path to Directory>}]

      [-l]

      [-m]

      [-p]

      [-u <Number of Users>]

Parameters

Parameter

Description

-h

Shows the built-in help.

No Parameters

Analyzes the events in all the $FWDIR/log/*.log files (the activeClosed State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. log and the rotated logs).

The default analysis duration for each log file is 60 seconds.

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

This option "-d" is not supported (ignored) when specified together with the option "-p".

-a

Analyzes the events in all the "*.log" files - the active log and the rotated logs.

The default path is $FWDIR/log/.

The default analysis duration is 60 seconds.

If the number of log files is large, and the log files are large, then the analysis can take significant time.

-f <Path to Directory>

Analyzes the events in all the "*.log" files in the specified directory.

This parameter must the last parameter in the syntax.

-i /<Path>/<Name of Log File>

Analyzes the events in the specified log file.

This parameter must the last parameter in the syntax.

-l

Limits the duration of the analysis to 60 seconds.

-m

Saves the number of logs for each minute of analyzes log files in the output file called "logPerMinute.txt" in the current working directory.

-p

Shows the daily estimated number of logs from each Software Blade that generated these logs.

-u <Number of Users>

Specifies the number of required users to show estimations for events from the Application ControlClosed Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. and the URL FilteringClosed Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. Software Blades.

Examples

[Expert@Mgmt:0]# CPLogInvestigator

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log from log 0

..
Reading log file is DONE.

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-11_000000.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-11_000000.log from log 0

..
Reading log file is DONE.


Total scanned 10846112 logs out of 28070147 logs in file
Scanned logs dates are from 29-01-2025 00:00:00 to 11-04-2025 19:48:14
Observed blades:
     - Application Control
     - IPS
     - N/A
     - VPN-1 & FireWall-1

========================================

Summary - Estimations based on findings:

Log file size per day: 1.7815GB (149018 logs)

Estimated events per day:
- Estimated events per day based on active blades: 1

Storage required per day:
- SmartEvent: 0.0000GB
- Log Server: 1.7815GB
- Log Server + SmartLog: 3.5629GB

==============================================================
[Expert@Mgmt:0]#
 
[Expert@Mgmt:0]# CPLogInvestigator -p -i $FWDIR/log/fw.log


Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log from log 0

..
Reading log file is DONE.


Total scanned 10459 logs out of 10459 logs in file
Scanned logs dates are from 11-04-2025 00:00:01 to 11-04-2025 19:56:40

========================================
Product log statistics (Per Day):
Days of counting:       0.831007
Product name:   Application Control         Amount of logs:     1               Average:        1
Product name:   N/A                         Amount of logs:     3               Average:        3
Product name:   Security Gateway/Management Amount of logs:     20              Average:        24
Product name:   SmartConsole                Amount of logs:     1               Average:        1
Product name:   SmartEvent Client           Amount of logs:     2               Average:        2
Product name:   System Monitor              Amount of logs:     6               Average:        7
Product name:   VPN-1 & FireWall-1          Amount of logs:     10426           Average:        12546


Total logs per day:

    Date     |   GB   |   Count

==============================================================
[Expert@Mgmt:0]#
 
[Expert@Mgmt:0]# CPLogInvestigator -a -p

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log from log 0

..
Reading log file is DONE.


Total scanned 10530 logs out of 10530 logs in file
Scanned logs dates are from 11-04-2025 00:00:01 to 11-04-2025 19:57:28

========================================
Product log statistics (Per Day):
Days of counting:       0.831562
Product name:   Application Control         Amount of logs:     1               Average:        1
Product name:   N/A                         Amount of logs:     3               Average:        3
Product name:   Security Gateway/Management Amount of logs:     20              Average:        24
Product name:   SmartConsole                Amount of logs:     1               Average:        1
Product name:   SmartEvent Client           Amount of logs:     2               Average:        2
Product name:   System Monitor              Amount of logs:     6               Average:        7
Product name:   VPN-1 & FireWall-1          Amount of logs:     10497           Average:        12623


Total logs per day:

    Date     |   GB   |   Count
  2025-01-14 | 0.0000 | 174
... (truncated for brevity) ...
  2025-01-23 | 0.3787 | 11959308
... (truncated for brevity) ...
  2025-04-11 | 0.0007 | 18448
  fw.log | 0.0009 | 21060

==============================================================
[Expert@Mgmt:0]#
 
[Expert@Mgmt:0]# CPLogInvestigator -m -a -p

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log from log 0

..
Reading log file is DONE.


Total scanned 15098 logs out of 15098 logs in file
Scanned logs dates are from 11-04-2025 00:00:01 to 11-04-2025 20:59:41

========================================
Product log statistics (Per Day):
Days of counting:       0.874769
Product name:   Application Control         Amount of logs:     1               Average:        1
Product name:   N/A                         Amount of logs:     3               Average:        3
Product name:   Security Gateway/Management Amount of logs:     22              Average:        25
Product name:   SmartConsole                Amount of logs:     1               Average:        1
Product name:   SmartEvent Client           Amount of logs:     2               Average:        2
Product name:   System Monitor              Amount of logs:     6               Average:        6
Product name:   VPN-1 & FireWall-1          Amount of logs:     15063           Average:        17219


Total logs per day:

    Date     |   GB   |   Count
  2025-04-10 | 0.0007 | 18368
  2025-04-11 | 0.0007 | 18448
  fw.log | 0.0014 | 30196

==============================================================
Logs per minute table can be found at logPerMinute.txt

==============================================================
[Expert@Mgmt:0]#
[Expert@Mgmt:0]# wc -l logPerMinute.txt
1253 logPerMinute.txt
[Expert@Mgmt:0]#
[Expert@Mgmt:0]# head -n 10 logPerMinute.txt
Rounded log time: 11-04-2025 20:59;     Log count: 48
Rounded log time: 11-04-2025 20:58;     Log count: 73
Rounded log time: 11-04-2025 20:57;     Log count: 70
Rounded log time: 11-04-2025 20:56;     Log count: 76
Rounded log time: 11-04-2025 20:55;     Log count: 70
Rounded log time: 11-04-2025 20:54;     Log count: 74
Rounded log time: 11-04-2025 20:53;     Log count: 76
Rounded log time: 11-04-2025 20:52;     Log count: 78
Rounded log time: 11-04-2025 20:51;     Log count: 70
Rounded log time: 11-04-2025 20:50;     Log count: 76
[Expert@Mgmt:0]#
 
[Expert@Mgmt:0]# CPLogInvestigator -l -a -u 1000

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/fw.log from log 0

..
Reading log file is DONE.

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-11_000000.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-11_000000.log from log 0

..
Reading log file is DONE.

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-10_000000.log

Start reading log file: /opt/CPsuite-R81.20/fw1/log/2025-04-10_000000.log from log 0

..
Reading log file is DONE.


Total scanned 36245 logs out of 36245 logs in file
Scanned logs dates are from 09-04-2025 00:00:02 to 11-04-2025 21:37:49
Observed blades:
     - Application Control
     - N/A
     - VPN-1 & FireWall-1

========================================

Summary - Estimations based on findings:

Log file size per day: 0.0032GB (12492 logs)

Estimated events per day:
- Estimated events per day based on active blades: 0
- Activated blades + Application Control and URL Filtering for 1000 users: 250000

Storage required per day:
- SmartEvent: 1GB
- Log Server: 0.0032GB
- Log Server + SmartLog: 0.0064GB


==============================================================
[Expert@Mgmt:0]#