https://community.checkpoint.com/t5/Firewall-and-Security-Management/Handling-Log-Exporter-in-Management-HA-with-dual-quot-Primary/m-p/275585#M104968 <P>Hi Everyone,<BR /><BR />Setup: Management server in HA, Hardware: open server, OS: R82.10.</P><P>I have a Management HA setup where both servers are configured as Primary Log Servers (Gateways are sending logs to both simultaneously). I've configured Log Exporter on Mgmt1 to forward to our SIEM, and it’s working fine.</P><P>The issue is failover. Our SIEM does not support deduplication, so I can't run the exporter on both management servers at the same time without doubling our data. The client also wants to keep the dual-primary logging config, so I can't switch to a Primary/Secondary log server hierarchy.</P><P>Is there a standard way to automate an "Active/Standby" behavior for the Log Exporter process? I'm looking for a way to have the exporter start on Mgmt2 only if Mgmt1 goes down, without manual CLI work.</P><P>Any scripts or best practices for tying cp_log_export to the HA state?</P><P>&nbsp;</P><P>Regards,<BR /><BR /></P><P><A href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/9282" target="_blank" rel="noopener">@Magnus-Holmberg</A>&nbsp;,&nbsp;<A href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213" target="_blank" rel="noopener">@the_rock</A>&nbsp;,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P> Thu, 16 Apr 2026 06:42:31 GMT sandeepsutar 2026-04-16T06:42:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Handling-Log-Exporter-in-Management-HA-with-dual-quot-Primary/m-p/275585#M104968 <P>Hi Everyone,<BR /><BR />Setup: Management server in HA, Hardware: open server, OS: R82.10.</P><P>I have a Management HA setup where both servers are configured as Primary Log Servers (Gateways are sending logs to both simultaneously). I've configured Log Exporter on Mgmt1 to forward to our SIEM, and it’s working fine.</P><P>The issue is failover. Our SIEM does not support deduplication, so I can't run the exporter on both management servers at the same time without doubling our data. The client also wants to keep the dual-primary logging config, so I can't switch to a Primary/Secondary log server hierarchy.</P><P>Is there a standard way to automate an "Active/Standby" behavior for the Log Exporter process? I'm looking for a way to have the exporter start on Mgmt2 only if Mgmt1 goes down, without manual CLI work.</P><P>Any scripts or best practices for tying cp_log_export to the HA state?</P><P>&nbsp;</P><P>Regards,<BR /><BR /></P><P><A href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/9282" target="_blank" rel="noopener">@Magnus-Holmberg</A>&nbsp;,&nbsp;<A href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213" target="_blank" rel="noopener">@the_rock</A>&nbsp;,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P> Thu, 16 Apr 2026 06:42:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Handling-Log-Exporter-in-Management-HA-with-dual-quot-Primary/m-p/275585#M104968 sandeepsutar 2026-04-16T06:42:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Handling-Log-Exporter-in-Management-HA-with-dual-quot-Primary/m-p/275589#M104970 <P>There's no standard way to automate this, it would require external monitoring of something and thus the external tool starting and stopping log exporter on the standby mgmt server.&nbsp;</P> <P>If the customer has their gateways configured to forward logs to the primary mgmt server at midnight (will be the default for new gateways created in R82.10 mgmt servers onwards) then the logs will all end up at the SIEM eventually, after the local logs that spool up on the gateways while the server is down are picked up and sent over. Else the recommended solution would be log distribution and a SIEM connection to both mgmt servers, but then the customer loses the duplication of logs at the log servers.</P> Thu, 16 Apr 2026 07:57:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Handling-Log-Exporter-in-Management-HA-with-dual-quot-Primary/m-p/275589#M104970 emmap 2026-04-16T07:57:08Z