Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tu2pel
Contributor
Jump to solution

Log exporter no forwarding regurlarly since upgrading to R81.10

We have recently upgraded to R81.10 and I have restored the backup of the Log exporter . However, since the upgrade, the log exporter doesnt seem to be forwarding traffic on a constant basis. I can only see traffic on the logs that the log exporter is forwarding it about every 12 hours and it works when there is traffic seen (destination is receiving the data). Im trying to find where is the timing interval is configured as I cant see in the configuration what it sets up to. 

0 Kudos
1 Solution

Accepted Solutions
Tu2pel
Contributor

I can now confirm that since running the command cp_log_export reconf and restarting the log exporter, this is now working as expected (frequent data sent instead of in batches). Thank you very much for all your responses.

View solution in original post

0 Kudos
15 Replies
Chris_Atkinson
Employee Employee
Employee

Just to clarify are you using accounting with the rules or perhaps I don't understand the issue/symptom fully?

 

Refer:

https://community.checkpoint.com/t5/Management/Log-Accounting/m-p/107250 
https://community.checkpoint.com/t5/Management/Log-tracking-and-account-timers/m-p/108010 

CCSM R77/R80/ELITE
0 Kudos
Simon_Macpherso
Advisor

Can you run cp_log_export show, check the target-server and target-port configured and then run a tcpdump to confirm the log server is sending traffic on the port to the target.  

Where are you exporting to? 

0 Kudos
Tu2pel
Contributor

I ran the tcpdump and am not seeing constant traffic sent to the target.  I see in on the firewall logs where the traffic to the target is hitting and this is matching the frequency being received by the target. Having said that, this wasnt the case prior to upgrade to R81.10. attached is the previous config and the current config of the log exporter

0 Kudos
Arskazv
Participant

Hi!

Just found, that we have the same problem. We upgraded MDS from R80.30 to R81.10 and log_exporters are no more working.

EDIT: In our case, the reason was simply, that firewall in front of SIEM was blocking traffic from cma addresses. Previously rule had only mds main address as src.

0 Kudos
Tu2pel
Contributor

The log exporter seems to stop sending traffic after some time. tcpdump doesnt show any output and when log exporter is restarted, it starts sending traffic again. When left out, it seems to start sending traffic at times and when it does it works just fine. I have logged a TAC case already and is being investigated by them . This is on R81.10 with JHF take 66 installed. 

0 Kudos
Arnon_Berman
Employee
Employee

Hello,

I would like to understand how to try and reproduce your issue so we can investigate it. Can you please share some more details on your issue:

  • From which version did you upgrade?
  • How was your environment upgraded - using CUSE or advance upgrade?
  • You wrote you restored the backup of log exporter. Do you mean you ran “cp_log_export reconf” post upgrade or did you use a different method?
  • When logs start to be forwarded again how long does it take until they stop?
  • When logs start to be forwarded again are all previously missing logs being forwarded or only the currently created new logs are forwarded?
  • When you write that “it works when there is traffic seen (destination is receiving the data)” do you mean that there are logs of certain traffic that do get forwarded?
0 Kudos
Tu2pel
Contributor
  • From which version did you upgrade? R80.30 to R81.10 (tested on R81.10 JHF Take 66 too but that had the same issue too)
  • How was your environment upgraded - using CUSE or advance upgrade? Upgraded using CPUSE
  • You wrote you restored the backup of log exporter. Do you mean you ran “cp_log_export reconf” post upgrade or did you use a different method? using sk127653 . 
  • When logs start to be forwarded again how long does it take until they stop? about 5 minutes
  • When logs start to be forwarded again are all previously missing logs being forwarded or only the currently created new logs are forwarded? Not 100% as we are only looking at the timing of the traffic sent . Ill have to confirm with end user
  • When you write that “it works when there is traffic seen (destination is receiving the data)” do you mean that there are logs of certain traffic that do get forwarded? Yes, when we see traffic from the log server (from tcpdump) the logs are being received. 

I have also tried running cp_log_export reconf and restarting the log exporter, it starts exporting data and then after a while, it stops again (tcpdump shows nothing )

 

0 Kudos
Arnon_Berman
Employee
Employee

Thank you. We'll try to reproduce the issue on our environment and investigate it. Just 1 more question to make sure: Are the exporters on MDS or MLM?

0 Kudos
Tu2pel
Contributor

Thanks Arnon. I have just an update for this. I may not have ran the command "cp_log_export reconf" post upgrade but rather just restarted the log exporter (cp_log_export restart. so I ran the command again and restarted the log exporter. That seem to have now kept it going at a regular intervals now. Also, before this, the data being received contains all the logs so it seems to be just sending it in batches previously. This is now been resolved and seem to ssending it on a regular basis. Will observe this until tomorrow and confirm that its all rectified. 

0 Kudos
Ido_Shoshana
Employee
Employee

Thanks!

By the way - Are the exporters on MDS or MLM?

0 Kudos
Tu2pel
Contributor

The exporters are in the Multidomain log server

0 Kudos
Arnon_Berman
Employee
Employee

Was there any change since your last update?

0 Kudos
Tu2pel
Contributor

I can now confirm that since running the command cp_log_export reconf and restarting the log exporter, this is now working as expected (frequent data sent instead of in batches). Thank you very much for all your responses.

0 Kudos
Arnon_Berman
Employee
Employee

Thank you for the update!

0 Kudos
Ido_Shoshana
Employee
Employee

Hi 

I'll appreciate your response to Arnon's questions so we will be able to understand better the issue and try to assist.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events