Deploying Logging

You can enable logging on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. (enabled by default), or deploy a dedicated Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs..

After you deploy the Log Server, you must configure the Security Gateways for logging.

You must execute the Install Database function on the remote Log Server when you:

Enabling Logging on the Security Management Server

  1. Open SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

  2. Edit the network object of the Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

  3. In the General Properties page, on the the Management tab, enable Logging & Status.

  4. Click OK

  5. Publish the SmartConsole session.

Deploying a Dedicated Log Server

To deploy a dedicated Log Server, you must install it, and then connect it to the Security Management Server.

Notes:

For details, see the R81 Installation and Upgrade Guide.

Configuring the Security Gateways for Logging

To configure a Security Gateway for logging:

  1. Open SmartConsole.

  2. In the Gateways & Servers view, double-click the Security Gateway object.

  3. From the navigation tree, click Logs.

  4. Configure where to send logs:

    • To save logs to the Security Management Server - Select Send gateway logs to server.

    • To save logs to a dedicated Log Server - Select the Log Server from the list.

    • To save logs locally - Select Save logs locally, on this server.

  5. Click OK.

  6. Publish the SmartConsole session.

  7. Install a policy on the Security Gateway.

Enabling Log Indexing

Log indexing on the Security Management Server or Log Server reduces the time it takes to run a query on the logs. Log indexing is enabled by default.

In a standaloneClosed Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. deployment, log indexing is disabled by default. Enable log indexing only if the standalone server CPU has 4 or more cores.

To manually enable Log Indexing:

  1. Open SmartConsole.

  2. From the Gateways & Servers view, double-click the Security Management Server or Log Server object.

    The General Properties window opens.

  3. In the Management tab, select Logging & Status.

  4. From the navigation tree, click Logs.

  5. Select Enable Log Indexing.

  6. Click OK.

  7. Publish the SmartConsole session.

  8. From Menu, select Install Database > select all objects > click Install.

Disabling Log Indexing

To save disk storage space, a Log Server can be configured to work in non-index mode. If you disable log indexing, queries will take longer.

When log indexing is disabled, you must connect with SmartConsole to each Log Server separately to query its logs. When you connect to the Management Server you do not get a unified view of all logs, as in index mode. On each Log Server, the search is done on one log file at a time.

To disable Log Indexing:

  1. Open SmartConsole.

  2. From the Gateways & Servers view, double-click the Security Management Server or Log Server object.

  3. From the navigation tree, click Logs.

  4. Clear the Enable Log Indexing option.

  5. Click OK.

  6. Publish the SmartConsole session.

  7. From Menu, select Install Database > select all objects > click Install.

To select a log file to search:

  1. Open Logs & Monitor > Logs view.

  2. Click the Options menu button to the right of the search bar.

  3. Select File > Open Log File.