How to calculate/count the total amount of FireWall Logs per second that arrive to Security Management Server
Solution

Follow these steps to calculate the total number of FireWall Logs per second that arrive at this Security Management Server from all its managed Security Gateways:

  1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server (over SSH, or console).

  2. Log in to the Expert mode.

  3. On Multi-Domain Management Server, switch to the context of the relevant Domain Management Server:

    [Expert@HostName]# mdsenv <Name or IP of Domain Management Server>

  4. Go to the Log directory:

    [Expert@HostName]# cd $FWDIR/log

  5. Check by how much the size of the Log Pointer File fw.logptr grows during a specific period of time
    (the period should be long enough to accumulate enough logs - e.g., 120 sec, 180 sec, etc.):

    [Expert@HostName]# ls -l fw.logptr ; sleep SLEEP_TIME ; ls -l fw.logptr

  6. Calculate the log rate using this formula:

    RATE = ( SIZE_AFTER - SIZE_BEFORE ) / ( 4 * SLEEP_TIME )

    Explanation:

    The Log Pointer File $FWDIR/log/fw.logptr contains a 4-byte entry for each log saved in the Log File $FWDIR/log/fw.log.
    The multiplier 4 is the size of each entry (pointer size) in the fw.logptr file.
    This means that if there is 1 log in the fw.log file, then the size of the Log Pointer File is 4 bytes;
    if there are 2 logs in the fw.log file, then the size of the Log Pointer File is 8 bytes, and so on.

    Use these three commands to automate the calculations:

    [Expert@HostName]# SLEEP_TIME=number_of_seconds

    [Expert@HostName]# SIZE_BEFORE=$(ls -l fw.logptr | awk '{print $5}') ; sleep $SLEEP_TIME ; SIZE_AFTER=$(ls -l fw.logptr | awk '{print $5}')

    [Expert@HostName]# echo "scale=3 ; ($SIZE_AFTER - $SIZE_BEFORE) / ( 4 * $SLEEP_TIME )" | bc

    Notes:

    • Relevant manual pages:
    • If the log rate value has to be used in a shell script, then use this syntax:
      [Expert@HostName]# RATE=$(echo "scale=3 ; ($SIZE_AFTER - $SIZE_BEFORE) / ( 4 * $SLEEP_TIME )" | bc)

    • If the log rate value has to be collected in a loop from all Domain Management Servers on a Multi-Domain Server, then use these commands in a shell script:

      Note: There must be an additional empty line after the last line "exit 0".

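      #!/bin/sh
      # Print log rate data on all Domains

      # Execute the script that defines Check Point environment variables
      source /opt/CPshared/5.0/tmp/.CPprofile.sh

      # Length of the measurement window for each Domain, in seconds
      SLEEP_TIME=desired_number_of_seconds

      echo "Started at $(/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss)"

      # Each directory under $MDSDIR/customers is one Domain Management Server
      for DOMAIN in $(ls -1 "$MDSDIR/customers")
      do
          # Switch to the context of this Domain and go to its log directory
          mdsenv "$DOMAIN"
          mcd log
          # Size of the Log Pointer File before and after the measurement window
          SIZE_BEFORE=$(ls -l fw.logptr | awk '{print $5}')
          sleep "$SLEEP_TIME"
          SIZE_AFTER=$(ls -l fw.logptr | awk '{print $5}')
          echo -n "- rate on $DOMAIN during $SLEEP_TIME seconds: "
          # 4 bytes per pointer entry, so bytes / 4 = number of logs
          echo "scale=3 ; ($SIZE_AFTER - $SIZE_BEFORE) / ( 4 * $SLEEP_TIME )" | bc
          echo " "
      done

      echo "Finished at $(/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss)"

      exit 0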
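
The formula from step 6 with input checks, as an added example that is not part of the original article or of any Check Point tooling. The function names log_rate and sample_log_rate are hypothetical; it uses awk instead of bc (so the third decimal is rounded rather than truncated) and wc -c instead of parsing ls -l, and it assumes that a fw.logptr that shrinks during the window was replaced by a log switch, so that sample is rejected instead of printing a negative rate.

```shell
#!/bin/sh
# Added example: guarded form of
#   RATE = (SIZE_AFTER - SIZE_BEFORE) / (4 * SLEEP_TIME)

ENTRY_SIZE=4   # bytes per fw.logptr entry, as stated in the article

# log_rate SIZE_BEFORE SIZE_AFTER SLEEP_TIME
# Prints logs per second with 3 decimals.
# Returns 1 on bad input, 2 if the pointer file shrank during the window.
log_rate() {
    for lr_arg in "$1" "$2" "$3"; do
        case "$lr_arg" in
            ''|*[!0-9]*)
                echo "log_rate: not a non-negative integer: '$lr_arg'" >&2
                return 1 ;;
        esac
    done
    if [ "$3" -eq 0 ]; then
        echo "log_rate: SLEEP_TIME must be greater than 0" >&2
        return 1
    fi
    if [ "$2" -lt "$1" ]; then
        # Assumption: a smaller file means fw.logptr was replaced by a log switch
        echo "log_rate: file shrank ($1 -> $2 bytes), sample again" >&2
        return 2
    fi
    awk -v b="$1" -v a="$2" -v t="$3" -v e="$ENTRY_SIZE" \
        'BEGIN { printf "%.3f\n", (a - b) / (e * t) }'
}

# sample_log_rate FILE SLEEP_TIME
# Measures FILE before and after SLEEP_TIME seconds and prints the rate.
sample_log_rate() {
    [ -r "$1" ] || { echo "sample_log_rate: cannot read $1" >&2; return 1; }
    slr_before=$(( $(wc -c < "$1") ))
    sleep "$2" || return 1
    slr_after=$(( $(wc -c < "$1") ))
    log_rate "$slr_before" "$slr_after" "$2"
}

# Constructed sizes: 48000 bytes of growth in 120 seconds
log_rate 1000 49000 120
# On a management server: cd $FWDIR/log && sample_log_rate fw.logptr 120
```
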
       
      

Related solution: sk120341 - How to monitor the Log Receive Rate on Management Server / Log Server R80 and above
