Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Graham1
Contributor
Jump to solution

Log only partially indexing after R81.20 upgrade

I am at loss, and grasping at straws.

Single Management (VMware Open Server) server was upgraded from R81.10 to R81.20. Since then I am seeing partial log entries when using the Logs view from Logs & Monitor.
The ONLY way to view full log entries is when I open specific log files.
I am getting some http/s logs from one GW.
I am getting AD query & IPS logs from another GW(Main office), but nothing else.

Answering as many question as I can to give a full picture
All four gateways are sending their logs to this mangement server and their fw.log is NOT growing
Since I am seeing logs entries from gateways when manually opening log files, I say sk40090 DOES NOT apply
I don't think sk112162 applies either since teh GW's are not logging locally
I have no remote log servers.
Support is unable to replicate using my config and DB, so they suggested rebuiliding the VMware open server.
I have done this and still the same problem.
$RTDIR/conf/logServerConfig.xml is only showing the one IP and is the one I am expecting.
df -h /var/log = 793G free (since I rebuilt the server)
I have pushed policy on all GWs and installed DB on management
SIC status is "Communicating"

Apparently for Support the next step is R&D, but I am worried this is going to take a really long time.

Does anyone have any ideas?   Willing to try even the craziest idea at this point.

0 Kudos
1 Solution

Accepted Solutions
Graham1
Contributor

So this is interesting....
I checked the management object and see that Logs> Enable Log Indexing is NOT enabled.

Every fibre in me feels like this is not right.  See screenshot.

 



View solution in original post

0 Kudos
7 Replies
Amir_Senn
Employee
Employee

Hi,

1. If you did an upgrade and your log server is not your MGMT server, please make sure to perform "Install database" operation.

2. You can stop and restart indexer to see if it solves the issue. "stopIndexer ; startIndexer ;"

3. If 1 and 2 doesn't solve the issue, look for errors in $INDEXERDIR/log/log_indexer.elg.

Kind regards, Amir Senn
0 Kudos
Graham1
Contributor

Thanks Amir.

1.  Log and mgmt are the same server, now and before the upgrade and server replacement.
2.  Restarting indexer was tried with support and when I do it again no resolution.
3.  I only see DNS resolution error for the log.

========================
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:Identity Awareness] will be by allowedDomainsIds from domainsIds entries
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:URL Filtering] will be by allowedDomainsIds from domainsIds entries
[4099922752][18 Jan 8:12:34] RFLResolver:HandleBackResolveQueryRequest() - back resolving of field: [product:Anti-Virus] will be by allowedDomainsIds from domainsIds entries
[4108315456][18 Jan 8:12:34] POST /resolve

[4108315456][18 Jan 8:12:34] LogFields::ApplyDnsResolving ERROR field: [confidence_level] was not found, returning false.
[4108315456][18 Jan 8:12:34] LogFields::ApplyDnsResolving ERROR field: [confidence_level] was not found, returning false.
[4078959424][18 Jan 8:12:34] POST /backresolve
========================

Thanks,
Graham

0 Kudos
Graham1
Contributor

So this is interesting....
I checked the management object and see that Logs> Enable Log Indexing is NOT enabled.

Every fibre in me feels like this is not right.  See screenshot.

 



0 Kudos
emmap
Employee
Employee

Log indexing should be enabled to have SmartLog display logs properly.

Amir_Senn
Employee
Employee

That solves the issue but raises another question entirely.

Did you upgrade with CPUSE package or advanced upgrade?

Is the MGMT also a GW (stand-alone)?

What are the specs of the VM?

Kind regards, Amir Senn
0 Kudos
Graham1
Contributor

I can confirm that since enabling log indexing, it is working as intended.

I used a cpuse package I believe by using the WebUI to upgrade.  MGMT is not a gateway.
The specs are 4 vcpus, 16GB RAM, 1TB storage.

0 Kudos
ibrown
Explorer

Just for reference, my upgraded r81.20 management server also did not have indexing set, I assume that is an upgrade 'feature'

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events