Configuring Logging

Creating a Multi-Domain Log Server with Domain Log Servers

This section shows you how to create a new Multi-Domain Log Server (MDLS) and its related Domain Log Servers. A Multi-Domain Log Server is a dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. It consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers.

Important - Before you start this procedure, make sure that you define the physical servers as the correct server type, Secondary Multi-Domain Server (MDS) or Multi-Domain Log Server, during installation. An incorrect definition can cause deployment failure.

To create a new Multi-Domain Log Server:

  1. If you did not do so, install a new Multi-Domain Log Server.

    Follow the procedures in the R81 Installation and Upgrade Guide.

    Make sure to define this server as a Multi-Domain Log Server in the First Time Configuration Wizard.

  2. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.

  3. From the left navigation panel, click Multi-Domain > Domains.

  4. From the top toolbar, click New > Multi-Domain Log Server.

  5. Enter a unique name for this Multi-Domain Log Server.

  6. Enter the IPv4 address or click Resolve IP to get the IP address from the DHCP Server.

  7. Click Connect to establish SIC (Secure Internal Communication) trust. SIC is the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.

    Enter the same Activation Key you entered during the First Time Configuration Wizard of the Multi-Domain Log Server.

  8. In the Platform section:

    • In the OS field, select Gaia

    • In the Version field, select the correct version

    • In the Hardware field, select the applicable option

  9. Click OK.

To create Domain Log Servers:

  1. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.

  2. From the left navigation panel, click Multi-Domain > Domains.

  3. In the Multi-Domain Log Server column, right-click the Domain Log Server cell for each Domain and click New Domain Server.

  4. Accept the default name or enter a different, unique name.

  5. Enter the IPv4 address or click Resolve IP to automatically assign the IPv4 address.

  6. Click OK.

    Wait for the cell to show the new Domain Log Server.

  7. Configure the Security Gateway in each Domain to send its logs to the new Domain Log Server on the Multi-Domain Log Server (see Configuring Security Gateways to Send Logs to a Log Server).

    The Domain Log Servers synchronize automatically.

The new Multi-Domain Log Server automatically synchronizes with all existing Multi-Domain Servers. The synchronization operation can take many minutes to complete, during which a notification indicator shows in the task information area.

Configuring Security Gateways to Send Logs to a Log Server

Logs are not automatically forwarded to a Log Server. You must manually configure each relevant Security Gateway to send its logs to the new Domain Log Server.

To configure Domain Security Gateways to send logs to a Log Server:

  1. Connect to the applicable Domain Management Server with SmartConsole, and then double-click the applicable Security Gateway.

  2. In the Logs section, select the new Log Server from the list.

    You can delete or ignore other Log Servers in the list as necessary.

  3. Click OK.

  4. Configure other log settings as applicable.

  5. Install Policy on the applicable Security Gateways.

  6. Install the database on the Log Servers.

Deleting a Domain Log Server

To delete a Domain Log Server in SmartConsole:

  1. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.

  2. From the left navigation panel, click Multi-Domain > Domains.

  3. In the Multi-Domain Log Server column, right-click the Domain Log Server and then select Delete.

Configuring Log Settings

Disk cleanup deletes the oldest log files when the available disk space is less than a specified value. Disk cleanup settings are controlled at the Multi-Domain Server level and apply to all Domains and Domain Management Servers (DMS). Disk cleanup settings configured at the Domain Management Server level are ignored.

These other log management activities, when configured on a Multi-Domain Server, apply only to that Multi-Domain Server:

  • Run script before cleanup

  • Alerts

  • Stop logging

  • Create new log file

Configure these activities individually for each Domain Management Server and Log Server.

To configure log settings for a Multi-Domain Server:

  1. In SmartConsole, go to Multi-Domain > Domains.

  2. Double-click the applicable Multi-Domain Server.

  3. Click Log Settings.

  4. In the General view, configure these settings:

    • Cleanup when free disk space is below - Start the disk cleanup procedure when available disk space is less than the specified quantity. Select to enable (default) or clear to disable. Enter the minimum disk space and unit of measure (Default = 5 GB).

      This parameter applies to the Multi-Domain Server and its Domain Management Servers.

    • Run the following script before cleanup - Enter a predefined script to run before the cleanup starts.

    • Send Alert when free disk space is below - Send an alert when available disk space is less than the specified quantity. Select to enable (default). Clear to disable.

      Enter the minimum disk space and unit of measure (Default = 3 GB).

  5. In the Advanced view, configure these settings:

    • Accept Syslog messages - Include syslog messages in the log files.

    • Stop Logging - Stop all logging activity when the available disk space is less than the specified quantity.

      Enter the minimum disk space and unit of measure (Default = 100 MB).

    • Create a new log file - Close and save the active log file when the active log file is larger than the specified size. The log file has an extension that is a sequential number. You can move these saved log files to external storage or export them to an external database.

      Enter the maximum log file size. (Default = 1 GB).
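
Because disk cleanup deletes the oldest log files, a script configured under "Run the following script before cleanup" can copy closed log files to separate storage first, so that the records stay available for later investigation. The following is an added example, not code from Check Point or from this guide. The source directory, archive directory and active log file name are assumptions passed in by the caller, and it assumes sha256sum is available on the server.

```shell
#!/bin/bash
# Added example: pre-cleanup log archiver. All paths and the active-file
# name are caller-supplied assumptions, not values from the product.
#
# archive_logs SRC_DIR DST_DIR [ACTIVE_NAME]
#   Copies every regular file in SRC_DIR except ACTIVE_NAME to DST_DIR,
#   verifies each copy by SHA-256 and records "hash  name" in
#   DST_DIR/MANIFEST.sha256. Prints the number of files newly archived.
archive_logs() {
    local src="$1" dst="$2" active="${3:-}"
    local count=0 f name h_src h_dst manifest
    [ -d "$src" ] || { echo "source directory missing: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    manifest="$dst/MANIFEST.sha256"
    touch "$manifest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Never copy the file that is still being written.
        [ "$name" = "$active" ] && continue
        h_src=$(sha256sum "$f" | cut -d' ' -f1)
        # Skip files already archived with identical content.
        if grep -qxF "$h_src  $name" "$manifest"; then
            continue
        fi
        # Copy to a temporary name so a partial copy is never mistaken
        # for a complete archive entry.
        cp -p "$f" "$dst/$name.tmp" || return 1
        h_dst=$(sha256sum "$dst/$name.tmp" | cut -d' ' -f1)
        if [ "$h_src" != "$h_dst" ]; then
            rm -f "$dst/$name.tmp"
            echo "verification failed: $name" >&2
            return 1
        fi
        mv "$dst/$name.tmp" "$dst/$name"
        echo "$h_src  $name" >> "$manifest"
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when called with arguments: SRC_DIR DST_DIR [ACTIVE_NAME]
if [ "$#" -ge 2 ]; then archive_logs "$@"; fi
```

The manifest uses the format that sha256sum -c reads, so the archive can be re-verified later from inside the archive directory.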