Kaspars_Zibarts
Authority

Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

This might be already answered somewhere but I didn't seem to find it.

Back in the day when we "migrate" upgraded (having two servers - old and new) our MDS from R77.30 to R80, I was able to copy audit logs manually from the old R77.30 VM to the appropriate R80 directories and they got indexed and displayed in SmartLog without any issues.

I'm talking about *.adtlog* logs, more explicitly:

/var/log/mds_logs/*/log/*adtlog*

Last weekend we upgraded from R80.10 to R80.20 using the migration option (basically to a whole new VM) and I did the usual - copied audit logs over manually, but they don't seem to get indexed and shown in SmartLog.

Has anyone else come across this or have a good suggestion?

We did upgrade export without logs as they are way too big.

 

3 Replies
PhoneBoy
Admin

I'm guessing they, like the other logs, are indexed.
Did you import your other logs and do the usual steps to reindex?
JozkoMrkvicka
Leader

Is it possible to have ONLY audit logs exported?
Are audit logs included in the exported package if the -l parameter was used?

Maybe add a new parameter to the migrate export tool, like an -al parameter, which would export only audit logs, without traffic logs.

Kind regards,
Jozko Mrkvicka
Kaspars_Zibarts
Authority

As I suspected, indexing on import has changed as of R80.20:

Starting from R80.20, only 1 day is indexed by default (fw.log only).

If you need older logs, follow the SK below; it worked like a charm for us.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

And yes, you can copy *adtlog* only if you wanted to 🙂