This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ants
Contributor
‎2019-10-16 11:48 PM

FW logs shows in tracker but not in smartconsole logs

Hi All,

Weird scenario atm.. we have a management server (with log server) running R80.30 with 4 clusters sending logs to it al working as expected..

We added a new cluster (80.10) recently but for some weird reason I cannot see logs in the smartconsole..

I can confirm logs are being sent correctly to the sms..

If I open the console, go to 'logs & monitor', select 'new tab' and select logs and log view.. I see all the other FWs logs.. but no logs from the new cluster..

now here's the kicker..

- the new cluster's logs are showing in the tracker fine.. along with al the other FWs..

- also I can see the new cluster's logs in smartconsole only if I go to logs, select 'options', 'file' and then choose to 'open log file' and select the 'fw.log' - then i can see them.

It is just when you open the default log tab none of the logs shows.. which is using the fw.log file also.

so its only if I manually select to open the fw.log file that I can see the logs.. if that makes sense.

Could this be a bug perhaps? or maybe need to reindex?

 

any ideas?

thanks in advance.

 

0 Kudos
8 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-17 06:09 AM

I've seen this before, try performing an "Install Database" operation which should refresh the indexer.  If that doesn't work restart the indexer with the evstop ; evstart command.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Ants
Contributor
‎2019-10-17 08:05 AM
In response to Timothy_Hall

Thanks.. but have done that already.. and even rebooted management log server.. no luck 😞

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-17 09:13 AM
In response to Ants

Hmm, from the SmartConsole Logs & Monitor screen open a brand new empty logging tab, then in the lower-left corner click SmartEvent Policies and Settings.  From the new SmartEvent GUI that appears reinstall the Event Policy, then click the "System Status" hyperlink in the lower-right corner.  Any log server errors being reported?

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Ants
Contributor
‎2019-10-18 06:59 AM
In response to Timothy_Hall

Checked... everything is green and sync'd... so no errors etc.

I have logged a call with CP also.. will see if they can pick anything up on it.

regards

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-18 08:38 AM
In response to Ants

OK great, please post a follow-up to this thread when the solution is found.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2019-10-30 08:32 AM
In response to Timothy_Hall

Tracker & Open Log-File via Options button are basically the same, using the Non-Index mode I/S to query the log-file directly.

the Logs view uses the log-Indexing I/S (aka SmartLog) to show the logs, so your issue seems to be there.

Indeed very strange, as existing Clusters work.

 

Let's verify this new GW/Cluster's time is synced.

and try querying for its origin specifically, like orig:<New_CtrGW_Name>.

 

 

 

0 Kudos
kaanyenilmez
Participant
‎2020-01-08 10:37 PM

Hello,


We had exactly the same problem before.

This happened after we changed the Management's IP address. Once we reverted back to the old IP address it worked as expected.

0 Kudos
_Val_
Admin
Admin
‎2020-01-09 05:04 AM

After adding a new GW object or changing IP addresses of your GWs and/or management servers, Install Database action is required to be performed on all log servers to show new / modified objects correctly.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events