Gateway logs on Smartlog after SMS outages
Hi,
I have network logs on my gateway from when I stopped the manager (cpstop on SMS).
In the output of my "fw log -n -p" command on the gateway, I see many connection logs in that time interval. When I search for the connections in my Smartlog after cpstart of my SMS, I could not see the same connection logs in Smartlog.
What may be the reason? Does the SMS get the logs automatically after cpstart, or should I do some manual process?
B.R.
Accepted Solutions
Hi,
Just to help here, I came across several 'issues' in R77.30 where once the logging stopped to a log server, it never restarted by itself.
The only way we found was to create a dummy object in the policy, add that as the log server, push policy, then put back the original log server object, push policy again.
This was the only foolproof method we found.
However, if you want to configure gateways to send any locally collected logs to the SMS/MDS once the connection is back up, you need to go under Logs > Additional Logging on the gateway or cluster object and configure Forward Logs to Log Server and specify a time interval (midnight). This may be different in R80 but certainly worked in R77.30.
Thanks
Peter
When SMS is unavailable, GWs switch to local logging. But you can manually copy the missing logs to the SMS, rebuild the index and all should be fine. Please check the document SMB security log files I wrote some time ago for details!
If I do not do this manual process, all logs will be kept on the gateway. If I lose the gw, I will lose the logs also. I think it should be an automatic process as soon as SMS comes back online.
You need to push policy and after that gateway will start logging to SMS (in case 257/tcp port is reachable towards SMS and SMS is fully cpstarted).
Jozko Mrkvicka
Where did you get that information from? There are some cases when policy install is necessary, but here, a cprestart on SMS will do the job. AFAIK GW will connect again to the SMS when logging port 257 is open again for receiving...
The logic may be changed within R80.x, but as we are still using R77.30 (MDS / GW), it was observed like I described.
We are using 2 dedicated logservers, and in case 1 of them went down, the gateways will start logging locally no matter if the logserver went up again in a few minutes. We had to push the policy, or remove the logserver which was down and push the policy to start logging only to one logserver. We will do maintenance on 1 logserver soon, so I can verify that behaviour again.
Jozko Mrkvicka
Hi Peter,
Thank you for your reply.
As I understood, it is a scheduled (at midnight) process; the gw does not send the logs as soon as the SMS gets online. Am I right? Then, is there a way to make it work that way?
BR
Hi,
You can create a schedule object for whatever time you like.
Thanks
Peter
I have scheduled as 3 minutes. It works. Thanks. Now the smartlog shows the outage logs and removes them from the gw.
There is a log file switch performed by default at midnight. Any other log file switches are additional.
If the log file reaches 2GB in size, then it will be switched automatically.
Jozko Mrkvicka
I see - so what I said is only true for GW sending directly to SMS only (in that deployment, logging changed to SMS again).