AndreasD
Participant

Cannot view previous logs after upgrade to R81


Hello,

We have upgraded our Management servers (Management HA) and SmartEvent to R81 from R80.40.

Everything appears to be working as expected except searching the logs. When we try to display traffic from before the upgrade, nothing appears. This happens on the Managements and SmartEvent.

Any ideas or should I address this issue to TAC?

Thank you.

Andreas.


Accepted Solutions
Yaakov_Ohayon
Employee

Hi all,

I'm Kobi Ohayon, from RnD.

The mentioned limitation is indeed true, since in R81 we changed our indexing system (SOLR). So when upgrading to R81, old indexes will not survive and a re-index will be needed.

By default, we've set the re-index to 1 day back (24 hours), but of course it can be changed to whatever number of days back you like. Please note the following:

1. If you set the days to index to 60, and then you want to extend it to 90 or 120, already indexed log files will not be re-indexed again. We will skip those files and proceed with the older ones.

2. Offline indexing consumes a lot of CPU time, and might cause log queries to be temporarily unavailable.

3. When you set the re-index for X days back, make sure the maintenance configuration will not delete those indexes right when they are created. Also make sure you have enough disk space in the /var/log partition.

 

Thanks.


9 Replies
Yifat_Chen
Employee

Hi @AndreasD

Known limitation in R81


 

AndreasD
Participant

Hi @Yifat_Chen,

Thank you for your prompt response.

So in case we would like to utilize some information from the older logs, what could we do? Is there a workaround?

For example, in Logs & Monitor, Options -> File -> Open Log File, would that count as a workaround?

Thanks.

Andreas.

AndreasD
Participant

Hi @Yifat_Chen ,

Apologies for replying without looking at the provided SK. I will have a look at it and if anything remains unclear I will reply again.

AndreasD
Participant

Hi @Yifat_Chen @the_rock

I have followed the provided SK and tried to browse to yesterday in order to view logs and it appears to be working. I have set the days to index to 60 so the process will need to run for a while.

If tomorrow for example my bosses ask me to index 90 or 120 days back, would the Management and SmartEvent try to reindex what has already been indexed?

Thank you again.

the_rock
Leader

I am pretty positive the answer is yes, it would try to reindex them again, but TAC can confirm for you for sure!

the_rock
Leader

That sounds odd... I see the limitation, but I had not seen this issue with any customer who upgraded from R80.xx to R81. I even did it in my lab and had no problems. I really think maybe you should open a TAC case to confirm.


JozkoMrkvicka
Leader

If you want to see older Firewall logs, then try to view them using the old-style SmartView Tracker. As long as .fwlog files are present on the management server, you can open them using SmartView Tracker.

Kind regards,
Jozko Mrkvicka
genisis__
Advisor

Agreed - I've found this to be the fast way to view older logs.