Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Champion
Champion

Maestro Audit Logs - Where are they?

This may seem like a silly question, but anytime you do something major on a Maestro Orchestrator/SGM that could impact production you are asked to enter your name and a reason before giving a final confirmation.  I'm on Maestro R81.10 and can't figure out where these audit logs are stored on the Orchestrators or SGMs.  The documentation claims that the /var/log/command_logger.log file has them but it is always empty; show smo audit-log comes up with nothing as a result.  When I try to run the asg log audit command if throws a usage error asking for a filename to read; guess it can't find them either.  They are not in /var/log/messages* and they aren't supposed to be anyway according to sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands.  I've run exhaustive file searches in the /var partition trying to find my entered name in a far-flung log file somewhere.  Nope.  Not in the SmartConsole traffic or audit logs either.

OK I give up, where are these Maestro audit logs written and more importantly how can I access them?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee

Example Syntax

[Expert@HostName-ch0x-0x:0]# asg log --file audit


audit

If you specify the log type, the output shows all audit logs in the /var/log/ directory.

To specify a log file, enter its full path and name.

For example: /var/log/asgaudit.log.1


Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

CCSM R77/R80/ELITE
Timothy_Hall
Champion
Champion

Thanks, the /var/log/asgaudit.log* file has what I am looking for on the Orchestrator.

However the asg log command seems to be broken, at least on the Orchestrator R81.10 with no Jumbo HFA:

audit.png

Still can't find any audit logs on the SGM, /var/log/asgaudit.log* does not exist and the following output is not correct as many changes requiring audit have recently been made:

[Expert@SG1-ch01-01:0]# asg log --file audit
No info to display.
[Expert@SG1-ch01-01:0]#

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Chris_Atkinson
Employee Employee
Employee

If you touch or create the file do you see it start to be populated?

Otherwise TAC or try updating the Jumbo would be my remaining thoughts.

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin

@Anatoly can you please answer?

0 Kudos
the_rock
Legend
Legend

I pretty much found same thing as @Chris_Atkinson 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

Maybe Maestro expert Lari Luoma may know.

Andy

0 Kudos
Tom_Kendrick
Employee
Employee

Just to add, I've asked internally for more info, and hopefully I will get something soon. As soon as I get the info, I'll share.

Lari_Luoma
Ambassador Ambassador
Ambassador

If things don't work like documented in the Admin Guide, it's worth opening an SR with TAC to get the solution. I don't see any final answers for this so I will chase this internally a bit and comment here.