Timothy_Hall
Champion

Maestro Audit Logs - Where are they?

This may seem like a silly question, but anytime you do something major on a Maestro Orchestrator/SGM that could impact production you are asked to enter your name and a reason before giving a final confirmation. I'm on Maestro R81.10 and can't figure out where these audit logs are stored on the Orchestrators or SGMs. The documentation claims that the /var/log/command_logger.log file has them but it is always empty; show smo audit-log comes up with nothing as a result. When I try to run the asg log audit command it throws a usage error asking for a filename to read; guess it can't find them either. They are not in /var/log/messages* and they aren't supposed to be anyway according to sk172923: The /var/log/messages file does not save Maestro Gaia Clish commands. I've run exhaustive file searches in the /var partition trying to find my entered name in a far-flung log file somewhere. Nope. Not in the SmartConsole traffic or audit logs either.

OK I give up, where are these Maestro audit logs written and more importantly how can I access them?

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
7 Replies
Chris_Atkinson
Employee

Example Syntax

[Expert@HostName-ch0x-0x:0]# asg log --file audit


audit

If you specify the log type, the output shows all audit logs in the /var/log/ directory.

To specify a log file, enter its full path and name.

For example: /var/log/asgaudit.log.1


Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

Timothy_Hall
Champion

Thanks, the /var/log/asgaudit.log* file has what I am looking for on the Orchestrator.

However the asg log command seems to be broken, at least on the Orchestrator R81.10 with no Jumbo HFA:

audit.png

Still can't find any audit logs on the SGM, /var/log/asgaudit.log* does not exist and the following output is not correct as many changes requiring audit have recently been made:

[Expert@SG1-ch01-01:0]# asg log --file audit
No info to display.
[Expert@SG1-ch01-01:0]#

 

Chris_Atkinson
Employee

If you touch or create the file do you see it start to be populated?

Otherwise TAC or try updating the Jumbo would be my remaining thoughts.

0 Kudos
_Val_
Admin

@Anatoly can you please answer?

0 Kudos
the_rock
Champion

I pretty much found the same thing as @Chris_Atkinson

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

Maybe Maestro expert Lari Luoma may know.

Andy

0 Kudos
Tom_Kendrick
Employee

Just to add, I've asked internally for more info, and hopefully I will get something soon. As soon as I get the info, I'll share.

Lari_Luoma
Employee

If things don't work like documented in the Admin Guide, it's worth opening an SR with TAC to get the solution. I don't see any final answers for this so I will chase this internally a bit and comment here.


 

0 Kudos
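One way to check the two log locations named in this thread (/var/log/command_logger.log and /var/log/asgaudit.log*) for the name entered at the confirmation prompt, as an added example that is not from any poster or from Check Point's tooling. It assumes rotated copies may be gzip-compressed and makes no assumption about the log line format; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report, for each audit-log base name mentioned in the thread,
# whether the file (and any rotated copy) is missing, empty, or contains NAME.
# Assumption: rotated copies may end in .gz; NAME is matched as a fixed string.

# audit_log_report LOGDIR NAME
# Prints one line per file: "<STATUS> <path>", STATUS being
# MISSING, EMPTY, NOMATCH or MATCH:<number of matching lines>.
audit_log_report() (
    logdir=$1
    name=$2
    for base in command_logger.log asgaudit.log; do
        found=0
        # An unmatched glob stays literal and is skipped by the -e test.
        for f in "$logdir/$base" "$logdir/$base".*; do
            [ -e "$f" ] || continue
            found=1
            if [ ! -s "$f" ]; then
                # Present but zero bytes: logging is not reaching this file.
                echo "EMPTY $f"
                continue
            fi
            case $f in
                *.gz) count=$(gzip -dc -- "$f" | grep -cF -- "$name" || true) ;;
                *)    count=$(grep -cF -- "$name" "$f" || true) ;;
            esac
            if [ "$count" -gt 0 ]; then
                echo "MATCH:$count $f"
            else
                echo "NOMATCH $f"
            fi
        done
        [ "$found" -eq 1 ] || echo "MISSING $logdir/$base*"
    done
)

# Usage (run in Expert mode on each Orchestrator and SGM):
#   audit_log_report /var/log "name entered at the prompt"
```

A MISSING or EMPTY result on a member where audited changes were made is the condition to take to TAC, as the replies above suggest.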