R80.10 Syslog Exporter
Via Check Point Support you get a Syslog exporter for SIEM applications for R80.10 Management, which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in a few standard protocols and formats.
Log Exporter supports:
- Splunk
- Arcsight
- RSA
- LogRhythm
- QRadar
- McAfee
Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.
Installation on R80.10 Jumbo Hotfix Take 56 or higher.
Syntax:
# cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> [optional arguments]
| Command Name | Command Description |
|---|---|
| add | Deploy a new Check Point logs exporter. |
| set | Updates an exporter's configuration. |
| delete | Removes an exporter. |
| show | Prints an exporter's current configuration. |
| status | Shows an exporter's overview status. |
| start | Starts an exporter process. |
| stop | Stops an exporter process. |
| restart | Restarts an exporter process. |
| reexport | Resets the current position, and re-exports all logs per the configuration. |
Regards,
Please see this snapshot.
Also, when I try to delete, it doesn't allow me to delete it. Should I try to delete the EXPORTERDIR manually?
After deleting the EXPORTERDIR manually, will it create the EXPDIR again automatically (after cpstart)?
Hello,
Since the $EXPORTERDIR wasn't defined at the time of deployment, the exporter was deployed to /opt/CPrt-R80/log_indexer/targets/ (you can see the location in the show status output).
Now that the $EXPORTERDIR variable is defined it's looking for it (and trying to delete it) in the 'correct' location.
That's why I said you might have to manually delete it and then redeploy it.
I would use 'rm -r /opt/CPrt-R80/log_indexer/targets/*' (as with any other time that you use rm with a wild card, I would advise to exercise caution and make sure you are deleting the right location/content and nothing else).
I think we could have and should have handled this scenario better. This sort of mixup and confusion is why this should have been blocked in my opinion (I already have an open RFE to block deployment in case the $EXPORTERDIR variable is not defined).
Edit: Just noticed that the command should be: cp_log_export delete name XXXX (you're missing the name parameter)
HTH
Yonatan
Hey Yonatan, thank you so much. It worked for me.
Even though adding the corrected parameter (name) didn't help, removing the target directory and recreating it worked for me.
Expect new ports with R80.20. There is something going on on port 4434 that is web related.
Hello Hugo,
I saw your post regarding the R80.20 M1 release.
I have to admit I wasn't aware of any issue with the ports and I've asked the relevant person to look into it.
I'm not familiar with any planned change to the log exporter ports in R80.20.
Nor am I familiar with any new issue with the Log Exporter on R80.20.
If you are aware of any specific issue with the Log Exporter on R80.20 M1 please send me an email with details to (edited as we are already GA for R80.20)
Thanks!
Yonatan
What are the performance implications of installing the Log Exporter? What is the typical cpu/memory footprint?
Each log exporter can consume up to 1 CPU when exporting in full capacity.
I installed a log exporter on a fairly busy log server. The log_exporter process immediately jumped to ~100% cpu (1 core). Does this mean I need to install multiple log_exporter processes? If so, how do I do that?
Are there any troubleshooting commands I can use to see if the log_exporter process is not able to send all logs to the syslog server?
You don't really need to do any troubleshooting just yet - a CPU spike is expected after enabling the process for the first time.
The process will export all logs going back (by default) 1 day and will start exporting them at the maximum possible rate until it empties the queue, at which point it will go into the 'steady state' of exporting logs as they arrive.
This is the expected behavior. If the process goes down for any reason it will not lose any logs as we save a record of which logs were exported, and any that were not will be exported as soon as the process is back up and running.
Depending on how many logs you generate per day this can take anywhere from a few seconds to a few hours.
From the screenshot, it looks like the process has been running for 4 hours already which leads me to believe you probably generate a large number of logs per day.
If the process is still at 100% CPU after a few more hours I would check the elg file to see what is the current, average and total amount of logs exported (the 'cp_log_export status' command will also give you the path to the elg file).
If the CPU load persists for more than a day, this might be an indication of a problem and you should investigate further and/or open a support ticket.
HTH
Yonatan
Thank you very much for your quick reply! Yes, after a few hours, things seem to have calmed down, and the process is ~ 15%. Thanks for the explanation!
We tried to use Log Exporter following SK122323, but it doesn't work as expected.
R80.10 with jumbo take 112
cp_log_export status
name: syslog-prova
status: Running (24439)
last log read at: 5 Nov 16:52:30
debug file: /opt/CPrt-R80/log_exporter/targets/syslog-prova/log/log_indexer.elg
log_indexer.elg seems to report reading data, but doesn't send anything:
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:15] Files read rate [log] : Current=44 Avg=1649 MinAvg=54 Total=2492257 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:15] Sent current: 0 average: 0 total: 0
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:19] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=12 buffers (0/0/0/0)
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:19] Sent current: 0 average: 0 total: 0
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:20] Files read rate [log] : Current=42 Avg=1644 MinAvg=54 Total=2492467 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:20] Sent current: 0 average: 0 total: 0
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:24] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=12 buffers (0/0/0/0)
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:24] Sent current: 0 average: 0 total: 0
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:25] Files read rate [log] : Current=49 Avg=1638 MinAvg=54 Total=2492708 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:25] Sent current: 0 average: 0 total: 0
cp_log_export show
name: syslog-prova
enabled: true
target-server: 172.22.223.71
target-port: 514
protocol: udp
format: syslog
Logs from Gaia to the same server instead work as expected.
meteoam-center2> show syslog all
Syslog Parameters:
Remote Address 172.22.223.71
Levels info
Auditlog permanent
Your output actually indicates that everything is working as expected and that you have already exported ~2.5M logs at an average rate of 1.6K logs/sec:
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:25] Files read rate [log] : Current=49 Avg=1638 MinAvg=54 Total=2492708 buffers (0/0/0/0)
You have also exported 12 audit logs (I'm assuming this was the value that confused you - the elg has information for both fw.log and fw.adtlog):
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:24] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=12 buffers (0/0/0/0)
A useful debugging tool is the following command:
# tcpdump port 514 -s0 -A
[Expert@MDS-72:0]# tcpdump port 3010 -s0 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:50:58.754248 IP MDS-72.61205 > 192.168.32.76.gw: P 1:297(296) ack 1 win 6 <nop,nop,timestamp 158701155 620400757>E..\..@.@..... H.. L......{.MJ......"N.....u.c$..uCEF:0|Check Point|Security Gateway/Management|Check Point|Log|Log|Unknown|deviceDirection=0 msg=Contracts outcome=Started rt=1541504854000 loguid={0x5be18022,0x0,0x4820a8c0,0x3d1779fc} origin=192.168.32.72 sequencenum=1 version=5 product=Security Gateway/Management update_service=1 version=1.0
13:50:58.754322 IP MDS-72.61205 > 192.168.32.76.gw: . 297:1745(1448) ack 1 win 6 <nop,nop,timestamp 158701155 620400757>E.....@.@..X.. H.. L......|.MJ.......3.....u.c$..uCEF:0|Check Point|Security Gateway/Management|Check Point|Log|Log|Medium|cp_severity=Medium deviceDirection=0 msg=Contracts outcome=Failed rt=1541504854000 loguid={0x5be18022,0x1,0x4820a8c0,0x3d1779fc} origin=192.168.32.72 sequencenum=2 version=5 failure_impact=Contracts may be out-of-date product=Security Gateway/Management reason=Server replied with no results. update_service=1 version=1.0
This will allow you to see the actual logs in real time as they are being exported.
If you are also sending OS logs or sending logs using other methods on the relevant port you might want to add more filters to the tcpdump command.
HTH
Yonatan
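As an added example (not code from the thread or from Check Point), the script below parses log_indexer.elg progress lines like the ones quoted above and derives the read rate from consecutive Total counters so it can be compared with the reported Current value; attributing each "Sent" line to the log type of the preceding read line on the same thread id is an assumption based on the quoted output.

```python
import re
from datetime import datetime

# Progress lines from log_indexer.elg: a "Files read rate [log|adtlog]" line
# per log type, followed by a "Sent" line printed by the same worker thread.
HDR = r"\[log_indexer (?P<pid>\d+) (?P<tid>\d+)\]@(?P<host>\S+)\[(?P<ts>[^\]]+)\] "
READ_RE = re.compile(HDR + r"Files read rate \[(?P<kind>\w+)\] : Current=(?P<cur>\d+) "
                     r"Avg=(?P<avg>\d+) MinAvg=(?P<minavg>\d+) Total=(?P<total>\d+)")
SENT_RE = re.compile(HDR + r"Sent current: (?P<cur>\d+) average: (?P<avg>\d+) total: (?P<total>\d+)")

def parse_elg(text):
    """Return {kind: [sample, ...]} with timestamp, reported Current rate and the
    Total read/sent counters. 'Sent' lines name no log type, so each is attributed
    to the log type of the last read line seen on the same thread id (assumption)."""
    kinds, kind_of_tid = {}, {}
    for line in text.splitlines():
        m = READ_RE.match(line)
        if m:
            kind_of_tid[m["tid"]] = m["kind"]
            kinds.setdefault(m["kind"], []).append({
                "ts": datetime.strptime(m["ts"], "%d %b %H:%M:%S"),  # elg stamps carry no year
                "current": int(m["cur"]), "read_total": int(m["total"]), "sent_total": None})
            continue
        m = SENT_RE.match(line)
        if m and m["tid"] in kind_of_tid:
            kinds[kind_of_tid[m["tid"]]][-1]["sent_total"] = int(m["total"])
    return kinds

def observed_rates(samples):
    """Read rate derived from consecutive Total counters, to cross-check the
    reported Current value: [(interval_seconds, logs_per_second, reported_current), ...]."""
    out = []
    for a, b in zip(samples, samples[1:]):
        secs = (b["ts"] - a["ts"]).total_seconds()
        if secs > 0:
            out.append((secs, (b["read_total"] - a["read_total"]) / secs, b["current"]))
    return out

# Constructed sample: the elg excerpt quoted earlier in this thread.
SAMPLE = """\
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:15] Files read rate [log] : Current=44 Avg=1649 MinAvg=54 Total=2492257 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:15] Sent current: 0 average: 0 total: 0
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:19] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=12 buffers (0/0/0/0)
[log_indexer 24439 3872390032]@meteoam-center2[5 Nov 16:25:19] Sent current: 0 average: 0 total: 0
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:20] Files read rate [log] : Current=42 Avg=1644 MinAvg=54 Total=2492467 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:20] Sent current: 0 average: 0 total: 0
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:25] Files read rate [log] : Current=49 Avg=1638 MinAvg=54 Total=2492708 buffers (0/0/0/0)
[log_indexer 24439 4007656336]@meteoam-center2[5 Nov 16:25:25] Sent current: 0 average: 0 total: 0
"""
```

Run `observed_rates(parse_elg(open(path).read())["log"])` against a live elg to see whether the counter-derived rate tracks the reported Current value over the intervals you care about.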
Hi, I am trying to change the format from syslog to generic.
I have tried the below.
What am I missing?
Any help appreciated.
[Expert@gw-920ce3:0]# cp_log_export set format generic
Error: Missing mandatory argument <name> for command set
[Expert@gw-920ce3:0]# cp_log_export delete syslogser --apply-now
Error: Argument [syslogser] is undefined for command: [delete]

just missing the name....
[Expert@R80_M:0]# cp_log_export set name myCEF format generic
Export settings for myCEF has been changed successfully
To apply the changes run: cp_log_export restart name myCEF
[Expert@R80_M:0]# cp_log_export delete name myCEF --apply-now
Stopping log_exporter for: myCEF
Removing /opt/CPrt-R80.20/log_exporter/targets/myCEF
Thank you, that worked. Very appreciated.
We have a new deployment coming up, which will require SPLUNK feeds for traffic and audit logs. We already have both OPSEC & LogExporter defined on our existing R80.10 platform. We use OPSEC LEA for SPLUNK, and LogExporter for a different SIEM system.
As LogExporter is currently installed as an HFA, it is an additional overhead when carrying out upgrades.
Is there any big reason why we should be using one of these solutions over the other?
Thanks.
Log Exporter should be independent of HFAs
It isn't, as far as I am aware. In order to install a new JHFA, it is currently necessary to remove LogExporter, then previous JHFA, before installing the new JHFA and reinstalling LogExporter.
The main point of my question, though, is whether we should be using LogExporter in preference to an OPSEC LEA connector, or stick with tried-and-tested OPSEC.

From Check Point's perspective Log Exporter is the preferred integration going forward. Having worked with LEA for a while, I would say LEA provides more hooks, but it lacks one key thing that Log Exporter offers: mapping Check Point logs to another format (CEF, LEEF, Splunk (CIM), etc.).
Aside from LEA's lack of 64-bit support, one of the biggest challenges an integrator may have is mapping Check Point fields to their taxonomy. Currently our taxonomy isn't well defined or uniform across our products, i.e. one product may use a different field name from another product. We're working to better define our log fields (see Threat Prevention Log Field Documentation), but Log Exporter can also help by normalizing these fields into a common format. For example, see Log Exporter CEF Field Mappings.
| Our Field Names | CEF Field Name |
|---|---|
| redirect_url | request |
| resource | request |
| url | request |
P.S. regarding the upgrade question, you're probably aware of this, for others see (sk127653) How to backup and restore Log Exporter configuration on upgrade to R80.20/R80.20.M1 or as part of Ju...
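An added example, not Check Point's code: a minimal CEF:0 formatter and parser that applies the three renames from the table above and handles CEF escaping on both sides. Passing unlisted field names through unchanged and the header key names are assumptions made here; the sample record is the second CEF line from the tcpdump output quoted earlier in the thread.

```python
import re

# Field renames from the CEF mapping table quoted in this thread (Check Point
# name -> CEF name). Fields not listed are passed through under their original
# name, which is an assumption of this example, not a documented mapping.
CP_TO_CEF = {"redirect_url": "request", "resource": "request", "url": "request"}
HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")

def _esc_header(v):
    # In the CEF header only '|' and '\' must be escaped.
    return v.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v):
    # In extension values '=', '\' and newlines must be escaped; '|' must not.
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def _unesc(s):
    # Undo either escaping: '\x' -> 'x', except '\n' -> newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m[1] == "n" else m[1], s)

def to_cef(header, fields):
    """Render a Check Point log (header dict + field dict) as one CEF:0 line."""
    head = "|".join(_esc_header(header[k]) for k in HEADER_KEYS)
    ext = " ".join(f"{CP_TO_CEF.get(k, k)}={_esc_ext(str(v))}" for k, v in fields.items())
    return f"CEF:0|{head}|{ext}"

def parse_cef(line):
    """Split a CEF:0 line into (header dict, extension dict). Extension values may
    contain spaces, so a new key begins only at whitespace followed by 'key=';
    a repeated key (e.g. 'version' in the sample) keeps its last value."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 record")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:0|"):], maxsplit=6)  # unescaped pipes only
    if len(parts) != 7:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = {k: _unesc(p) for k, p in zip(HEADER_KEYS, parts)}
    ext = {}
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", parts[6]):
        ext[m[1]] = _unesc(m[2])
    return header, ext

# Constructed sample: the second CEF record in the tcpdump output quoted earlier.
SAMPLE = ("CEF:0|Check Point|Security Gateway/Management|Check Point|Log|Log|Medium|"
          "cp_severity=Medium deviceDirection=0 msg=Contracts outcome=Failed rt=1541504854000 "
          "loguid={0x5be18022,0x1,0x4820a8c0,0x3d1779fc} origin=192.168.32.72 sequencenum=2 "
          "version=5 failure_impact=Contracts may be out-of-date product=Security Gateway/Management "
          "reason=Server replied with no results. update_service=1 version=1.0")
```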
Hello,
I just recognized that after enabling Log Exporter on R80.10 management the feature started to export the logs of the past one day. After this has been completed, actual logs are exported as expected.
The problem is that the /opt/CPrt-R80/log_exporter/targets/SIEM/log/log_indexer.elg file is continuously growing at about a 500-600 bytes/5 s pace under "normal" circumstances (= no error messages, just info about the normal operation of Log Exporter) when the logs are exported.
You can see an example screenshot of the logs below.
First question: this growth consumes disk capacity under /opt (/dev/mapper/vg_splat-lv_current). Will this log_indexer.elg file be deleted or archived somehow automatically, or do I have to do it manually?
Second question: what does the message containing "SyslogTCPSender::shouldRetry: Socket: [14] was write-blocked" mean? Is it an error or..?
Thank you in advance!
That is the current design.
1. As with all debug logs, it allows only 10 of these and then the oldest one is deleted, so no worries about disk space.
2. This message is okay, it's meant for internal debugging purposes.