This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2018-12-13 04:06 AM
Jump to solution

Not able see the old logs (Without Log Indexing)

Dear Team,

Test on my Lab environment. 

OS: R80.20 


So is it working as is it ????

or is there any way we able to filter logs without enabling Log Indexing.

NOTE: On one of the customer environment also even Log Indexing is enabled we unable to see the yesterday logs or past logs when we filter the logs we see only Today Logs.

--> Even custom filter also not showing proper result its showing logs but one-day past logs (Like If I am select December 10 then It's showing 9 December logs ) 

 

#Chinmaya Naik

Labels
1 Solution

Accepted Solutions
Manoj_Kumar2
Contributor
‎2018-12-20 01:29 AM
In response to Chinmaya_Naik
Jump to solution

Hi Chinmaya,

It is true if we will disable the log indexing it stops correlating the logs and will behave as smart view tracker in R77.30.

Also the difference you are seeing in logs (i.e 1 day back logs as per filter) is due to the bug as I have faced this issue in R80.10 where timing were pulled back to 3-4 hours. CP has provided the custom fix for that as it depends upon the customer/ lab environment.

NOTE: On one of the customer environment also even Log Indexing is enabled we unable to see the yesterday logs or past logs when we filter the logs we see only Today Logs.

1. Could  you please let me know when you have enabled the log indexing? Is this the case you have enabled this today and you are expecting console will show you earlier/yesterday logs as well.

2. Have you removed any file relevant to logs? 

View solution in original post

9 Replies
KennyManrique
Advisor
‎2018-12-13 05:38 AM
Jump to solution

Hi Chinmaya,

This is the usual behavior for Logs & Monitor View.

When you don't have Log Indexing enabled; this view works by letting you open the log files present on $FWDIR/log in a similar way as SmartView Tracker works.

Once you enable Log Indexing; all the log files are indexed and your request shows to you the indexed results from all your log files instead the log itself.

For your foot note:

NOTE: On one of the customer environment also even Log Indexing is enabled we unable to see the yesterday logs or past logs when we filter the logs we see only Today Logs.

The most probable cause is that SmartLog only indexed the current fw.log file and nothing from x days on the past. There is plenty information about this like R80.x SmartLog/SmartEvent server doesn't index/show logs older than 1-14 days back , just look at Secure Knowledge Smiley Happy


Regards.

Chinmaya_Naik
Advisor
‎2018-12-13 07:31 AM
In response to KennyManrique
Jump to solution

Ok thanks  Kenny Manrique Smiley Happy 

 But what about below point.

--> Even custom filter also not showing proper result its showing logs but one-day past logs (Like If I am select December 10 then It's showing 9 December logs ) 

Can I disable and enable the Log Indexing and check the output or else need to reboot the MGMT server ??

Because we able to see the old logs using custom filter  like 14 day back that is fine BUT why it’s showing one day back logs  as I mention on above .

Thank you

#Chinmaya Naik

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 01:31 AM
Jump to solution

When logs are not indexed, the log viewer can only work with one log file at a time.

By default this is the current one, which will cover only the current day (starting at midnight).

Logs are rotated daily at midnight.

To search older logs in this case, the relevant log file must be opened manually.

Is there a specific reason log indexing is disabled?

We generally recommend it to be enabled.

0 Kudos
Chinmaya_Naik
Advisor
‎2018-12-14 02:06 AM
In response to PhoneBoy
Jump to solution

Ok Thank you Sir Smiley Happy

But if I am going to enable the Log Indexing also we not able to filter the yesterday logs, as on my LAB environment its working fine but on customer environment we unable to see the yesterday logs.

0 Kudos
Manoj_Kumar2
Contributor
‎2018-12-20 01:29 AM
In response to Chinmaya_Naik
Jump to solution

Hi Chinmaya,

It is true if we will disable the log indexing it stops correlating the logs and will behave as smart view tracker in R77.30.

Also the difference you are seeing in logs (i.e 1 day back logs as per filter) is due to the bug as I have faced this issue in R80.10 where timing were pulled back to 3-4 hours. CP has provided the custom fix for that as it depends upon the customer/ lab environment.

NOTE: On one of the customer environment also even Log Indexing is enabled we unable to see the yesterday logs or past logs when we filter the logs we see only Today Logs.

1. Could  you please let me know when you have enabled the log indexing? Is this the case you have enabled this today and you are expecting console will show you earlier/yesterday logs as well.

2. Have you removed any file relevant to logs? 

Chinmaya_Naik
Advisor
‎2018-12-20 01:55 AM
In response to Manoj_Kumar2
Jump to solution

Dear Manoj,

Thanks for the update.

Requesting you If possible can you please share me the custom hotfix so I can check on my LAB. (For Testing)

As per your question 1. Could you please let me know when you have enabled the log indexing? Is this the case you have enabled this today and you are expecting console will show you earlier/yesterday logs as well.

Ans: It's a live environment and log indexing is already enabled and still face an issue. 

 

2. Have you removed any file relevant to logs? 

Ans: No

CHINMAYA NAIK

0 Kudos
Manoj_Kumar2
Contributor
‎2018-12-20 02:05 AM
In response to Chinmaya_Naik
Jump to solution

Unfortunately I do not have custom hotfix and also that is specific to customer and for R80.10, above take_112

Did you stop/start the services of cma and logger? If no you can test this and check the status.

Thanks,

0 Kudos
Chinmaya_Naik
Advisor
‎2018-12-20 02:09 AM
In response to Manoj_Kumar2
Jump to solution

Ok, ManojSmiley Happy

We have also the same setup and we plane to restart the services.

Thanks 

0 Kudos
Sunny01
Explorer
‎2020-04-06 06:36 PM
Jump to solution

On R80.x, After rebooting the logging servers- we were not able to get the "All time"  logs in the Log and Monitor.

Steps taken to resolve it:

1. Checked the smart events in the "SmartEvent Settings & Policy" in the primary management server.

    a. Click on the system status from the bottom right of the Smart Event Console.
    b. Check for Errors showing up.
    c. If there is a (X) for Indexing logs, naviate to check the logs file mentioned in the description. 
        cd /opt/CPrt-R80.30/log_indexer/log
    d. Execute the following command to look for Indexing errors.
         tail -f log_indexer.elg        
         for example :- connection faliure with 127.0.0.1:8210 
    e. Verify the logging index process is running.
         ps auxw | grep log_indexer

2. Fw logswitch was executed on the primary management server. 
      fw logswitch creates a new Log File. The current Log File is closed and renamed.

This fixed the indexing issue as the new file started indexing as expected. 

 

 

 

 

     

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events