Importing Offline Log Files
SmartEvent lets you examine logs from previously generated log files, so you can investigate security threats and pattern anomalies that occurred before SmartEvent was installed. For example: unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity.
You can review logs from a specific past time frame, identify missed threats, and process newly discovered events.
Step 1: Adjust Log Indexing Settings
By default, SmartEvent indexes offline logs from the last 1 day. To import and analyze logs from earlier dates, update the log indexing settings.
To change log indexing settings:
- Stop the SmartEvent services.
  On the SmartEvent Server (the dedicated Check Point server with the SmartEvent Software Blade enabled that hosts the events database), run:
  # evstop
- Set the number of days to index.
  On the SmartEvent Server, run:
  $INDEXERDIR/log_indexer -days_to_index <days> -workingDir $INDEXERDIR
  Replace <days> with the number of previous days you want the SmartEvent Server to index. For example, to import and index logs from the last 30 days, enter 30.
  Note - Only index as many days as needed, to minimize the performance impact.
- Configure log retention in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).
  In SmartConsole > Gateways & Servers view:
  - Open the SmartEvent Server object.
  - In the left navigation panel, go to Logs > Storage > Daily Logs Retention Configuration.
  - Make sure that Keep indexed logs for no longer than [14] days is not selected, or set it to a value equal to or higher than the number of days configured in days_to_index. Otherwise, logs that were just indexed are purged again by the retention job.
- Restart the SmartEvent services.
  On the SmartEvent Server, run:
  # evstart
Step 2: Copy Log Files
Copy the log files and their related pointer files (<log file name>.log*) to the $FWDIR/log directory on the Log Server (the dedicated Check Point server that runs Check Point software to store and process logs) that sends logs to the SmartEvent Server.
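The command-line part of Step 1 and Step 2 above, as an added shell example that is not Check Point's own tooling. It assumes the commands and paths the page names (evstop, evstart, $INDEXERDIR/log_indexer, $FWDIR/log) and adds the checks a practitioner wants first: the day count is a sane integer, the retention value configured in SmartConsole (passed in by hand, since it lives in the GUI) is not shorter than days_to_index, and a .log file is not copied without its companion pointer files.

```shell
#!/bin/sh
# Added example wrapping Step 1 and Step 2 (not Check Point's own tooling).
# Assumed from the page: evstop / evstart, $INDEXERDIR/log_indexer, $FWDIR/log.

# Accept only a positive integer day count, so a typo such as "3O" never
# reaches log_indexer.
validate_days() {
    case "$1" in
        ''|0|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = days_to_index, $2 = SmartConsole retention days (0 = the
# "Keep indexed logs for no longer than" option is not selected).
# Retention shorter than days_to_index would purge the freshly indexed logs.
retention_ok() {
    [ "$2" -eq 0 ] || [ "$2" -ge "$1" ]
}

# $1 = source dir, $2 = destination ($FWDIR/log on the Log Server),
# $3 = log file base name. Copies NAME.log plus every NAME.log* pointer file,
# and refuses a NAME.log that arrives without any pointer files.
copy_offline_logs() {
    src=$1; dst=$2; name=$3
    [ -f "$src/$name.log" ] || { echo "missing $name.log" >&2; return 1; }
    n=0
    for f in "$src/$name".log*; do
        [ "$f" != "$src/$name.log" ] && n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no pointer files for $name.log" >&2; return 1; }
    cp "$src/$name".log* "$dst"/
}

# Step 1 end to end on the SmartEvent Server (requires root; call by hand).
# $1 = days_to_index, $2 = retention days as configured in SmartConsole.
reindex_offline_logs() {
    validate_days "$1" || { echo "bad day count: $1" >&2; return 1; }
    retention_ok "$1" "$2" || { echo "retention $2 < days_to_index $1" >&2; return 1; }
    evstop
    "$INDEXERDIR/log_indexer" -days_to_index "$1" -workingDir "$INDEXERDIR"
    evstart
}
```

Run reindex_offline_logs on the SmartEvent Server and copy_offline_logs on the Log Server; the checks are plain shell and can be exercised anywhere.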
Step 3: Add Offline Logs to the SmartEvent Correlation Unit
- In SmartConsole, go to the Logs & Events view, and click the + sign to open a new tab.
- At the bottom left corner, go to External Apps, and select SmartEvent Settings & Policy.
- In the SmartEvent GUI client that opens, go to the Event policy tab > General Settings > Initial Settings > Offline Jobs.
- To add an offline job, click Add.
  The Add Offline job window opens.
- Enter this information:
  - Name - Identifier for the offline log file.
  - Comment - Description of the offline job.
  - Offline Job Parameters:
    - SmartEvent Correlation Unit - The Correlation Unit that reads and processes the offline logs.
    - Log Server - The Log Server that contains the offline log files. SmartEvent queries this Log Server to find the available log files.
    - Log File - Select the log file to import.
- Click Save.
To run offline jobs for multiple log files, see sk98894.
Additional options in the Offline Jobs page:
- Edit - Modify the parameters of an existing offline job.
- Remove - Delete an offline job.
- Start - Import the offline log file to the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events).
- Stop - Stop the import of the offline log file. This does not delete the job, but stops it at its current point.
After the Import
The SmartEvent Correlation Unit processes and analyzes the logs based on the configured Event policy. To view the analysis results, go to SmartConsole > Logs & Events tab, and select the relevant view or report (a summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent) from the catalog, or create a customized view or report. For more information, see Views and Reports.