About Offline Usage Log Import

Security Manager uses logs from monitored devices such as Check Point, Juniper, and Cisco firewalls for usage analysis. As soon as you install and configure your devices, SIP begins collecting those logs. For devices that will never have connectivity, or for devices that hold useful historical usage data, you can instead import logs in bulk.

Consider the following points before using offline usage log import:

Time Stamp and Effects on Usage Data

When archived log files are imported into Security Manager, the entire log file receives the time stamp of the moment Security Manager processes the file, not the time stamps recorded in the log entries themselves. This means that if you import log data from last year into Security Manager, all of that usage data will appear to have happened today.
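A pre-import check that makes this time-stamp behavior visible, added here as an example and not part of Security Manager or its documentation: it reads the device-side time stamps from an archived log file, reports the original date span, and computes how far that span will shift once every record is stamped with the import time. The Cisco ASA-style syslog layout and the sample lines are constructed for this example; adjust the regular expression to match your own export format.

```python
import re
from datetime import datetime

# Assumed layout: Cisco ASA syslog with the device time stamp enabled, e.g.
# "Jan 15 2023 10:23:45: %ASA-6-302013: Built outbound TCP connection ..."
# (constructed for this example; adapt the pattern to your export format).
_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
_TS_FMT = "%b %d %Y %H:%M:%S"


def parse_device_timestamp(line):
    """Return the device-side time stamp of one log line, or None if absent."""
    match = _TS_RE.match(line)
    if not match:
        return None
    return datetime.strptime(match.group("ts"), _TS_FMT)


def summarize_offline_logs(lines, import_time_iso):
    """Describe what an offline import does to the usage timeline.

    Security Manager stamps every imported record with the processing time,
    so the original span is lost. The summary records that span, the apparent
    time after import, the skew in days, and how many lines carry no
    parsable device time stamp at all.
    """
    import_time = datetime.fromisoformat(import_time_iso)
    stamps = [ts for ts in (parse_device_timestamp(l) for l in lines) if ts]
    unparsed = len(lines) - len(stamps)
    if not stamps:
        return {"parsed": 0, "unparsed": unparsed}
    earliest, latest = min(stamps), max(stamps)
    return {
        "parsed": len(stamps),
        "unparsed": unparsed,
        "original_earliest": earliest.isoformat(),
        "original_latest": latest.isoformat(),
        "apparent_time_after_import": import_time.isoformat(),
        "skew_days": (import_time - latest).days,
    }


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    "Jan 15 2023 10:23:45: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:192.0.2.10/51234",
    "Jan 15 2023 10:24:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:17 bytes 8421 TCP FINs",
    "Jan 16 2023 08:01:10: %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.7/80 to inside:192.0.2.11/51300",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.9/22 to inside:192.0.2.12/51400",  # no device time stamp
]

if __name__ == "__main__":
    for key, value in summarize_offline_logs(SAMPLE_LINES, "2024-03-01T09:00:00").items():
        print(f"{key}: {value}")
```

Running the check against real archives before an import gives you the original date range to record alongside the import, since it will not be recoverable from the usage data afterwards.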

Change Detection is Required

Imported log files are not evaluated for configuration changes; they are only imported and evaluated for usage data. The benefit of this behavior is that Security Manager will not receive multiple change notifications that would initiate multiple policy retrievals.

If you choose offline log processing for log collection (instead of monitoring for logs), you must use scheduled change detection unless the device is configured for automatic retrieval (automatic retrieval is the default method). This ensures that Security Manager has a current configuration from the device so that the usage data can be matched to the policy.

Impacts of Change Detection Frequency

  • Configuring scheduled change detection very frequently, e.g., every 5 minutes, could have a negative impact on system performance if you have many devices.
  • When scheduled change detection occurs, a full retrieval is not performed. In particular, Cisco ACLs are not retrieved.
  • If you have many devices with scheduled change detection, not all retrievals are done at once. The retrievals are spaced slightly apart to avoid excessive performance impact.

Change User is Not Available

When using offline log processing and scheduled change detection, Security Manager cannot associate a change with the name of the user who made it. The user will appear as <unknown>.