This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Graham1
Contributor
‎2024-01-17 01:42 PM
Jump to solution

Log only partially indexing after R81.20 upgrade

I am at loss, and grasping at straws.

Single Management (VMware Open Server) server was upgraded from R81.10 to R81.20. Since then I am seeing partial log entries when using the Logs view from Logs & Monitor.
The ONLY way to view full log entries is when I open specific log files.
I am getting some http/s logs from one GW.
I am getting AD query & IPS logs from another GW(Main office), but nothing else.

Answering as many question as I can to give a full picture
All four gateways are sending their logs to this mangement server and their fw.log is NOT growing
Since I am seeing logs entries from gateways when manually opening log files, I say sk40090 DOES NOT apply
I don't think sk112162 applies either since teh GW's are not logging locally
I have no remote log servers.
Support is unable to replicate using my config and DB, so they suggested rebuiliding the VMware open server.
I have done this and still the same problem.
$RTDIR/conf/logServerConfig.xml is only showing the one IP and is the one I am expecting.
df -h /var/log = 793G free (since I rebuilt the server)
I have pushed policy on all GWs and installed DB on management
SIC status is "Communicating"

Apparently for Support the next step is R&D, but I am worried this is going to take a really long time.

Does anyone have any ideas?   Willing to try even the craziest idea at this point.

Labels
0 Kudos
1 Solution

Accepted Solutions
Graham1
Contributor
‎2024-01-18 08:47 AM
In response to Graham1
Jump to solution

So this is interesting....
I checked the management object and see that Logs> Enable Log Indexing is NOT enabled.

Every fibre in me feels like this is not right.  See screenshot.

 



View solution in original post

Preview file
12 KB
0 Kudos
7 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-18 05:01 AM
Jump to solution

Hi,

1. If you did an upgrade and your log server is not your MGMT server, please make sure to perform "Install database" operation.

2. You can stop and restart indexer to see if it solves the issue. "stopIndexer ; startIndexer ;"

3. If 1 and 2 doesn't solve the issue, look for errors in $INDEXERDIR/log/log_indexer.elg.

Kind regards, Amir Senn
0 Kudos
Graham1
Contributor
‎2024-01-18 08:15 AM
In response to Amir_Senn
Jump to solution

Thanks Amir.

1.  Log and mgmt are the same server, now and before the upgrade and server replacement.
2.  Restarting indexer was tried with support and when I do it again no resolution.
3.  I only see DNS resolution error for the log.

========================
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:Identity Awareness] will be by allowedDomainsIds from domainsIds entries
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:URL Filtering] will be by allowedDomainsIds from domainsIds entries
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:Anti-Virus] will be by allowedDomainsIds from domainsIds entries
[4108315456][18 Jan 8:12:34] POST /resolve

[4108315456][18 Jan 8:12:34] LogFields::ApplyDnsResolving ERROR field: [confidence_level] was not found, returning false.
[4108315456][18 Jan 8:12:34] LogFields::ApplyDnsResolving ERROR field: [confidence_level] was not found, returning false.
[4078959424][18 Jan 8:12:34] POST /backresolve
========================

Thanks,
Graham

0 Kudos
Graham1
Contributor
‎2024-01-18 08:47 AM
In response to Graham1
Jump to solution

So this is interesting....
I checked the management object and see that Logs> Enable Log Indexing is NOT enabled.

Every fibre in me feels like this is not right.  See screenshot.

 



Preview file
12 KB
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-01-18 06:38 PM
In response to Graham1
Jump to solution

Log indexing should be enabled to have SmartLog display logs properly.

Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-01-21 02:27 AM
In response to Graham1
Jump to solution

That solves the issue but raises another question entirely.

Did you upgrade with CPUSE package or advanced upgrade?

Is the MGMT also a GW (stand-alone)?

What are the specs of the VM?

Kind regards, Amir Senn
0 Kudos
Graham1
Contributor
‎2024-01-22 07:58 AM
In response to Amir_Senn
Jump to solution

I can confirm that since enabling log indexing, it is working as intended.

I used a cpuse package I believe by using the WebUI to upgrade.  MGMT is not a gateway.
The specs are 4 vcpus, 16GB RAM, 1TB storage.

0 Kudos
ibrown
Collaborator
‎2024-02-12 06:51 AM
In response to Graham1
Jump to solution

Just for reference, my upgraded r81.20 management server also did not have indexing set, I assume that is an upgrade 'feature'

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events