Check Point Log Delete Script

Clean up the disk space on your Check Point firewall so that a full log partition doesn’t impact your system operations!

If you run a Check Point system, you will know from way back that you have always needed either a log rotation script or a log delete script.  Check Point has improved since the days of Solaris 10: the system itself can now rotate the logs, but the cleanup settings under R80.10 still don’t do what they are meant to do, namely clean up the old logs.

Hence you still need to set up a log delete script, run via cron, to remove logs older than a given age.

I’ve provided a very cut-down script below.  It does what I need, and that is it.

Let me know what you think!  Please suggest updates or improvements!

So this script works, but what could be done to make it better?  I’ve added a couple of suggestions.  Let me know what you think and what I can add to the list.  I’ll add an updated script, incorporating these suggestions, after the basic one below!

  • If you have a mail server, check the disk space and alert/mail out if usage is > 95%?
  • Error checking?
  • What else should I add?

#!/bin/bash
###########################################################################
###     DELETE CHECK POINT LOG FILES OLDER THAN 3 MONTHS                ###
###########################################################################
#
# Delete Check Point logs after the system has rotated the log files
# AUTHOR: Brett Gardner - https://1system.online - LATEST RELEASE: 20210803
# CODE DISCLAIMER: https://1system.online/code-disclaimer/
# VENDOR & ORIGINAL BASE SCRIPT: Check Point
# CUSTOMISED DEVICE TYPE: Check Point GAIA
# TESTED: Check Point R80.10
#
# DESCRIPTION:
# ------------
# This script deletes log files that are older than 3 months.
#
# Reference: Check Point Solution ID sk77300
# The log paths used below do not work for VSX (see the sk for reference)
#
# Clish: Create userid to run cron
# HostName> add user cronuser uid 0 homedir /home/cronuser
# HostName> save config
#
### Format of log files to delete:
# Path: /var/log/disk2/log/
# 2020-12-31_224903_5008.log
# 2020-12-31_224903_5008.log_stats
# 2020-12-31_224903_5008.logaccount_ptr
# 2020-12-31_224903_5008.loginitial_ptr
# 2020-12-31_224903_5008.logptr
# 2020-12-07_000000.adtlog
# 2020-12-06_000000.adtlogaccount_ptr
# testcpsms01__2020-11-24_000000.adtloginitial_ptr
# testcpsms01__2020-12-02_000000.adtlogptr
#
###########################################################################

###########################################################################
# Crontab Entry Required:
# Create cronjob: crontab -u cronuser -e
# File location: /var/spool/cron/cronuser
#    0 3 */1 * * /bin/cplogdelete
# List the cronjob to confirm it is installed: crontab -u cronuser -l
#
###########################################################################

###########################################################################
# Dependent Files & Scripts Required for Script to Operate
# -Checkpoint environment script: /opt/CPshrd-R80/tmp/.CPprofile.sh
# -Mail must be configured
###########################################################################

# Export the CP environment variables
source /opt/CPshrd-R80/tmp/.CPprofile.sh

# Set the variables: number of days covered by the last three months
# (uses GNU date, as shipped on Gaia)
days=$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))

###########################################################################
# Find and delete log files
#
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.log' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.log_stats' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.logaccount_ptr' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.loginitial_ptr' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.logptr' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.adtlog' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.adtlogaccount_ptr' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.adtloginitial_ptr' -type f -mtime +$days -delete
find /var/log/disk2/log/ -path '/var/log/disk2/log/*.adtlogptr' -type f -mtime +$days -delete

# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.log' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.log_stats' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.logaccount_ptr' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.loginitial_ptr' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.logptr' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*.adtlog' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))" -delete
# Generic find
# find /var/log/disk2/log/ -path '/var/log/disk2/log/*' -type f -mtime "+$(( ( $(date '+%s') - $(date -d '3 months ago' '+%s') ) / 86400 ))"
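As an added example, and not the author’s script, here is how the two suggestions from the list above (a disk-space alert and error checking) could look in a shell version of the cleanup, with a dry-run mode so the matches can be reviewed before anything is deleted. LOG_DIR, the 95% threshold and the function names are assumptions; the file name patterns are the ones the script above uses.

```bash
#!/bin/bash
# Added example, not the author's script: the post's cleanup with the two
# suggestions from the list (a disk-space alert and error checking) plus a
# dry-run mode. LOG_DIR, the 95% threshold and the function names are
# assumptions; the file name patterns are the ones the post's script uses.
set -u

# Parse one "df -P" data line and return its Use% column as a bare number.
pct_from_df_line() {
    echo "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Percent used on the filesystem holding $1 (df -P keeps one line per fs).
disk_pct_used() {
    pct_from_df_line "$(df -P "$1" | tail -n 1)"
}

# Succeed (exit 0) only when usage on $1 is above the threshold in $2.
disk_over_threshold() {
    [ "$(disk_pct_used "$1")" -gt "$2" ]
}

# Delete Check Point log and pointer files older than $2 days under $1.
# Pass "dry" as $3 to list the matches instead of deleting them. One find
# walks the tree once; the function returns non-zero if $1 is missing, so a
# mis-set path fails loudly instead of silently doing nothing.
prune_cp_logs() {
    dir=$1; days=$2; mode=${3:-delete}
    [ -d "$dir" ] || { echo "ERROR: $dir does not exist" >&2; return 1; }
    if [ "$mode" = dry ]; then action=-print; else action=-delete; fi
    find "$dir" -type f -mtime "+$days" \
        \( -name '*.log' -o -name '*.log_stats' -o -name '*.logaccount_ptr' \
        -o -name '*.loginitial_ptr' -o -name '*.logptr' -o -name '*.adtlog' \
        -o -name '*.adtlogaccount_ptr' -o -name '*.adtloginitial_ptr' \
        -o -name '*.adtlogptr' \) "$action"
}

# Report disk usage, alert above the threshold, then prune ("dry" or "run").
main() {
    LOG_DIR=${LOG_DIR:-/var/log/disk2/log}   # assumed: same path as the post
    THRESHOLD=95
    if disk_over_threshold "$LOG_DIR" "$THRESHOLD"; then
        echo "ALERT: $(disk_pct_used "$LOG_DIR")% used on $LOG_DIR" >&2
    fi
    prune_cp_logs "$LOG_DIR" 90 "$1"
}

# Only act when told to: "./cplogcheck.sh dry" lists, "./cplogcheck.sh run" deletes.
case "${1:-}" in dry|run) main "$1" ;; esac
```

Run it with `dry` from cron first and compare the listing against what you expect to lose; the alert goes to stderr, which cron mails to the cron user if mail is configured.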


Below is the updated script, where I will incorporate the suggestions made to improve it!

Until I get to the revision, here is a log rotation script I authored for Check Point R55.  I’ll update this and lab test it for a new version of Check Point.

#!/bin/bash
###########################################################################
###     ARCHIVE CHECKPOINT LOGS AND MAIL OUT DISK SPACE                 ###
###########################################################################
#
# Edited for Checkpoint Firewall-1 NGX-R55 on Solaris 9
# Revision underway
# File Name:            cplogarchive.sh
# File Location:        /usr/local/sbin/
# Version:              1.0
#
# DESCRIPTION:
# ------------
# Original author: Brett Gardner
# Revision: Matt Cobb
# Second revision: Brett Gardner
#
# Functionality was changed to remove manual log rotation which is now
# handled by CP GUI.
# Archiving of logs now performed on logs older than 7 days, which means
# that all logs from the current week and one previous week should be
# accessible via SmartTracker
#
###########################################################################

###########################################################################
# UPDATE HISTORY
#
# DATE          UPDATED BY      VER#    DETAIL
# 2021 underway Brett Gardner   1.0     Script creation
#
###########################################################################

###########################################################################
# Crontab Entry Required:
# Archive CP logs every Monday at 01:00
# 00 01 * * 1 /usr/local/sbin/cplogarchive.sh
#
###########################################################################

###########################################################################
# Dependent Files & Scripts Required for Script to Operate
# -Checkpoint environment script: /opt/CPshrd-R55/tmp/.CPprofile.sh
# -Mail must be configured
###########################################################################

# Export the CP environment variables
. /opt/CPshrd-R55/tmp/.CPprofile.sh

# Set the working directory for this script
# Abort if the log directory is missing, so the later rm calls never run
# against whatever directory the cron job happened to start in
cd "$FWDIR/log" || exit 1

# Set the constants
cEmailBody=/tmp/tmp.$$.txt
cTarList=/tmp/tarlist.$$.txt
cDaysToKeep=7
cExpectedCount=7
cHostname=`/usr/bin/hostname`
cDate=`/bin/date +%Y%b%d`
cFilename=./archive/$cHostname-fwlog-$cDate-$$
cSuccessEmailList=test@test.com
cErrorEmailList=test@test.com
#cErrorEmailList=test@test.com,test2@test.com,test3@test.com

# Set the variables
vActualCount=`find . -mtime +$cDaysToKeep -name '*.log' | wc -l | tr -d " "`
vErrorCode=0

# Initialise the temporary files
touch $cEmailBody
touch $cTarList


###########################################################################
# List and archive log files
#

if [ "$vActualCount" -ne "$cExpectedCount" ]; then
  # Set error code for unexpected file search result
  vErrorCode=1
  echo -e "\nERROR: The log archive script expects to find $cExpectedCount log files to archive, but found $vActualCount!"
  echo "A full error report will be emailed to the QF Firewall Team."
else
  # Find all files with extension ".log" which have not been modified for $cDaysToKeep days
  # Then add all the "logaccount_ptr", "loginitial_ptr", etc files to the list of files to tar
  for i1 in `find . -mtime +$cDaysToKeep -name '*.log'`; do
    echo "`ls -1 $i1*`" >> $cTarList
  done
  echo "Tar'ing files into $cFilename.tar...."
  tar -cvf $cFilename.tar -I $cTarList
  if [ $? -ne 0 ]; then
    # Set error code for tar error/warning
    vErrorCode=2
    echo -e "\nERROR: There was an error/warning when attempting to complete the tar operation"
    echo "A full error report will be emailed to the QF Firewall Team."
  else
    echo "Gzip'ing tarfile...."
    gzip -9 $cFilename.tar
    if [ $? -ne 0 ]; then
      # Set error code for gzip error/warning
      vErrorCode=3
      echo -e "\nERROR: There was an error/warning when attempting to complete the gzip operation"
      echo "A full error report will be emailed to the QF Firewall Team."
    else
      echo "Tarfile gzipped successfully!"
      # Need to start generating successful email body before deleting original files (to get long listing)
      echo "##### The firewall logs for $cHostname have been archived #####" >> $cEmailBody
      echo -e "\nThe following $vActualCount log files were archived:" >> $cEmailBody
      echo "`find . -mtime +$cDaysToKeep -name '*.log' -ls`" >> $cEmailBody
      echo -e "\nAlong with their associated pointer files:" >> $cEmailBody
      # Get long listing of associated pointer files
      echo "`find . -name 'archive' -prune -o -mtime +$cDaysToKeep -a -name '*.log*' -a ! -name '*.log' -ls`" >> $cEmailBody
      # Delete all files which have been archived
      for i2 in `cat $cTarList`; do
        rm $i2
      done
    fi
  fi
fi

###########################################################################
# Mail out info - Report errors if any occurred
#

case $vErrorCode in
0)
  echo -e "\nThe gzipped file is:\n`ls -alp $cFilename*`" >> $cEmailBody
  echo -e "\n---------------" >> $cEmailBody
  echo -e "Running uptime:\n`uptime`" >> $cEmailBody
  echo -e "\n$cHostname disk space as of $cDate:\n`df -h`\n\n\n" >> $cEmailBody
  /bin/mailx -s "$cHostname logs archived on $cDate" $cSuccessEmailList < $cEmailBody
  if [ $? -ne 0 ]; then
    # Note: I may try and generate an SNMP trap here in future
    echo -e "\nERROR: There was a problem sending the report with mailx, please investigate"
    echo -e "\nHere are the contents of the Email file:\n`cat $cEmailBody`"
  fi
  ;;
1)
  rm $cEmailBody; touch $cEmailBody
  echo "##### ATTENTION! There has been an error archiving the firewall logs for $cHostname #####" >> $cEmailBody
  echo -e "\nThe log archive script expects to find $cExpectedCount log files to archive, but found $vActualCount!" >> $cEmailBody
  echo -e "\nThe following log files were found:" >> $cEmailBody
  echo "`find . -mtime +$cDaysToKeep -name '*.log' -ls`" >> $cEmailBody
  echo -e "\nInvestigate this error, then run cplogarchive.sh again, TODAY!\n\n\n" >> $cEmailBody
  /bin/mailx -s "ERROR: $cHostname logs failed to archive on $cDate" $cErrorEmailList < $cEmailBody
  if [ $? -ne 0 ]; then
    # Note: I may try and generate an SNMP trap here in future
    echo -e "\nERROR: There was a problem sending the report with mailx, please investigate"
    echo -e "\nHere are the contents of the Email file:\n`cat $cEmailBody`"
  fi
  ;;
2)
  rm $cEmailBody; touch $cEmailBody
  echo "##### ATTENTION! There has been an error archiving the firewall logs for $cHostname #####" >> $cEmailBody
  echo -e "\nThere was an error/warning when attempting to tar the following files in $FWDIR/log:" >> $cEmailBody
  cat $cTarList >> $cEmailBody
  if [ -e "$cFilename.tar" ]; then
    rm $cFilename.tar       # Remove tar file to save disk space, probably corrupt/incomplete anyway
    if [ $? -ne 0 ]; then
      echo -e "\nERROR: Could not delete failed tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`"
      echo -e "\nERROR: Could not delete failed tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`" >> $cEmailBody
    else
      echo -e "\nSuccessfully deleted failed tar file: $cFilename.tar"
      echo -e "\nSuccessfully deleted failed tar file: $cFilename.tar" >> $cEmailBody
    fi
  else
    echo -e "\nFYI: Sometimes a partial tar file is created and needs to be deleted, but no tar file was created as a result of this error."
    echo -e "\nFYI: Sometimes a partial tar file is created and needs to be deleted, but no tar file was created as a result of this error." >> $cEmailBody
  fi
  echo -e "\nInvestigate this error, then run cplogarchive.sh again, TODAY!\n\n\n" >> $cEmailBody
  /bin/mailx -s "ERROR: $cHostname logs failed to archive on $cDate" $cErrorEmailList < $cEmailBody
  if [ $? -ne 0 ]; then
    # Note: I may try and generate an SNMP trap here in future
    echo -e "\nERROR: There was a problem sending the report with mailx, please investigate"
    echo -e "\nHere are the contents of the Email file:\n`cat $cEmailBody`"
  fi
  ;;
3)
  rm $cEmailBody; touch $cEmailBody
  echo "##### ATTENTION! There has been an error archiving the firewall logs for $cHostname #####" >> $cEmailBody
  echo -e "\nThere was an error/warning when attempting to gzip the following tar file in $FWDIR/log:" >> $cEmailBody
  echo "$cFilename.tar" >> $cEmailBody
  if [ -e "$cFilename.tar" -a -e "$cFilename.tar.gz" ]; then
    rm $cFilename.tar       # Remove tar file to save disk space, probably corrupt/incomplete anyway
    if [ $? -ne 0 ]; then
      echo -e "\nERROR: Could not delete the tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`"
      echo -e "\nERROR: Could not delete the tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`" >> $cEmailBody
    else
      echo -e "\nSuccessfully deleted tar file: $cFilename.tar"
      echo -e "\nSuccessfully deleted tar file: $cFilename.tar" >> $cEmailBody
    fi
    rm $cFilename.tar.gz    # Remove gz file to save disk space, probably corrupt/incomplete anyway
    if [ $? -ne 0 ]; then
      echo -e "\nERROR: Could not delete the failed gz file: $cFilename.tar.gz\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar.gz`"
      echo -e "\nERROR: Could not delete the failed gz file: $cFilename.tar.gz\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar.gz`" >> $cEmailBody
    else
      echo -e "\nSuccessfully deleted failed gz file: $cFilename.tar.gz"
      echo -e "\nSuccessfully deleted failed gz file: $cFilename.tar.gz" >> $cEmailBody
    fi
  elif [ -e "$cFilename.tar" ]; then
    rm $cFilename.tar       # Clean up tar file which failed to gzip
    if [ $? -ne 0 ]; then
      echo -e "\nERROR: Could not delete the tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`"
      echo -e "\nERROR: Could not delete the tar file: $cFilename.tar\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar`" >> $cEmailBody
    else
      echo -e "\nSuccessfully deleted tar file: $cFilename.tar"
      echo -e "\nSuccessfully deleted tar file: $cFilename.tar" >> $cEmailBody
    fi
    echo -e "\nFYI: Sometimes a partial gz file is created and needs to be deleted, but no gz file was created as a result of this error."
    echo -e "\nFYI: Sometimes a partial gz file is created and needs to be deleted, but no gz file was created as a result of this error." >> $cEmailBody
  elif [ -e "$cFilename.tar.gz" ]; then
    echo -e "\nFYI: Seems that the gz file has replaced the tar file OK, but compressed gz file may be incomplete/corrupted due to gzip error/warning."
    echo -e "File $cFilename.tar.gz will be deleted. Please investigate cause of error/warning ASAP."
    echo -e "\nFYI: Seems that the gz file has replaced the tar file OK, but compressed gz file may be incomplete/corrupted due to gzip error/warning." >> $cEmailBody
    echo -e "File $cFilename.tar.gz will be deleted. Please investigate cause of error/warning ASAP." >> $cEmailBody
    rm $cFilename.tar.gz    # Remove gz file to save disk space, probably corrupt/incomplete anyway
    if [ $? -ne 0 ]; then
      echo -e "\nERROR: Could not delete the failed gz file: $cFilename.tar.gz\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar.gz`"
      echo -e "\nERROR: Could not delete the failed gz file: $cFilename.tar.gz\nPlease investigate and manually delete ASAP:\n`ls -l $cFilename.tar.gz`" >> $cEmailBody
    else
      echo -e "\nSuccessfully deleted failed gz file: $cFilename.tar.gz"
      echo -e "\nSuccessfully deleted failed gz file: $cFilename.tar.gz" >> $cEmailBody
    fi
  else
    echo -e "\nERROR: Both files $cFilename.tar and $cFilename.tar.gz do not exist! Please investigate ASAP cos that's REALLY weird!"
    echo -e "\nERROR: Both files $cFilename.tar and $cFilename.tar.gz do not exist! Please investigate ASAP cos that's REALLY weird!" >> $cEmailBody
  fi
  echo -e "\nInvestigate this error, then run cplogarchive.sh again, TODAY!\n\n\n" >> $cEmailBody
  /bin/mailx -s "ERROR: $cHostname logs failed to archive on $cDate" $cErrorEmailList < $cEmailBody
  if [ $? -ne 0 ]; then
    # Note: I may try and generate an SNMP trap here in future
    echo -e "\nERROR: There was a problem sending the report with mailx, please investigate"
    echo -e "\nHere are the contents of the Email file:\n`cat $cEmailBody`"
  fi
  ;;
esac
 

###########################################################################
# Cleanup & Set exit code
#

rm $cEmailBody
rm $cTarList

exit $vErrorCode

Brett

Author and creator of this site
