Hi everyone,
My customer's MDS suddenly started losing logs some months ago. It was a problem related to disk space: it seems the MDS didn't delete old logs, and when the disk was full, it started to lose the current logs. We opened a TAC case, and for solving the problem in some way, customer created a script for maintaining the disk space low and not losing logs. Yesterday, the customer told me the MDS suddenly started to work fine again regarding the logs, the disk usage was reduced, and indexing started to work fine again. We don't know the reason yet. But, apart from the root problem, how can I verify that logs and log indexing are working fine? What files do I have to check? Sorry, but I am kind of a newbie in Check Point.
Regards,
Julián
I am getting triggered by this:
"customer created a script for maintaining the disk space low and not losing logs."
What is this script and why? The system should automatically cleanup old logs if configured correctly.
I would recommend moving away from this customer script and checking the settings here:
SmartConsole -> Relevant SmartCenter mgmt object -> Logs -> Local Storage
The Doctor Log script mentioned here might be useful: https://support.checkpoint.com/results/sk/sk181782
Hi guys,
The problem is not easy. As said, I opened a case with TAC and they didn’t find the root cause. They created a fix and it didn’t work, so my customer had to find a temporary solution. TAC continues investigating. But as said, I didn’t open this thread to investigate the root cause of the issue, because first, TAC is on it (I hope), and second, the customer told me it is solved (suddenly it appeared, and suddenly it disappeared). Then, apart from the root problem, do you know how I can verify that logs and log indexing are working fine right now? What files do I have to check? I have no idea. Please help.
Regards,
Julian
Check $INDEXERDIR/log/log_indexer.elg
Review the output of "cpstat fw -f log_connection" on the Security Gateway
Review the output of "cpstat ls -f logging" on the Log Server
Is the active firewall log file fw.log growing on the Security Gateway?
On Gaia / SecurePlatform / Linux:
# watch -d -n 2 "ls -l $FWDIR/log/fw.log"
Is the Security Management Server listening on TCP port 257?
On Gaia / SecurePlatform / Linux / IPSO OS:
# netstat -anp | grep ":257"
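Added example, not part of any post in this thread: scriptable forms of the fw.log growth check and the port 257 check from the reply above. The function names and the netstat sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): scriptable forms of two checks above.

# listening_on_port PORT
# Reads `netstat -anp` output on stdin. Succeeds only when a TCP socket in
# LISTEN state is bound to exactly PORT; a plain grep ":257" would also match
# ":2570" or an established connection to a remote port 257.
listening_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($4, part, ":")   # last piece of Local Address is the port
            if (part[n] == port && $6 == "LISTEN") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# file_is_growing PATH SECONDS
# Non-interactive stand-in for watching `ls -l`: compare the size twice.
# Returns 0 if the file grew, 1 if it did not, 2 if it cannot be read.
file_is_growing() {
    [ -r "$1" ] || return 2
    before=$(( $(wc -c < "$1") ))
    sleep "$2"
    after=$(( $(wc -c < "$1") ))
    [ "$after" -gt "$before" ]
}

# Constructed netstat lines (addresses, PIDs and program names are made up).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:2570      0.0.0.0:*         LISTEN      4411/example
tcp        0      0 10.0.0.5:40112    10.0.0.9:257      ESTABLISHED 5120/example
tcp        0      0 0.0.0.0:257       0.0.0.0:*         LISTEN      5120/example
EOF
}

if sample_netstat | listening_on_port 257; then
    echo "port 257: listener present"
else
    echo "port 257: no listener"
fi
```

On a live system the same functions would be called as `netstat -anp | listening_on_port 257` on the management server and `file_is_growing "$FWDIR/log/fw.log" 10` on the gateway; a gateway that is not passing traffic will legitimately report no growth.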
Hi,
Many thanks, I will try tomorrow.
Regards,
Julian
The Doctor Log script outputs diagnostic information that should help you determine this.
At a high level, the script returns the following:
*** Diagnostics Results ***
System Status : OK
Changes in Config Files : OK
MGMT version : OK
Registry file Corruptions : OK
Load Average : OK
Check Processes : Error
Inconsistencies Detector : OK
Connections Config : OK
GW's and Log Clients : OK
Problems in Debug Log Files : OK
Rfl/Solr Memory Report : OK
Verify FetchedFiles : OK
Maintenance Configuration : OK
Smart View Status : Warning
SmartView performance : OK
Topology View : OK
Abnormal Long Requests : OK
RFL Status Query : OK
Current Logging Rates : OK
Daily Average Logging Rates : OK
Sizing status : OK
Detects Indexing Delay : OK
Top Consuming Processes : OK
dbsync status : OK
It will show some additional information, including logging rates, top consuming processes, and issues found, as shown below.
In this case, it's a standalone gateway running R81.20 and not passing traffic (thus the warning about log rates) 🙂
Issues Found:
----------------------------
System Info:
Attention : Some of the server's jars are from different versions
Registry file Corruptions:
Possible fix : Please refer to: sk168472
Check Processes:
ERROR : RFL_SOLR_MAX_HEAP is smaller then RFL_SOLR_MIN_HEAP. 'D_SOLR' process will fail to start.
Possible fix : Please refer to: sk172385
Smart View Status:
WARNING : Found no data in the file: [smartview] from the last 1 hours
Check the debug logging level of smartview
If debug level is correct this could indicate that the process is stuck
Current Logging Rates:
Hint : Indexed mode is disabled (non-indexed mode)
Summary:
Found 1 Errors, 1 Warnings in this running configuration.
Detailed report and more can be found under /tmp/sme-diag/results
*** Diagnostic Completed ***
Hi,
Many thanks. I remember TAC requested this script output from me when I opened the case. I will run it again tomorrow. No impact, right?
Regards,
Julian
There is no impact on running doctor log.
Remember to run on Management Server
The sk Phoneboy gave is super useful.
Andy
Hi,
I ran the doctor-log script and there are still many errors related to logs and log indexing... so it is better to continue investigating the root cause of the issue.
Regards,
Julián
Can you post those errors here?
Andy
Hi,
What exactly? There are many errors. I tried attaching the doctor_log_report.html and doctor_log.tar.gz files, and both extensions are not supported here.
Regards,
Julián
If you message me directly, we can connect offline. I would love to have a look at the file and see if I can help further.
Andy
$INDEXERDIR/log/log_indexer.elg logs the indexing status and if there are errors you could see them in there.
However your customer might have gone too far with their custom script.
Since the Doctor Log reported issues, your best approach is to continue with TAC.
Not solving the issues, but the file "$RTDIR/log_indexer/data/FetchedFiles" keeps track of which parts of the log files are indexed.
The numbers at the end tell you how many logs were indexed. If I remember correctly, if it ends with 3 it means it has finished indexing the file.
Example: 2 9 127.0.0.1 21 2024-09-06_235900.log 1725570000 1 5819 0 0 3
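Added example, not part of any post in this thread: a small reader for FetchedFiles-style records that lists log files whose last field is not 3. It relies only on the recollection in the post above that a trailing 3 means the file is fully indexed; no other field is interpreted, and the second sample record is constructed.

```bash
#!/bin/sh
# Added example (not from the thread): summarize FetchedFiles-style records.
# Assumption taken from the post above: the last field is a state code and
# 3 means the file is fully indexed. No other field is interpreted.

# pending_files: reads records on stdin and prints "<log file> <last field>"
# for every record whose last field is not 3.
pending_files() {
    awk '
        NF == 0 { next }
        {
            name = "(no .log field)"
            for (i = 1; i <= NF; i++) if ($i ~ /\.log$/) { name = $i; break }
            if ($NF != 3) print name, $NF
        }'
}

# index_summary: reads the same records, prints "total=N finished=M pending=K".
index_summary() {
    awk '
        NF == 0 { next }
        { total++; if ($NF == 3) fin++ }
        END { printf "total=%d finished=%d pending=%d\n", total, fin, total - fin }'
}

# First record is the one quoted in the post; the second is constructed,
# with a last field of 1 standing in for "anything other than 3".
sample_records() {
    cat <<'EOF'
2 9 127.0.0.1 21 2024-09-06_235900.log 1725570000 1 5819 0 0 3
2 9 127.0.0.1 22 2024-09-07_235900.log 1725656400 1 1200 0 0 1
EOF
}

# Use the real file when it is readable, otherwise the sample above.
src="${RTDIR:-/nonexistent}/log_indexer/data/FetchedFiles"
if [ -r "$src" ]; then
    index_summary < "$src"
    pending_files < "$src"
else
    sample_records | index_summary
    sample_records | pending_files
fi
```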