Log exporter not forwarding regularly since upgrading to R81.10
We have recently upgraded to R81.10 and I have restored the backup of the Log Exporter. However, since the upgrade, the log exporter doesn't seem to be forwarding traffic on a constant basis. I can only see in the logs that the log exporter is forwarding about every 12 hours, and it works when there is traffic seen (the destination is receiving the data). I'm trying to find where the timing interval is configured, as I can't see in the configuration what it is set to.
Labels: Logging, Multi-Domain
Accepted Solutions
I can now confirm that since running the command cp_log_export reconf and restarting the log exporter, this is now working as expected (frequent data sent instead of in batches). Thank you very much for all your responses.
Just to clarify, are you using accounting with the rules, or perhaps I don't understand the issue/symptom fully?
Refer:
https://community.checkpoint.com/t5/Management/Log-Accounting/m-p/107250
https://community.checkpoint.com/t5/Management/Log-tracking-and-account-timers/m-p/108010
Can you run cp_log_export show, check the target-server and target-port configured, and then run a tcpdump to confirm the log server is sending traffic on that port to the target?
Where are you exporting to?
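One way to script the check suggested above, as an added example that is not part of the thread: pull the target-server and target-port of a named exporter out of `cp_log_export show` output, build the matching tcpdump filter, and probe for traffic within a bounded window. The field layout of the show output and the availability of `timeout` on the log server are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Field names follow the thread
# (target-server, target-port); the line layout is an ASSUMPTION, adjust
# if your `cp_log_export show` output differs.

# Constructed sample of `cp_log_export show` output, for offline use.
SAMPLE_SHOW='name: siem-exporter
    enabled: true
    target-server: 192.0.2.10
    target-port: 514
    protocol: udp
    format: syslog'

# Read show output on stdin; print "<server> <port>" for exporter $1.
# Returns 1 when the exporter or either field is missing.
exporter_target() {
    awk -v want="$1" '
        /^name:/                         { cur = $2 }
        cur == want && /target-server:/ { srv = $2 }
        cur == want && /target-port:/   { prt = $2 }
        END { if (srv != "" && prt != "") { print srv, prt; exit 0 } exit 1 }'
}

# tcpdump filter that isolates traffic from the log server to the target.
tcpdump_filter() {
    printf 'host %s and port %s' "$1" "$2"
}

# Capture for up to $3 seconds; returns 0 if any packet to the target was
# seen, 1 on silence. The thread's symptom is a multi-minute silence, so
# run this repeatedly (e.g. every 60 s) rather than once. Assumes coreutils
# `timeout` is present on the log server.
forwarding_seen() {
    filt=$(tcpdump_filter "$1" "$2")
    # -c 1 exits on the first matching packet; timeout bounds the wait.
    timeout "$3" tcpdump -ni any -c 1 "$filt" >/dev/null 2>&1
}

# On a real log server replace SAMPLE_SHOW with: cp_log_export show
target=$(printf '%s\n' "$SAMPLE_SHOW" | exporter_target siem-exporter) || exit 1
set -- $target
echo "tcpdump -ni any $(tcpdump_filter "$1" "$2")"
```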
I ran the tcpdump and am not seeing constant traffic sent to the target. I see on the firewall logs where the traffic to the target is hitting, and this matches the frequency being received by the target. Having said that, this wasn't the case prior to the upgrade to R81.10. Attached are the previous config and the current config of the log exporter.
Hi!
Just found that we have the same problem. We upgraded the MDS from R80.30 to R81.10 and the log exporters are no longer working.
EDIT: In our case, the reason was simply that the firewall in front of the SIEM was blocking traffic from the CMA addresses. Previously the rule had only the MDS main address as src.
The log exporter seems to stop sending traffic after some time. tcpdump doesn't show any output, and when the log exporter is restarted, it starts sending traffic again. When left alone, it seems to start sending traffic at times, and when it does it works just fine. I have logged a TAC case already and it is being investigated by them. This is on R81.10 with JHF Take 66 installed.
Hello,
I would like to understand how to try and reproduce your issue so we can investigate it. Can you please share some more details on your issue:
- From which version did you upgrade?
- How was your environment upgraded - using CPUSE or advanced upgrade?
- You wrote you restored the backup of log exporter. Do you mean you ran “cp_log_export reconf” post upgrade or did you use a different method?
- When logs start to be forwarded again how long does it take until they stop?
- When logs start to be forwarded again are all previously missing logs being forwarded or only the currently created new logs are forwarded?
- When you write that “it works when there is traffic seen (destination is receiving the data)” do you mean that there are logs of certain traffic that do get forwarded?
- From which version did you upgrade? R80.30 to R81.10 (tested on R81.10 JHF Take 66 too, but that had the same issue)
- How was your environment upgraded - using CPUSE or advanced upgrade? Upgraded using CPUSE
- You wrote you restored the backup of log exporter. Do you mean you ran “cp_log_export reconf” post upgrade or did you use a different method? Using sk127653.
- When logs start to be forwarded again how long does it take until they stop? About 5 minutes
- When logs start to be forwarded again are all previously missing logs being forwarded or only the currently created new logs are forwarded? Not 100% sure, as we are only looking at the timing of the traffic sent. I'll have to confirm with the end user
- When you write that “it works when there is traffic seen (destination is receiving the data)” do you mean that there are logs of certain traffic that do get forwarded? Yes, when we see traffic from the log server (from tcpdump) the logs are being received.
I have also tried running cp_log_export reconf and restarting the log exporter; it starts exporting data and then after a while it stops again (tcpdump shows nothing).
Thank you. We'll try to reproduce the issue on our environment and investigate it. Just 1 more question to make sure: Are the exporters on MDS or MLM?
Thanks Arnon. I have an update for this. I may not have run the command "cp_log_export reconf" post upgrade but rather just restarted the log exporter (cp_log_export restart), so I ran the command again and restarted the log exporter. That seems to have kept it going at regular intervals now. Also, before this, the data being received contained all the logs, so it seems it was just sending them in batches previously. This has now been resolved and it seems to be sending on a regular basis. I will observe this until tomorrow and confirm that it's all rectified.
Thanks!
By the way - Are the exporters on MDS or MLM?
The exporters are on the Multi-Domain Log Server.
Was there any change since your last update?
Thank you for the update!
Hi,
I'd appreciate your response to Arnon's questions so we will be able to understand the issue better and try to assist.