Check which gateways are logging

Ryan_Ryan · ‎2020-12-15

Hi,

I have noticed some of my gateways don't appear to be logging traffic, This am am certain was working for all gateways previously. We have 45 gateway son the management server so I would ideally like a command I can run on the log sever to see which are established so I can work through backwards.

we have 24 cloudguard gateways in hypervisor mode and it seems to be some of them that aren't working, So I cannot easily tell which ones aren't not logging, but I just know when I should be seeing traffic and I am not. The log server has plenty of disk space.

thanks

PhoneBoy · ‎2020-12-15

netstat -an should show active TCP connections with gateways that are logging.

Ryan_Ryan · ‎2020-12-15

I did some further testing and found a specific gateway that is not logging, I have an snmp alarm on that device: A "chkpntTrapOverallLSConnState" event has occurred, from CheckpointFirewall device, Security Gateway is unable to report logs to any log server fwLocalLoggingDesc = Writing logs locally due to connectivity problems fwLocalLoggingStat = 2

I can ping the log server from this gateway, and the fw.log file is not increasing either, just did an install database on the all the management servers, and a cpstart on the gateway really weird. Ive run through sk40090 without any luck either. Looks like I have 3 gateways that all stopped logging at the exact same time. netstat -an doesn't show a connection to log server

PhoneBoy · ‎2020-12-15

Don’t know that you need to delete logtrack but restarting fwd can’t hurt.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Ryan_Ryan · ‎2020-12-16

Yes I think you are right, does restarting FWD have any service impact?

I saw this in the logs which looks very similar to sk118936

-[17 Dec 15:55:49] connect_to_local_server: connected to local server successfuly
-[17 Dec 15:55:49] ....<-- connect_to_local_server
-[17 Dec 15:55:49] ...<-- connect_to_server
-[17 Dec 15:55:49] create_default_log: connected to default log server
-[17 Dec 15:55:49] ...--> disconnect_from_server
-[17 Dec 15:55:49] disconnect_from_server: default still backups other servers, don't disconnect
-[17 Dec 15:55:49] ...<-- disconnect_from_server
-[17 Dec 15:55:49] create_default_log: disconnected from default log server
-[17 Dec 15:55:49] ..<-- create_default_log
-[17 Dec 15:55:49] .<-- logbuf_write
-[17 Dec 15:55:49] .--> log_has_connected_server
-[17 Dec 15:55:49] .<-- log_has_connected_server
-[17 Dec 15:55:49] log_add_e__logclient: writes logs to local disk because overflow
-[17 Dec 15:55:49] log_add_e__logclient: 192.168.10.10 - no log is sent now
-[17 Dec 15:55:49] log_add_e__logclient: waiting for connecting callback (log_connected) to be read
-[17 Dec 15:55:49] log_add_e__logclient: Write locally ! log record number = 5342
-[17 Dec 15:55:49] .--> log_local_write
-[17 Dec 15:55:49] .<-- log_local_write
-[17 Dec 15:55:49] <-- log_add_e__logclient

PhoneBoy · ‎2020-12-16

I don’t believe so but the sk suggests doing during a maintenance window.

Ryan_Ryan · ‎2020-12-17

found another solution, removing the log server from the gateway, push policy and add it back has got he log connection back up and working now.

Are you a member of CheckMates?

Check which gateways are logging