This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2019-10-31 03:58 AM

Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

This might be already answered somewhere but I didn't seem to find it.

Back in the day when we "migrate" upgraded (having two servers - old and new) our MDS from R77.30 to R80, I was able to copy audit logs manually from old R77.30 VM to R80 appropriate directories and they got indexed and displayed in SmartLog without any issues

I'm talking about *.adtlog* logs, more explicitly

/var/log/mds_logs/*/log/*adtlog*

Last weekend we upgraded from R80.10 to R80.20 using migration option (basically to whole new VM) and I did the ususal - copied audit logs over manually but they don't seem to get indexed and showed in SmartLog.

Has anyone else come across this or have a good suggestion?

We did upgrade export without logs as they are way too big.

 

3 Replies
PhoneBoy
Admin
Admin
‎2019-11-03 01:10 AM

I'm guessing they, like the other logs, are indexed.
Did you import your other logs and do the usual steps to reindex?
JozkoMrkvicka
Authority
Authority
‎2019-11-03 01:59 AM
In response to PhoneBoy

It is possible to have ONLY audit logs exported?
Are audit logs included in the exported package if -l parameter was used ?

Maybe to add a new parameter for migrate export tool, like -al parameter which will export only audit logs, without traffic logs.

Kind regards,
Jozko Mrkvicka
Kaspars_Zibarts
Employee Employee
Employee
‎2019-11-05 02:09 AM
In response to JozkoMrkvicka

As I suspected indexing import has changed as of R80.20:

Starting from R80.20, only 1 day is indexed by default (fw.log only)

If you need older logs follow SK below, worked like a charm for us

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

And yes, you can copy *adtlog* only if you wanted to 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top