AndreasD
Contributor

Cannot view previous logs after upgrade to R81

Hello,

We have upgraded our Management servers (Management HA) and SmartEvent to R81 from R80.40.

Everything appears to be working as expected except searching the logs. When we try to display traffic from before the upgrade, nothing appears. This happens on the Managements and SmartEvent.

Any ideas or should I address this issue to TAC?

Thank you.

Andreas.

0 Kudos
1 Solution

Accepted Solutions
Yaakov_Ohayon
Employee

Hi all,

I'm Kobi Ohayon, from RnD.

The mentioned limitation is indeed true, since in R81 we changed our indexing system (SOLR). So when upgrading to R81, old indexes will not survive and a re-index will be needed.

By default, we've set the re-index to 1 day back (24 hours), but of course it can be changed to whatever number of days back you like. Please note the following:

1. If you set the days to index to 60, and then you want to extend it to 90 or 120, already indexed log files will not be re-indexed again. We will skip those files and proceed with the older ones.

2. Offline indexing consumes a lot of CPU time, and might cause log queries to temporarily be unavailable.

3. When you set the re-index for X days back, make sure the maintenance configuration will not delete those indexes right when they are created. Also make sure you have enough disk space in the /var/log partition.

 

Thanks.
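
A rough disk-space preflight for point 3 above, as an added example that is not part of the original post and is not Check Point code. The function names, the `*.log` file pattern, the log directory argument and the index-to-log size ratio are all assumptions to adapt to your own server.

```shell
#!/bin/sh
# Added example, not Check Point code. Function names are hypothetical.
# Rough preflight before raising the re-index window to N days: compare the
# size of the raw log files in that window with the free space under /var/log.

# Total bytes of *.log files in DIR modified within the last DAYS days.
# The '*.log' pattern is an assumption about how the log files are named.
logs_bytes_in_window() {
    lb_dir=$1
    lb_days=$2
    find "$lb_dir" -maxdepth 1 -type f -name '*.log' -mtime "-$lb_days" \
        -printf '%s\n' | {
        lb_total=0
        while read -r lb_size; do
            lb_total=$(( lb_total + lb_size ))
        done
        echo "$lb_total"
    }
}

# Free bytes on the filesystem that holds the given path (df -P, 1K blocks).
free_bytes() {
    fb_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    echo $(( fb_kb * 1024 ))
}

# Succeeds when the estimated index size fits in the free space.
# Arguments: log directory, days back, partition to check, ratio in percent.
# The ratio (index size as a percentage of raw log size) is an assumption;
# 100 is only a placeholder until you measure it on your own server.
reindex_fits() {
    rf_raw=$(logs_bytes_in_window "$1" "$2")
    rf_need=$(( rf_raw * ${4:-100} / 100 ))
    rf_free=$(free_bytes "$3")
    echo "days=$2 raw_logs=${rf_raw}B estimated_index=${rf_need}B free=${rf_free}B"
    [ "$rf_need" -lt "$rf_free" ]
}

# Example call:
#   reindex_fits /path/to/logs 60 /var/log 100 || echo "not enough space"
```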


13 Replies
Yifat_Chen
Employee Alumnus

Hi @AndreasD

Known limitation in R81

AndreasD
Contributor

Hi @Yifat_Chen,

Thank you for your prompt response.

So in case we would like to utilize some information from the older logs, what could we do? Is there a workaround?

For example, in Logs & Monitor, Options -> File -> Open Log File, would that count as a workaround?

Thanks.

Andreas.

0 Kudos
AndreasD
Contributor

Hi @Yifat_Chen ,

Apologies for replying without looking at the provided SK. I will have a look at it and if anything remains unclear I will reply again.

0 Kudos
AndreasD
Contributor

Hi @Yifat_Chen @the_rock

I have followed the provided SK and tried to browse to yesterday in order to view logs and it appears to be working. I have set the days to index to 60 so the process will need to run for a while.

If tomorrow for example my bosses ask me to index 90 or 120 days back, would the Management and SmartEvent try to reindex what has already been indexed?

Thank you again.

0 Kudos
the_rock
Legend

I am pretty positive the answer is yes, it would try to reindex them again, but TAC can confirm for you for sure!

the_rock
Legend

That sounds odd... I see the limitation, but I had not seen this issue with any customer who upgraded from R80.xx to R81. I even did it in my lab and no problems. I really think maybe you should open a TAC case to confirm.

0 Kudos
AndreasD
Contributor

Hello Kobi,

Just want to confirm that the above limitation has been resolved.

I am unable to find the wording in R81 known limitations.

Many thanks,

Andreas.

0 Kudos
Chris_Atkinson
Employee

Installation and Upgrade section of sk166717

Also in case it's relevant to your case see also sk175223.

CCSM R77/R80/ELITE
AndreasD
Contributor

Thanks mate.

0 Kudos
the_rock
Legend

I had a case where mgmt was upgraded to R80.10 to R80.40 and then R81 and old logs are gone, but they are still available in old tracker. What's the best way to see them in R81 smart console? I found the below sk, but we can't get it working this way.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

 

I also followed sk111766, so not sure if it takes 24 hours to see the logs?

Andy

0 Kudos
JozkoMrkvicka
Authority

If you want to see older Firewall logs, then try to view them using old-style SmartView Tracker. As long as .fwlog files are present on the management server, you can open them using SmartView Tracker.

Kind regards,
Jozko Mrkvicka
genisis__
Leader

Agreed - I've found this to be the fast way to view older logs.
