This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Hoff
Contributor
‎2018-01-19 02:39 PM
Jump to solution

Issue with SmartEvent after re-IP of SMS

I recently upgraded and migrated an SMS server from R77.20 to R77.30. At the same time I migrated the server to a new DC and gave it a new IP address (used Migrate Export/Import - built new R77.30 GAIA instance before import). I have a SmartEvent Server that I also upgraded from R77.20 to R77.30 (in-place). When I connect to the SmartEvent server, it shows the status as ok and the object sync as ok, but the events received in the last minute sits at 0. If I go to the Correlation Unit and view the log server, the IP address associated with the SMS server is the old IP address. I have tried clearing the db and initiating a new sync based on SK119072 and another SK that seems to be eluding me at the moment. 

Anyone ever run into this type of an issue? Any ideas would be much appreciated. 

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2018-01-26 12:17 PM
In response to Chris_Hoff
Jump to solution

Chris, these are the notes from one of my previous migrations that may be useful:

To export the database:
-------------------------------
On R70.20 and above:

Collect EVA backup:

[Expert@HostName]# $RTDIR/bin/eva_db_backup.csh -filename /path_to/Name_of_EVA_Backup_File events_db

Store the EVA backup file together with the Check Point infrastructure backup file from Step 2 above.

For example, use TAR:

[Expert@HostName]# tar cvf CP_Backup_And_EVS_Backup.tar /path_to/CP_Backup_File.tgz /path_to/EVA_Backup_File.tgz


Collect the SmartEvent database / SmartReporter database information on the source server for verification:

[Expert@HostName]# cpstat cpsemd

Transfer the collected exported files from the source server to your target server (which has to be already fully installed and configured).
---------------------------
To Import Database:

On R70.20 and above:

Stop the SmartEvent / SmartReporter services:

[Expert@HostName]# evstop

Restore the events database:

[Expert@HostName]# $RTDIR/bin/eva_db_restore.csh -filename /path_to/Name_of_EVA_Backup_File.tgz events_db

Check the $RTDIR/conf/eventia_upgrade.C file:

[Expert@HostName]# less $RTDIR/conf/eventia_upgrade.C

If the values of the attribute 'online_status' and attribute 'background_status' are 'DONE', then delete this 'DONE' value using the Vi editor.

[Expert@HostName]# vi $RTDIR/conf/eventia_upgrade.C

Modify from
online_status (DONE)
background_status (DONE)
to
online_status ()
background_status ()
Start the SmartEvent / SmartReporter services:

[Expert@HostName]# evstart


Verify that the SmartEvent database / SmartReporter database has been restored:

Either run the following command and compare its output with the output that was collected together with the backup file:

[Expert@HostName]# cpstat cpsemd

Or connect with SmartEvent / SmartReporter GUI client to SmartEvent / SmartReporter server.


Connect with SmartEvent GUI to SmartEvent Server - go to 'Actions' menu - click on 'Install Event Policy'.

View solution in original post

0 Kudos
5 Replies
KennyManrique
Advisor
‎2018-01-19 06:01 PM
Jump to solution

Hi Chris,

First of all verify if your licenses on new migrated SMS are pointing to the right IP address.

Did you perform all mentioned steps in the sk?? Or only those of database clearing?

Peraphs you will have to manually delete and add again the log/audit servers on SmartEvent Server configuration.

Regards.

Chris_Hoff
Contributor
‎2018-01-20 07:51 AM
In response to KennyManrique
Jump to solution

I did all the steps in the SK. The other SK that I can't seem to find also had a step to clear the SmartEvent Consolidator and SmartEvent Server on the object, install database, then re-enable. I may go ahead and delete the object and re-create - obviously needing to re-establish SIC and see where that goes. Thanks for the reply!

Vladimir
Champion
Champion
‎2018-01-26 12:17 PM
In response to Chris_Hoff
Jump to solution

Chris, these are the notes from one of my previous migrations that may be useful:

To export the database:
-------------------------------
On R70.20 and above:

Collect EVA backup:

[Expert@HostName]# $RTDIR/bin/eva_db_backup.csh -filename /path_to/Name_of_EVA_Backup_File events_db

Store the EVA backup file together with the Check Point infrastructure backup file from Step 2 above.

For example, use TAR:

[Expert@HostName]# tar cvf CP_Backup_And_EVS_Backup.tar /path_to/CP_Backup_File.tgz /path_to/EVA_Backup_File.tgz


Collect the SmartEvent database / SmartReporter database information on the source server for verification:

[Expert@HostName]# cpstat cpsemd

Transfer the collected exported files from the source server to your target server (which has to be already fully installed and configured).
---------------------------
To Import Database:

On R70.20 and above:

Stop the SmartEvent / SmartReporter services:

[Expert@HostName]# evstop

Restore the events database:

[Expert@HostName]# $RTDIR/bin/eva_db_restore.csh -filename /path_to/Name_of_EVA_Backup_File.tgz events_db

Check the $RTDIR/conf/eventia_upgrade.C file:

[Expert@HostName]# less $RTDIR/conf/eventia_upgrade.C

If the values of the attribute 'online_status' and attribute 'background_status' are 'DONE', then delete this 'DONE' value using the Vi editor.

[Expert@HostName]# vi $RTDIR/conf/eventia_upgrade.C

Modify from
online_status (DONE)
background_status (DONE)
to
online_status ()
background_status ()
Start the SmartEvent / SmartReporter services:

[Expert@HostName]# evstart


Verify that the SmartEvent database / SmartReporter database has been restored:

Either run the following command and compare its output with the output that was collected together with the backup file:

[Expert@HostName]# cpstat cpsemd

Or connect with SmartEvent / SmartReporter GUI client to SmartEvent / SmartReporter server.


Connect with SmartEvent GUI to SmartEvent Server - go to 'Actions' menu - click on 'Install Event Policy'.

0 Kudos
iesnoz
Contributor
‎2023-07-24 09:19 AM
In response to Vladimir
Jump to solution

For me worked in a R81.10 to install events from "SmartEvent Settings and policy" to install event and the error shown in "Gateways and servers" showing the previous IP disappeared.

Chris_Hoff
Contributor
‎2018-02-01 01:33 PM
Jump to solution

I meant to get back here and let everyone know what eventually fixed it. Basically I did everything in SK mentioned above, but it did not matter. I ended up Resetting SIC and doing the SK along with clearing the GUI Cache and this combination seemed to have taken care of the issue. 

Thanks for everyone for the responses. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top