Hi,
From time to time (twice every month on avg), our management appliance doesn't receive any logs from our gateways.
We have 40+ gateways managed by our management appliance. The only solution we found so far was to reboot the management, and after that, it starts to receive logs again.
Do you know the troubleshooting steps we could use to find out what's wrong next time it happens?
Management has recently been upgraded to R81, most of our gateways are either SMB or R80.30.
Thanks in advance.
Regards,
Antoine
The fwd process handles receiving the logs from all your gateways on TCP/257 and writing them to disk. If that process experiences difficulty, logs can stop. Check the $FWDIR/log/fwd.elg file on the SMS for clues about what is wrong when the logs halt; you don't necessarily need to enable a debug on fwd to see useful logs in this file. In future if this happens again you don't need to reboot the entire SMS, just kill the fwd process on the SMS, which will be restarted within 60 seconds by the Check Point Watchdog Daemon (cpwd). Unfortunately I've had to do this many times over the years to get logs moving again.
The cpstat -f log_server mg command is quite handy for getting a real-time look at which gateways are connected to the SMS's log server via TCP/257 and the log receive rate.
There are quite a few SKs about how to troubleshoot this, but this is probably the best one: sk38848: Practical troubleshooting steps for logging issues
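As an added example (not part of the original posts and not Check Point tooling): with 40+ gateways, it helps to know which ones have no established session to the log server port when logs stop. The bash functions below read `netstat -tn` style output and list the expected gateways without an ESTABLISHED connection to TCP/257; the function names, gateway IPs and sample netstat text are constructed assumptions, and IPv4 addressing is assumed.

```shell
#!/bin/bash
# Added example: find expected gateways with no ESTABLISHED TCP/257 session.
# On a live SMS the input would be:  netstat -tn | missing_log_senders <gateway IPs>

LOG_PORT=257   # log transfer port named in the thread

# Constructed sample of `netstat -tn` output (addresses are documentation ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 10.0.0.5:257       192.0.2.11:41822     ESTABLISHED
tcp        0      0 10.0.0.5:257       192.0.2.13:50110     TIME_WAIT
tcp        0      0 10.0.0.5:443       192.0.2.12:39001     ESTABLISHED
tcp        0      0 10.0.0.5:22        198.51.100.7:60222   ESTABLISHED
EOF
}

# Read netstat text on stdin; print unique remote IPs that hold an
# ESTABLISHED connection to local port $LOG_PORT.
connected_log_peers() {
    awk -v port="$LOG_PORT" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":")            # last element is the local port
            if (l[n] == port) {
                sub(/:[0-9]+$/, "", $5)      # strip the remote port
                print $5
            }
        }' | sort -u
}

# Arguments: expected gateway IPs. Stdin: netstat text.
# Prints every expected gateway that has no established log session.
missing_log_senders() {
    peers=$(connected_log_peers)
    for gw in "$@"; do
        printf '%s\n' "$peers" | grep -qxF "$gw" || printf '%s\n' "$gw"
    done
}

# Demo on the constructed sample: .12 is connected only on another port,
# .13 is in TIME_WAIT, so both are reported as missing.
sample_netstat | missing_log_senders 192.0.2.11 192.0.2.12 192.0.2.13
```

If every gateway is reported missing at once, the problem is more likely on the SMS side (the fwd process) than on individual gateways.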
Thanks, I'll check that the next time we face the issue. Quite relieved to see I'm not the only one who faces that issue.
Actually, there is an old CP "trick" used for this that works every single time. So, in essence, here is what you do:
- Create a new CP host from the objects menu (NOT an actual basic regular host, but a CP host that would let you enable logging etc.)
- Once you see a window to set it up, ONLY enable logging and put in the same IP address as your management server and simply save it, that's it, install the database
- Once done, change logging on your firewall objects to log to that new host and push policy
- What this does is simply "reset" the logging mechanism, and if that works (which I'm positive it will), leave it like that for a few days and then change back to regular management after (you can still keep that new host in there, it won't hurt)
I have seen this work every single time for the last 10 years. If you want me to show you, message me privately, happy to give you an example of it via remote session.
Cheers!