SmartEvent log handling too slow-checkpoint-gaia,secureplatform
Vendor: checkpoint
OS: gaia,secureplatform
Description:
If SmartEvent can't handle logs fast enough, a backlog may occur or the storage fills up. indeni will track the log handling by SmartEvent and alert if it's too slow.
Remediation Steps:
Contact your technical support provider, mention SK92766.
How does this work?
Count the number of files in $RTDIR/distrib if it exists and determine if the number is too high.
Why is this important?
Too many files in the folder $RTDIR/distrib could indicate an issue with the SmartEvent and SmartLog products. More information is available in the following Check Point KB articles:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk93970
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60080
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92766
Without Indeni how would you find this?
An administrator could log in and count the files manually.
chkp-os-folder-file-count
name: chkp-os-folder-file-count
description: List number of files for a given directory
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        - os.name: gaia
        - os.name: secureplatform
comments:
    folder-file-count:
        why: |
            Too many files in the folder $RTDIR/distrib could indicate an issue with the SmartEvent and SmartLog products.
            More information is available in the following Check Point KB articles:
            https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk93970
            https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60080
            https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92766
        how: |
            Count the number of files in $RTDIR/distrib if it exists and determine if the number is too high.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        file: folder-file-count.remote.1.bash
    parse:
        type: AWK
        file: folder-file-count.parser.1.awk
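The collection step described under "How does this work?" and in the `how` comment above, together with the threshold the rule applies, as an added shell example. This is not indeni's folder-file-count.remote.1.bash, its AWK parser, or the Scala rule; it is written here to show the whole check end to end. It assumes the directory to inspect is passed as an argument (on a real host that is $RTDIR/distrib), that only regular files directly inside the directory count, and that the directory may be absent, in which case no metric is produced. The `folder-file-count path=... value=...` output line and the 120-file demo directory are constructed for the example; the 100-file threshold is the one the rule uses.

```shell
#!/bin/sh
# Added example, not indeni's own script: count files in a directory the way the
# chkp-os-folder-file-count interrogation does, then apply the rule threshold.

# Count regular files directly inside DIR (subdirectories are not descended and
# not counted). Prints the count. If DIR does not exist, prints nothing and
# returns 1, mirroring "count the files in $RTDIR/distrib if it exists".
folder_file_count() {
  dir="$1"
  [ -d "$dir" ] || return 1
  find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Emit the metric with its path tag. The line format is constructed for this
# example; the real parser's output format is not shown on the page.
report_folder_file_count() {
  dir="$1"
  count=$(folder_file_count "$dir") || return 1
  printf 'folder-file-count path=%s value=%s\n' "$dir" "$count"
}

# Rule logic mirrored from check_point_smartevent_log_handling_issue:
# returns 0 (alert) when the count is >= THRESHOLD (default 100, as in the
# rule), 1 when it is below the threshold or the directory is absent.
smartevent_backlog_check() {
  dir="$1"
  threshold="${2:-100}"
  count=$(folder_file_count "$dir") || return 1
  if [ "$count" -ge "$threshold" ]; then
    printf 'ALERT: %s files in %s (threshold %s); log handling may be too slow\n' \
      "$count" "$dir" "$threshold"
    return 0
  fi
  printf 'OK: %s files in %s (threshold %s)\n' "$count" "$dir" "$threshold"
  return 1
}

# Stand-alone demo on a constructed directory tree: 120 empty files stand in
# for a backlog, so the check should alert. Returns the check's exit status.
demo_smartevent_check() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/distrib"
  i=0
  while [ "$i" -lt 120 ]; do
    : > "$tmp/distrib/log_$i.tmp"
    i=$((i + 1))
  done
  report_folder_file_count "$tmp/distrib"
  smartevent_backlog_check "$tmp/distrib" 100
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo_smartevent_check
```

Run with `sh script.sh`; on a real management server you would call `smartevent_backlog_check "$RTDIR/distrib"` instead of the demo. The `-maxdepth 1 -type f` restriction matters: the metric is meant to track pending log files, so subdirectories and anything nested below them should not inflate the count.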
check_point_smartevent_log_handling_issue
package com.indeni.server.rules.library.core

import com.indeni.ruleengine.expressions.conditions.{And, Equals, GreaterThanOrEqual}
import com.indeni.ruleengine.expressions.core.{ConstantExpression, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.scope.ScopeValueExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceCategory, DeviceKey, RuleCategory, RuleContext, RuleMetadata}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class SmartEventLogHandlingRule() extends PerDeviceRule with RuleHelper {

  override val metadata: RuleMetadata = RuleMetadata.builder("check_point_smartevent_log_handling_issue", "SmartEvent log handling too slow",
    "If SmartEvent can't handle logs fast enough a backlog may occur, or the storage fills up. indeni will track the log handling by SmartEvent and alert if it's too slow.",
    AlertSeverity.ERROR, categories = Set(RuleCategory.VendorBestPractices), deviceCategory = DeviceCategory.CheckPointDevices).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Latest sample of the folder-file-count metric for the current path tag
    val actualValue = TimeSeriesExpression[Double]("folder-file-count").last
    // The "path" tag of that metric, i.e. the directory that was counted
    val folderPath = ScopeValueExpression("path").visible().asString().noneable

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      StatusTreeExpression(
        // One branch per distinct "path" tag found on the folder-file-count metric
        SelectTagsExpression(context.tsDao, Set("path"), withTagsCondition("folder-file-count")),

        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("folder-file-count"), denseOnly = false),

          // The condition which, if true, means we have an issue: at least 100 files,
          // and only for the $RTDIR/distrib path (other counted folders are ignored)
          And(
            GreaterThanOrEqual(
              actualValue,
              ConstantExpression(Some(100.0))),
            Equals(folderPath, ConstantExpression(Some("$RTDIR/distrib")))
          )
        ).withRootInfo(
          getHeadline(),
          scopableStringFormatExpression("A look at $RTDIR/distrib shows there are currently %.0f logs being handled and it appears to remain at this level constantly. This may indicate a performance issue.", actualValue),
          ConditionalRemediationSteps("Contact your technical support provider, mention SK92766.")
        ).asCondition()
      ).withoutInfo().asCondition()
    ).withoutInfo()
  }
}