SmartLog Architecture and Tuning

So I spent this week helping Dudi create a new SK that was badly needed for SmartLog. Most sites just fire and forget when they start using SmartLog, but as you will soon find out on huge sites (we get 26 GB/day), you start running out of disk space. So when you go digging into smartlog_settings.txt, you will find some really confusing parameters that may or may not help you tune disk usage. The existing SKs are not that great, but Dudi did a great job explaining all the parameters related to tuning disk usage.

One thing I noticed as I was editing his text was that nowhere in the documentation is the overall SmartLog architecture described. Maybe this is pretty obvious to y'all, but it took me a while to figure this out. On an MDS, there are logs at the MDS level (mostly MDS management info only) and at the DMS level. A peer SmartLog process is then run for each MDS and DMS. The SmartLog process builds and maintains indexes for the individual MDS/DMS log files. NOTE: these are NOT firewall log files, only management information about who logged in and modifications to the rulebase.

MDS Architecture

Then there are TWO different SmartLogs you can run. The one at the MDS level searches through your entire MDM environment (here at the MDS level you can see the individual indexes).

(Screenshots: Start MDS SmartLog; MDS indexes)

At the DMS level, you see only information related to your DMS. Searches are faster and more detailed usage information is returned.

(Screenshots: Start DMS SmartLog; DMS SmartLog)

You can see this MDS/DMS split when you run 'ps -ef | fgrep -i smartlog': all the SmartLog processes will be listed. Then run 'mdsenv; cd $SMARTLOGDIR; pwd' followed by 'mdsenv <DOMAINNAME>; cd $SMARTLOGDIR; pwd' and compare the directory names: the MDS and each domain resolve $SMARTLOGDIR to a different index directory.
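The comparison above done for every domain at once, as an added example that is not part of the original post or of Check Point's own tooling. It generalizes the 'mdsenv; cd $SMARTLOGDIR; pwd' step into an inventory of each scope's SmartLog index directory and its disk usage, which is what you actually want when the box is filling up. Assumptions not stated on the page: domains are the subdirectories of $MDSDIR/customers, and mdsenv is a shell function in the expert shell, so source this file (". ./smartlog_inventory.sh") rather than executing it, then call inventory.

```shell
#!/bin/sh
# smartlog_inventory.sh - added example, not from the original post.
# Inventories the SmartLog index directory and its disk usage for the MDS
# itself and for every domain (DMS), using the mdsenv/$SMARTLOGDIR procedure.
# Assumptions (not on the page): domains live under $MDSDIR/customers/<name>,
# and mdsenv is available as a shell function, so source this file in expert
# mode on the MDS instead of running it as a separate process.

# Keep only SmartLog processes from `ps -ef` text on stdin, dropping the
# grep/fgrep line itself. Pure text filter so it can be exercised offline.
smartlog_procs() {
    grep -i 'smartlog' | grep -v 'grep'
}

# Number of SmartLog processes in `ps -ef` text on stdin (one number).
smartlog_proc_count() {
    smartlog_procs | wc -l | tr -d ' '
}

# Resolve $SMARTLOGDIR for the MDS (no argument) or for one domain (its name),
# inside a subshell so the caller's mdsenv context is left untouched.
# Prints the directory, or nothing if mdsenv fails or the variable is unset.
smartlog_dir_for() {
    ( mdsenv "$@" >/dev/null 2>&1 && [ -n "$SMARTLOGDIR" ] \
        && cd "$SMARTLOGDIR" && pwd )
}

# Disk usage of a directory in KB (du -sk), or 0 when it does not exist.
dir_kb() {
    if [ -d "$1" ]; then du -sk "$1" | awk '{print $1}'; else echo 0; fi
}

# Walk the MDS and every domain and print: <scope> <SmartLog dir> <KB used>.
# Scopes whose $SMARTLOGDIR cannot be resolved are shown as <unresolved>.
inventory() {
    printf '%-20s %-60s %s\n' SCOPE SMARTLOGDIR KB
    d=$(smartlog_dir_for)
    printf '%-20s %-60s %s\n' MDS "${d:-<unresolved>}" "$(dir_kb "$d")"
    for c in "${MDSDIR:?MDSDIR not set; run mdsenv first}"/customers/*/; do
        name=$(basename "$c")
        d=$(smartlog_dir_for "$name")
        printf '%-20s %-60s %s\n' "$name" "${d:-<unresolved>}" "$(dir_kb "$d")"
    done
}

# Typical use after sourcing this file on the MDS:
#   echo "SmartLog processes: $(ps -ef | smartlog_proc_count)"
#   inventory
```

The process count should line up with the number of rows the inventory prints (one SmartLog per MDS and per domain); a scope that shows up in the process list but resolves to <unresolved> or 0 KB is the first place to look when something is not being indexed, and the largest KB column is where the disk is going.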

I think I have convinced Dudi to merge them both into one where you will be able to see usage information at the global AND the DMS level. This would make a great competitor to crappy SIEM tools like RSA enVision and ArcSight, and to cool but hard to use SNMP/NetFlow tools.

Second thing. SmartLog performs four functions:

1) Indexes new logs
2) Indexes old logs (on startup it looks backwards through history)
3) Services the SmartLog GUI
4) Deletes old index files, based on the state of their peer log files

So let's say you delete all your log files, restart SmartLog, put a GUI on it and start doing searches. SmartLog will be a REALLY busy little beaver because it has to do three of these functions at once. SOOOOO when you purge your logs, you may want to look at sk73361 or dink with num_days_restriction_fetch_all_integraded (3) to limit how far back SmartLog indexes history.
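Reading and changing that limit safely before the restart, as an added example that is not part of the original post or of Check Point's tooling. The parameter name is spelled exactly as the post gives it; the assumption not stated on the page is that smartlog_settings.txt uses Check Point's ":name (value)" line format, so check your own copy ('cd $SMARTLOGDIR; grep num_days smartlog_settings.txt') before editing, and remember each domain has its own $SMARTLOGDIR and its own copy of the file.

```shell
#!/bin/sh
# smartlog_settings.sh - added example, not from the original post.
# Read and change a ":name (value)" setting in smartlog_settings.txt, e.g.
#     :num_days_restriction_fetch_all_integraded (3)
# Assumption (not on the page): the file uses that one-setting-per-line
# format; values containing spaces are not handled.

# Print the value of setting NAME in FILE, or nothing if it is absent.
setting_get() {   # setting_get FILE NAME
    awk -v n=":$2" '
        $1 == n { v = $2; sub(/^\(/, "", v); sub(/\)$/, "", v); print v; exit }
    ' "$1"
}

# Rewrite NAME to VALUE in place, keeping a timestamped backup. Refuses to
# touch the file when the setting is not present, so a typo in the name
# cannot silently add a line that SmartLog never reads.
setting_set() {   # setting_set FILE NAME VALUE
    f=$1 n=$2 v=$3
    if [ -z "$(setting_get "$f" "$n")" ]; then
        echo "no setting :$n in $f" >&2
        return 1
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    # Keep leading whitespace and the name; replace only the parenthesised value.
    sed -i "s/^\([[:space:]]*:$n[[:space:]]*(\)[^)]*)/\1$v)/" "$f"
}

# Typical use on the MDS (repeat per domain after 'mdsenv <DOMAINNAME>'):
#   cd "$SMARTLOGDIR"
#   setting_get smartlog_settings.txt num_days_restriction_fetch_all_integraded
#   setting_set smartlog_settings.txt num_days_restriction_fetch_all_integraded 1
#   then restart SmartLog as sk73361 / your version's docs describe.
```

Lowering the value only shortens the history re-index on the next start; it does nothing for indexes that already exist, which is function 4's job, so after a purge expect the old index files to be cleaned up separately.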

Once again, SmartLog is the coolest tool in Check Point’s suite. For the life of me I’m not sure why they aren’t pushing it as the messiah of security/network tools. Then again, I don’t have a personal jet like Gill….

SmartLog – Index’ing your life


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
