starmen2000
Collaborator

Log view problem after upgrade to R81.20

Hi Mates,

We upgraded the Management Server from R81.10 to R81.20. However, post-upgrade, we observed an issue related to Log view. In order to view logs from before the upgrade, we have to open a specific log file. Consequently, we are unable to see the previous logs without opening a specific log file.

Is this behavior normal, or do we need to take any additional steps to view previous logs without opening a log file?

Thanks

9 Replies
emmap
Employee

If you follow the 'To change log indexing settings' steps from here, it should reindex the older log files back as far as you specify:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_LoggingAndMonitoring_AdminGu...

0 Kudos
starmen2000
Collaborator

Unfortunately, it did not help. I think 'To change log indexing settings' affects the system after upgrade, as I see from this SK, which is also a similar issue: https://support.checkpoint.com/results/sk/sk111766

0 Kudos
Amir_Senn
Employee

Hi,

No need to change index settings; R81.10 and R81.20 run on the same SOLR version, so no need to re-index.

Though if you can open log files but see nothing without it, it's 99% an indexer issue.

1. If you did an upgrade and your log server is not your MGMT server, please make sure to perform the "Install database" operation.

2. You can stop and restart the indexer to see if it solves the issue. "stopIndexer ; startIndexer ;"

3. If 1 and 2 don't solve the issue, look for errors in $INDEXERDIR/log/log_indexer.elg.

Kind regards, Amir Senn
cem82
Contributor

Don't know if it would still apply for R81.20, but have had similar behavior in R81.10 (not after an upgrade) and needed to rebuild the index. It can take a while to rebuild the index, though, so it might pay to test it out on a specific log file first: https://support.checkpoint.com/results/sk/sk164553

Or what we had to do for all log files:

evstop
rm -r $RTDIR/log_indexes/other*
rm -r $RTDIR/log_indexes/audit*
rm -r $RTDIR/log_indexes/firewallandvpn*
rm -r $RTDIR/log_indexes/smartevent*
rm $INDEXERDIR/data/FetchedFiles
evstart

 

May also check out https://support.checkpoint.com/results/sk/sk167895

0 Kudos
the_rock
Legend

I believe it would be the same, correct.

Andy

0 Kudos
Amir_Senn
Employee

I wouldn't recommend this unless you're completely certain. This will delete all your indexes, which will cause your logs to be unavailable for searching and, depending on the amount of logs, will require resources to re-index them.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

What if someone backs them up and then copies them over after the upgrade? That should work, right?

Andy

0 Kudos
Amir_Senn
Employee

IDK, I think it will cause issues. FetchedFiles is what keeps a check on what was indexed; if you overwrite it or leave it as it is now, it will create a mismatch. Not sure what will happen.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

Ah, gotcha, that makes sense.

Best,

Andy

0 Kudos
