Hello,
I have a problem related to the logs.
I currently have a SMS+ClusterXL HA.
The ClusterXL is configured to "send" the logs to the SMS, but when I go to the "Logs&Monitor" section and try to see the logs, they just don't appear.
I have checked in different options, like "Last Hour, Today, etc", and I don't see any result, but if I check the option that I share in the following image, I can see all the logs.
But if I try to check the logs, without opening the "fw.log" file, I can't see anything.
The ClusterXL is correctly configured to send logs to the SMS.
Any ideas on how to correct this?
Thanks for your comments.
First, check if fw is logging locally
watch -d ls -lh $FWDIR/log/fw.log
If the file keeps growing, it means it's logging locally, and the best way to solve that is to either do cpstop; cpstart or reboot (during off hours, of course).
However, if the file is not growing, then you may need to check the SKs below.
Andy
I just tested the command, in the Active member of the ClusterXL HA, but I don't know exactly how the result should be interpreted.
I share the output of the command.
Leave it running for 2 mins or so to see if file size changes, meaning if it keeps increasing.
Andy
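The growth check described above, as an added example that is not part of the original thread: it samples the file size over a window and prints a single verdict instead of leaving the `watch` output to be read by eye. The function names and the `LOG_GROWTH_WAIT` hook are assumptions made for this example; as the thread notes, a static result can also mean no traffic passed during the window.

```bash
#!/bin/bash
# Added example (not from the thread): decide whether a log file is growing.
# LOG_GROWTH_WAIT is a hypothetical hook naming the command run between
# samples; it defaults to sleep.

# Print the size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# log_growth PATH [SAMPLES] [INTERVAL_SECONDS]
# Prints one verdict:
#   missing  - the file does not exist
#   growing  - size increased in at least one sample (records written locally)
#   rotated  - size shrank or the file vanished (log switch during sampling)
#   static   - size never changed during the window
log_growth() {
    path=$1
    samples=${2:-12}
    interval=${3:-10}
    wait_cmd=${LOG_GROWTH_WAIT:-sleep}

    [ -f "$path" ] || { echo "missing"; return 0; }

    prev=$(file_size "$path")
    verdict="static"
    i=0
    while [ "$i" -lt "$samples" ]; do
        "$wait_cmd" "$interval"
        [ -f "$path" ] || { echo "rotated"; return 0; }
        cur=$(file_size "$path")
        if [ "$cur" -lt "$prev" ]; then
            echo "rotated"; return 0
        elif [ "$cur" -gt "$prev" ]; then
            verdict="growing"
        fi
        prev=$cur
        i=$((i + 1))
    done
    echo "$verdict"
}

# Run only when a path is given, e.g.:
#   ./log_growth.sh "$FWDIR/log/fw.log" 12 10
if [ "$#" -gt 0 ]; then
    log_growth "$@"
fi
```

With the defaults (12 samples, 10 seconds apart) the window is the "2 mins or so" suggested in the post above.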
I have monitored it for more than 5min, and the file value "stays" at 8.2k, it does not increase.
Maybe for now, maybe there is no traffic going through the firewall, or maybe something got damaged.
I can only see the logs in the SmartConsole, as long as I open the "fw.log" file, if I don't open that file, I simply can't see anything, as if the MGMT is not "receiving" anything.
It's weird.
Ok, if the value stays the same, it means fw is not logging locally. I would follow the SKs I sent then.
Andy
I don't see the SK solution as "clear".
Is it feasible to restart the processes in MGMT, with "cpstop;cpstart"?
I see that the logs are visible, but only if I open the "fw.log" file, but if I don't open that file, I simply don't see anything.
😕
Sorry bro, silly me, now I get it, so it appears that logging does work, it's just the way you can open it from mgmt, got it. Yea, either do cpstop; cpstart on the mgmt server or reboot it, no harm. It can be done any time.
Andy
I restarted the MGMT processes, and the logs started to appear without problems.
There is no longer any need to open the "fw.log" file in the SmartConsole, in order to view the logs.
Do you know which is the process in charge of the correct functioning of the logs in Check Point?
Cheers. 🙂
Yes sir, it's fwd. You can refer to the below, good references and how to debug it.
Good job btw!
Andy
Also, what @PhoneBoy said about the log indexing SK is good to ensure.
Andy
In general, if you can't see the logs but can open them manually, this points to an indexing issue.
No need to do cpstop; cpstart. We can specifically reset only the indexing service, which is faster, and you won't lose connectivity or anything. Use "stopIndexer ; startIndexer".
The processes also appear in "cpwd_admin list".
The elg file is located here: $INDEXERDIR/log/log_indexer.elg
You can also check $INDEXERDIR/data/FetchedFiles (which keeps track of which log files are indexed), but this might be harder to follow.
Hello,
Is this command "stopIndexer ; startIndexer" also useful in situations where the logs in the SmartConsole are displayed with a delay of minutes?
For example you generate traffic now from 1 IP 10.120.302.59 to an FTP service, but the logs of this connection appear after a few minutes, and not in real time.
Can this command be useful to "solve" these cases?
Thanks for your comments.
Hey bro,
As the response from @Amir_Senn indicated, it's strictly related to the logging issue, so easier to do than cpstop; cpstart, which restarts everything. Personally though, I always reboot the mgmt, no harm in doing so, as it does not affect any traffic.
Andy
If you have delays of minutes I believe it's more of a performance issue rather than indexer issues. I would follow CPU and memory consumption during times of delay in logs.
If indeed the consumption of CPU/memory is high, restarting the indexer won't help, but maybe I can recommend:
1. If you're using a VM I suggest increasing specs and see if this solves the issue.
2. If you're using an appliance or open server:
a. If you're using your management server as your primary log server, I suggest considering moving to a distributed environment with a dedicated log server to improve performance. Your needs might have grown over time to a scenario in which management and logs on the same server is stressing a single server too much. You can set up a log server VM on trial and see if this improves the situation for the time. If this is the case, it could also improve other management services operations as well.
b. Upgrading it to a stronger server or increasing its resources (if possible) might solve the issue.
Make sure Log Indexing is enabled on the management object (issue #1 https://support.checkpoint.com/results/sk/sk150452 ).