Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Cihat_Bulut
Contributor
Contributor
Jump to solution

Gateway logs on Smartlog after SMS outages

Hi,

I have network logs on my gateway when I have stopped the manager (cpstop on SMS)

On the output of my "fw log -n - p" command on gateway, I see many connection logs on that time interval. When I search the connections on my Smartlog after cpstrat of my SMS, I could not see the same connection logs on the Smartlog.

What may be the reason? Does SMS gets the logs automatically after cpstart or that I should do some manuel process?

B.R.

1 Solution

Accepted Solutions
Peter_Lyndley
Advisor
Advisor

hi,

Just to help here, I came across several 'issues' in R77.30 where once the logging stopped to a log server , it never restarted by itself.

Only way we found was to create a dummy object in the policy, add that as the log server, push policy, then put back the original log server object, push policy again.

This was the only foolproof method we found.

However If you want to configure gateways to send any locally collected logs to the SMS/MDS once the connection is back up, you need to go under Logs > Additional Logging on the gateway or cluster object and configure Forward Logs to Log Server and specify a time interval (midnight). This may be different in R80 but certainly worked in r77.30.

thanks

Peter

View solution in original post

12 Replies
G_W_Albrecht
Legend Legend
Legend

When SMS is unavailable, GWs switch to local logging. But you can manually copy the missing logs to the SMS, rebuild the index and all should be fine. Please check the document SMB security log files i wrote some time ago for details !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Cihat_Bulut
Contributor
Contributor

If I do not do this manuel process, all logs will be kept in the gateway. If I lost the gw, I will lost the logs also. I think it should be an automatic process as soon as SMS comes back online.

JozkoMrkvicka
Authority
Authority

You need to push policy and after that gateway will start logging to SMS (in case 257/tcp port is reachable towards SMS and SMS is fully cpstarted).

Kind regards,
Jozko Mrkvicka
G_W_Albrecht
Legend Legend
Legend

Where did you get that information from ? There are some cases when policy install is necessary, but here, a cprestart on SMS will do the job. Afaik GW will connect again to the SMS when logging port 257 is open again for receiving...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JozkoMrkvicka
Authority
Authority

The logic may be changed within R80.x, but as we are still using R77.30 (MDS / GW), it was observed like I described.

We are using 2 dedicated logservers, and in case 1 of them went down, the gateways will start logging locally no matter if logserver went up again in few minutes. We had to push the policy, or remove logserver which was down and push the policy to start logging only to one logserver. We will do maintenance on 1 logserver soon, so I can verify that behaviour again.

Kind regards,
Jozko Mrkvicka
Peter_Lyndley
Advisor
Advisor

hi,

Just to help here, I came across several 'issues' in R77.30 where once the logging stopped to a log server , it never restarted by itself.

Only way we found was to create a dummy object in the policy, add that as the log server, push policy, then put back the original log server object, push policy again.

This was the only foolproof method we found.

However If you want to configure gateways to send any locally collected logs to the SMS/MDS once the connection is back up, you need to go under Logs > Additional Logging on the gateway or cluster object and configure Forward Logs to Log Server and specify a time interval (midnight). This may be different in R80 but certainly worked in r77.30.

thanks

Peter

Cihat_Bulut
Contributor
Contributor

Hi Peter,

Thank you for your reply. 

As I understood, it is a scheduled (at midnight) process, gw does not send the logs as soon as the sms gets online. Am I right? Then, Is there a way to make it in that way?

BR

Peter_Lyndley
Advisor
Advisor

Hi ,

You can create a schedule object for whatever time you like

Thanks

Peter

Cihat_Bulut
Contributor
Contributor

I have scheduled as 3 minutes. It works. Thanks. Now the smartlog shows the outage logs and removes them from the gw. 

G_W_Albrecht
Legend Legend
Legend

There is a log file switch performed by default at midnight. Any other log file switches are additional.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JozkoMrkvicka
Authority
Authority

If log file reached 2GB in size, then will be switched automatically.

Kind regards,
Jozko Mrkvicka
G_W_Albrecht
Legend Legend
Legend

I see - so what i said is only true for GW sending directly to SMS only (in that deployment, logging changed to SMS again).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events