Best Practices - Configuration of logging from Security Gateway to Security Management Server / Log Server
Solution
  1. Make sure that the Security Management and Log Server have sufficient disk space.

  2. Make sure that the /etc/hosts files on Security Gateway, Security Management and Log Server are properly configured. Refer to sk42952 for cluster members configuration, or to sk98977 for the single Security Gateway instructions.

    Importance of /etc/hosts file:

    Check Point software relies heavily on the /etc/hosts file. If this file is not configured correctly, various problems can arise in communication with the Security Management Server.

    Make sure that /etc/resolv.conf specifies the order of DNS servers.
    Refer to:

  3. In Security Management Server / Log Server "General Properties", make sure to select the "Logging & Status" checkbox.

  4. For R80.x:

    Open Security Gateway Properties -> go to Logs -> select the "Send gateway logs and alerts to server (<Management server name>)" checkbox:

    In Security Gateway Properties, go to Logs -> Local Storage and set the alert for when disk space is below the threshold (default value is 20 MBytes).

    Note that the delete threshold cannot be more than 25% of the disk. Automatically delete logs if less than 12GB are available. It is recommended to delete the old files when disk space is below 15-20%.


    For Security Management Server:

    In Security Management Server Properties, go to Logs. Here, you can enable Log Indexing and see all the Security Gateways that send their logs to this Security Management Server.


    Go to Logs -> Storage.

    This is where we configure the Security Management Server to switch the active log file.

    Note: In the Security Management Server Properties, make sure to have it set for log switch if the Management Server is the Log server.

    Select the box "When disk space is below ... MBytes, issue alert".


    In Security Management Server Properties, go to Logs -> Additional Logging.

    Select the box "Create a new log file when the current file size is larger than" (default is 1000 MBytes). It can be scheduled for any desired time. It is best to perform the switch on a daily basis.




    If there is another Log Server and you want the Security Management Server to forward the logs to it, then select the "Forward log files to Log Server" checkbox and then select the relevant Log Server.



  5. Prior to R80.x: 


    Open Security Gateway Properties -> go to Logs -> select the Security Management Server / Log Server, to which the logs should be sent.

    Note: "Use Local definitions for Masters" option is not present. Refer to sk73820.

    In Security Gateway Properties, go to Logs -> Local Storage - set the alert for when disk space is below the threshold (default value is 20 Mbytes).

    For Security Management Server:

    In Security Management Server Properties, go to Logs.

    Here, you can enable SmartLog and see all the Security Gateways that send their logs to this Security Management Server.

    Go to Logs -> Storage.

    This is where we configure the Security Management Server to switch the active log file.

    Note: In the Security Management Server Properties, make sure to have it set for log switch if the Management Server is the Log server.

    Select the box "Create a new log file when the current file size is larger than" (default is 1000 MBytes). It can be scheduled for any desired time. It is best to perform the switch on a daily basis.

    Select the box "When disk space is below ... MBytes, issue alert".


    In Security Management Server Properties, go to Logs -> Additional Logging.

    If there is another Log Server and you want the Security Management Server to forward the logs to it, then check the box "Forward log files to Log Server" and select the relevant Log Server.



  6. For versions below R75.40


    For Security Gateway to log to the Security Management Server or to a Log server, in the SmartDashboard, open Security Gateway Properties - go to Logs and Masters -> Masters and select "Define Masters".

    OR select "Use Local definitions for Masters" and manually edit the $FWDIR/conf/masters file on Security Gateway.


    In Security Gateway Properties, go to Logs and Masters -> Log Servers - select your Security Management Server / Log Server.


    For Security Management server:

    In the Security Management Server "General Properties", make sure to have it set for log switch if the Management Server is the Log server.
    Select the box "Log switch when file size is" (the default value is 500 MBytes). It can be scheduled for any time. It is best to perform the switch on a daily basis.


    Make sure to check the box "Alert when free disk space is below" (default is 20 MBytes).


    If there is another Log Server, and you want the Security Management Server to forward the logs to it, then check the box "Forward log files to Log Server" and select the relevant Log Server.



  7. In the SmartConsole/SmartDashboard, go to Policy menu -> click on Install Database... -> select the Security Management Server / Log Server, to which the Security Gateway(s) will be sending logs.



  8. Install the Policy on the involved Security Gateway(s).

  9. Check the logs in Logs & Monitor View / SmartView Tracker.
    Sometimes the logs appear immediately, and other times it may take about 5 minutes.
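
As an added example (not Check Point tooling and not part of the original article), the checks in steps 1 and 2 can be scripted and run before logging is configured. The function names are hypothetical, and the rule that each name maps to exactly one non-loopback address is an assumption; sk42952 and sk98977 define the actual /etc/hosts requirements.

```shell
# Added example: pre-flight checks for steps 1-2. Helper names are hypothetical.

# hosts_entry_ok FILE NAME -> 0 only if NAME maps to exactly one
# non-loopback address in FILE (assumed rule; see sk42952 / sk98977).
hosts_entry_ok() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # drop comments
        { for (i = 2; i <= NF; i++) if ($i == name) ips[$1] = 1 }
        END {
            for (ip in ips) { n++; if (ip ~ /^127\./ || ip == "::1") bad = 1 }
            exit !(n == 1 && !bad)
        }' "$1"
}

# dns_server_count FILE -> prints the number of nameserver lines.
dns_server_count() {
    awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# free_pct DIR -> prints free space (%) of the filesystem holding DIR.
free_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print 100 - $5 }'
}

# disk_state PCT -> ok / warn / delete-old-logs, using the 15-20% band.
disk_state() {
    if [ "$1" -lt 15 ]; then echo delete-old-logs
    elif [ "$1" -le 20 ]; then echo warn
    else echo ok; fi
}

# preflight HOSTS RESOLV LOGDIR NAME... -> prints findings, returns 1 on any.
preflight() {
    hosts=$1 resolv=$2 logdir=$3; shift 3; rc=0
    for name in "$@"; do
        hosts_entry_ok "$hosts" "$name" || { echo "hosts: check $name"; rc=1; }
    done
    [ "$(dns_server_count "$resolv")" -ge 1 ] || { echo "dns: no nameserver"; rc=1; }
    state=$(disk_state "$(free_pct "$logdir")")
    [ "$state" = ok ] || { echo "disk: $state on $logdir"; rc=1; }
    return $rc
}

# Demo on constructed files (192.0.2.0/24 is documentation address space).
tmp=$(mktemp -d)
printf '192.0.2.10 gw1\n127.0.0.1 mgmt\n' > "$tmp/hosts"
printf 'nameserver 192.0.2.53\n' > "$tmp/resolv"
preflight "$tmp/hosts" "$tmp/resolv" / gw1 mgmt || echo "pre-flight failed"
rm -rf "$tmp"
```

On a real system the arguments would be /etc/hosts, /etc/resolv.conf, the log partition and the host names of the gateway and log server objects.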


Recommendations:

  • Enable Log forwarding once a day on all gateways. That way, if local logging happens, the logs do not stay on the gateway indefinitely.
  • Enable the delete and stop logging thresholds on gateways as well. This way, local logging can never fill their disks.
