This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AndreasD
Contributor
‎2021-05-06 07:48 AM
Jump to solution

Cannot view previous logs after upgrade to R81

Hello,

We have upgraded our Management servers (Management HA) and SmartEvent to R81 from R80.40.

Everything appears to be working as expected except searching the logs. When we try to display traffic from before the upgrade, nothing appears. This happens on the Managements and SmartEvent.

Any ideas or should I address this issue to TAC?

Thank you.

Andreas.

0 Kudos
1 Solution

Accepted Solutions
Yaakov_Ohayon
Employee
Employee
‎2021-05-09 12:17 AM
In response to the_rock
Jump to solution

Hi all,

I'm Kobi Ohayon, from RnD.

The mentioned limitation is indeed true, since in R81 we changed our indexing system (SOLR). So when upgrading to R81, old indexes will not survive and a re-index will be needed.

As a default, we've set the re-index to 1 days back (24 hours), but of course it can be changed to whatever number of days back you like. Please notice the following:

1. If you set the day to index to 60, and then you want to extend it to 90 or 120, already indexed log files will not be re-indexed again. We will skip those files and proceed with the older ones.

2. Offline indexing consumes a lot of CPU time, and might cause log queries to temporarily be unavailable.

3. When you set the re-index for X days back, make sure the maintenance configuration will not delete those indexes right when they created. And also make sure you have enough disk space in /var/log partition.

 

Thanks.

View solution in original post

13 Replies
Yifat_Chen
Employee Alumnus
Employee Alumnus
‎2021-05-06 08:21 AM
Jump to solution

HI @AndreasD  

Known limitation in R81

Yifat_Chen_0-1620314417583.png

 

AndreasD
Contributor
‎2021-05-06 08:55 AM
In response to Yifat_Chen
Jump to solution

Hi @Yifat_Chen,

Thank you for your prompt response.

So in case we would like to utilize some information from the older logs, what could we do? Is there a workaround?

For example, in Logs & Monitor, Options -> File -> Open Log File, would that count as a workaround?

Thanks.

Andreas.

0 Kudos
AndreasD
Contributor
‎2021-05-06 08:58 AM
In response to Yifat_Chen
Jump to solution

Hi @Yifat_Chen ,

Apologies for replying without looking at the provided SK. I will have a look at it and if anything remains unclear I will reply again.

0 Kudos
AndreasD
Contributor
‎2021-05-06 10:32 AM
In response to Yifat_Chen
Jump to solution

hi@Yifat_Chen @the_rock 

I have followed the provided SK and tried to browse to yesterday in order to view logs and it appears to be working. I have set the days to index to 60 so the process will need to run for a while.

If tomorrow for example my bosses ask me to index 90 or 120 days back, would the Management and SmartEvent try to reindex what has already been indexed?

Thank you again.

0 Kudos
the_rock
Legend
Legend
‎2021-05-06 11:36 AM
In response to AndreasD
Jump to solution

I am pretty positive answer is yes, it would try to reindex them again, but TAC can confirm for you for sure!

the_rock
Legend
Legend
‎2021-05-06 09:31 AM
Jump to solution

That sounds odd...I see the limitation, but I had not seen this issue with any customer who upgraded from R80.xx to R81. I even did it it in my lab and no problems. I really think maybe you should open TAC case to confirm.

0 Kudos
Yaakov_Ohayon
Employee
Employee
‎2021-05-09 12:17 AM
In response to the_rock
Jump to solution

Hi all,

I'm Kobi Ohayon, from RnD.

The mentioned limitation is indeed true, since in R81 we changed our indexing system (SOLR). So when upgrading to R81, old indexes will not survive and a re-index will be needed.

As a default, we've set the re-index to 1 days back (24 hours), but of course it can be changed to whatever number of days back you like. Please notice the following:

1. If you set the day to index to 60, and then you want to extend it to 90 or 120, already indexed log files will not be re-indexed again. We will skip those files and proceed with the older ones.

2. Offline indexing consumes a lot of CPU time, and might cause log queries to temporarily be unavailable.

3. When you set the re-index for X days back, make sure the maintenance configuration will not delete those indexes right when they created. And also make sure you have enough disk space in /var/log partition.

 

Thanks.

AndreasD
Contributor
‎2021-12-01 02:57 AM
In response to Yaakov_Ohayon
Jump to solution

Hello Kobi,

Just want to confirm that the above limitation has been resolved.

I am unable to find the wording in R81 known limitations.

Many thanks,

Andreas.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-12-01 03:26 AM
In response to AndreasD
Jump to solution

Installation and Upgrade section of sk166717

Also in case it's relevant to your case see also sk175223.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2021-12-14 08:33 AM
In response to Yaakov_Ohayon
Jump to solution

I had a case where mgmt was upgraded to R80.10 to R80.40 and then R81 and old logs are gone, but they are still available in old tracker. Whats best way to see them in R81 smart console? I found below sk, but we cant get it working this way.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

 

I also followed sk111766, so not sure if it takes 24 hours to see the logs?

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2021-05-09 01:02 AM
Jump to solution

If you want to see older Firewall logs, then try to view them using old-style SmartView Tracker. As far as .fwlog files are present on the management server, you can open them using SmartView Tracker.

Kind regards,
Jozko Mrkvicka
genisis__
Mentor Mentor
Mentor
‎2021-05-09 02:19 AM
In response to JozkoMrkvicka
Jump to solution

Agreed - I've found this to be the fast way to view older logs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top