Ken Felix Security Blog: Forcepoint SMC logserver rollup script

Saturday, September 15, 2018

Forcepoint SMC logserver rollup script

The forcepoint Security Management Center allows for you to query logs. One issues, logs can easily be pruned but no on board features for log rollup to a remote-server like a SFTP/SCP.

Here's a quick script that will allow you to run a script via cron job and on a regular interval to rollup logs from the SMC logServer to a remote scp. This a bash script

/bin/bash

# kfelix@socpuppets.com

######## LOG ROLLER IT ON UP ########

# rev 1.0

D=`date +Y%y_Moth%m_Day%d_%s`

H1="<insert the rollup SFTP/SCP server name here >

H2="<insert the rollup SFTP/SCP server name here >

# find all files older than 180days in the /usr/local/forcepoint/smc/data/storage/

LOG_DIR="/usr/local/forcepoint/smc/data/stor

age/"

find $LOG_DIR -name "*.arch" -mtime +180 > /tmp/logsarchs

# take archive list and create tarball.gz

tar czvf ROLLUP.$D.tar.gz --files-from /tmp/logsarchs

# delete listed files

cat /tmp/logsarchs | xargs rm -f

# delete logsarchs catalog text file

rm /tmp/logsarchs

# install at least two rollup destinations

scp ./ROLLUP.$D.tar.gz rollupusername:userpassword@$H1/

scp ./ROLLUP.$D.tar.gz rollupusername:userpassword@$H2/

# rm old archive gz tarball to clear up space

rm -i ROLLUP.$D.tar.gz

This can help on storage issues or before you have storage issues. You could even set a trigger based on the diskutilizaion % and have the script fire off if the disk% is 75% or more

e.g

C=` df -H | grep centos | awk '{ print $5 }' | cut -d % -f 1 `

if [ $C -lt 75 ]; then

exit

elif [ $C -gt 75 ] ; then

echo " Disk Usage is High at $C% utilization on $HOSTNAME " | mail -s " LogRoller SMC " socteam_maillist@socpuppets.com