Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kul
Contributor

Unable to get logs on my Management server

I am here at the head office and we have R80.10 installed on the management Server

I can get logs from the firewall at my head office but i cant get any logs from the branch offices located in other places.

Uri BialikOmer ArmanKyle ReynoldsBob Bent#

Issue: Security Management Server is not receiving logs from Security Gateway.

--> Observed that 4 gateways are not forwarding the logs to the management server.
--> Disk space is fine on management server.
--> All processors all established.
--> Log server integrated with management server.
--> Management Server able to communicate over SIC with 4 Security Gateway's.
--> checked management interface in GAIA GUI showing up.
--> Cheked firewall log file fw.log growing on the both Security Gateway's.
--> Management Server listening on TCP port 257.
--> And gateways are listening on TCP port 257.
--> Done the cpstop/cpstart on the Mangement server but no luck.
--> Perform the cpstop and moved all fw.log* files from the $FWDIR/log/ to /var/tmp the ran the cpstar but no luck.
Please help me.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

On the gateway, what does netstat -an | grep 257 show you?

When all is well, you should see something like:

tcp        0      0 10.x.y.z:57439              10.a.b.c:257              ESTABLISHED

tcp        0      0 :::257                      :::*                        LISTEN      

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

Can you ping the management server from the gateway?

Is your management server behind NAT? If it is, please see the following SK:
Troubleshooting "SmartCenter behind NAT" issues 

Make sure that routing is correct. If return packets are taking a different path than the incoming packets, logging can have issues.

0 Kudos
Hugo_vd_Kooij
Advisor

I would have watch -d -n1 "netstat -na| grep :257" on both a gateway and the SmartCenter.

Then fetch policy on the gateway.

If nothing stands out then you should stop and start the gateway and see if anything stands out.

While sk100538 may be helpfull it will not resolve all issues. I have seen a weird case where the TAC was scratching their heads as much as I was.

A recent HFA fixed it.But the issue was no on the list for R77.30.

So to be honest I still don't know why it was solved but it never reappeared either.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Upcoming Events

    CheckMates Events