R80.10 log server question
Hello Mates,
In R80.10 I am researching how to separate a policy management and log server into two separate VMware hosts and manage/view both using one SmartConsole session. In R77.30 I just configured the gateway to send logs to the log server and connected SmartView Tracker to this server.
But in R80.10 I am not sure how to see the logs from the dedicated log server when connected to the policy management server with SmartConsole.
Maybe it's very easy and simple but I did not find a howto or sk about that scenario.
Any hint is appreciated.
Hopefully it's clear what I want to achieve
Cheers
Vincent
Vincent,
1. Install GAIA as Open Server from ISO on a sufficiently large virtual HDD. Configure partitions to reflect anticipated utilization, when prompted.
2. During the First Time Configuration Wizard, select "Security Management" only, and then "Log Server".
3. Create a Check Point host:
4. Go to its "Management" tab and select your logging functions:
5. Enter its Hostname and IP and initialize SIC:
6. Once SIC is initialized, verify that the gateway you are logging from is listed in the host's "Logs" section and enable Indexing (this requires ample space on the allocated virtual HDD and preferably four vCPU cores).
7. Open your gateway's properties and verify that the log server is the one selected there:
Cheers,
Vladimir
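The object and SIC steps above can also be driven through the Management API instead of SmartConsole. The following is an added example, not code from the thread or from Check Point: it builds the same sequence (login, add a Check Point Host with only the Logging & Status blade and a SIC one-time password, point each gateway's log target at it, publish, logout) as API calls, with the HTTP transport injected so the flow can be exercised offline against a constructed fake. All host names, IP addresses, the one-time password and the session id are placeholders. The `logs-settings.send-logs-to-server` field used for step 7 is an assumption taken from newer API versions; verify it against the API reference for your release (R80.10 ships API 1.1) before relying on it.

```python
"""Added example: Check Point Management API sequence for a dedicated log server.
Not from the original thread. Names, addresses and the OTP are placeholders."""

API_PREFIX = "/web_api/"
FAKE_SID = "constructed-sid-0001"   # constructed session id returned by the fake transport


class MgmtApiSession:
    """Thin client: every command is a POST to /web_api/<command> with a JSON body;
    after login the session id travels in the X-chkp-sid header.
    `post(path, headers, body)` is injected so the same code can run against a real
    HTTPS transport or the offline fake below."""

    def __init__(self, post):
        self._post = post
        self.sid = None
        self.calls = []          # (command, payload) in the order they were sent

    def cmd(self, command, **payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        resp = self._post(API_PREFIX + command, headers, payload)
        self.calls.append((command, payload))
        return resp

    def login(self, user, password):
        self.sid = self.cmd("login", user=user, password=password)["sid"]
        return self.sid

    def logout(self):
        resp = self.cmd("logout")
        self.sid = None
        return resp


def define_dedicated_log_server(api, name, ip, otp, gateways):
    """Steps 3 to 7 above as API calls. The host object gets only the
    Logging & Status blade (network-policy-management stays off, so it does not
    become a second management server / CA), the SIC one-time password is set on
    the object, and each gateway is pointed at it as its log server."""
    api.cmd("add-checkpoint-host", name=name, **{
        "ip-address": ip,
        "management-blades": {
            "logging-and-status": True,
            "network-policy-management": False,
        },
        "one-time-password": otp,
    })
    for gw in gateways:
        # ASSUMPTION: logs-settings.send-logs-to-server is documented for newer
        # API versions (R81.x). Confirm it exists in your release's API reference.
        api.cmd("set-simple-gateway", name=gw,
                **{"logs-settings": {"send-logs-to-server": [name]}})
    return api.cmd("publish")


def fake_post(path, headers, body):
    """Constructed offline stand-in for the HTTPS transport. It enforces the one
    thing a real server would: every command except login needs a valid sid."""
    command = path[len(API_PREFIX):]
    if command == "login":
        return {"sid": FAKE_SID}
    if headers.get("X-chkp-sid") != FAKE_SID:
        raise PermissionError("missing or wrong X-chkp-sid for " + command)
    if command == "publish":
        return {"task-id": "constructed-task-id"}
    return {"name": body.get("name"), "uid": "constructed-uid"}


def run_example(post=fake_post):
    """Full session against the injected transport; returns the ordered call log
    so the sequence and payloads can be inspected or asserted on."""
    api = MgmtApiSession(post)
    api.login("admin", "placeholder-password")
    define_dedicated_log_server(
        api,
        name="LogServer-DC1",            # placeholder object name
        ip="192.0.2.20",                 # placeholder (TEST-NET-1) address
        otp="placeholder-sic-otp",       # placeholder one-time SIC password
        gateways=["gw-cluster", "gw-member-a"],   # placeholder gateway objects
    )
    api.logout()
    return api.calls


if __name__ == "__main__":
    for command, payload in run_example():
        print(command, {k: v for k, v in payload.items() if k != "password"})
```

To run it for real, replace `fake_post` with a function that does `requests.post("https://<mgmt>" + path, headers=headers, json=body, verify=<ca-bundle>)` and returns the parsed JSON; `publish` returns a task id that you poll with `show-task` before installing policy.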
Hello Vladimir,
great, thanks a lot. This is what I had in mind as well.
And the "Logs & Monitor" section of the SmartConsole will then automatically display logs from this dedicated log server, right? I want to disable logging on the Network Policy Management Server itself.
Fine, so this won't be very difficult
Cheers
Vincent
There is also the need to license this new deployment to make it work. I think you will have to contact your sales rep for a log server management container and attach the Logging Blade there (or let Account Services do that).
I think there is already a license for a secondary Management, so logging should be covered. Thanks
Very good, then you are licensed already and only have to deal with the tech side 😉
Cool. Licensing stuff is annoying
Quite right you are - but still, these licenses do pay my cost of living, so they can not be bad altogether 😉
Licensing stuff pays nothing for me. I just do professional Services 😉
I believe that the discovery of the log server(s) by SmartConsole is happening in the background and the management server you are connecting to is aware of distributed functionality by means of SIC. Therefore logging and monitoring should be directed to additional log servers, SmartEvent servers and Log Correlation Units.
Guenther, can you verify this supposition?
I would say that the Log Server(s), SmartEvent Server and Log Correlation Units are defined in Dashboard. In the SMS object, you see which GWs are currently logging to this SMS. In the GW object, you find the other options like local logging.
Should I also select this setting for my management server to send logs to my dedicated log server? Could this be why I am not seeing logs from just my SmartConsole when logged into the management server?
Currently no options for logging have been selected on our Management server.
Your dedicated log server should be defined as a target in all other Check Point components you want to log to it.
In case of the management server, this should forward the audit logs. Normal traffic logs should be sent from the gateways.
What is the target for the logs on your gateway(s)?
The log target for the cluster and the individual members is our log server.
When you launch SmartConsole to the management server and click on the Logs pane, by default logs from all devices with the Logging blade enabled will be displayed, no additional action is necessary. On the right side there will be an option to see logs only from specific log servers if you wanted to drill down. Note that this option will not appear unless you have more than 1 device with the logging blade enabled in your environment.
In my experience there can occasionally be an error stating a log server is disconnected even though all devices are up in environments with multiple servers. (sk119912).
This is exactly what I wanted to be clarified.
Thank you very much Alejandro. *thumbsup*
And there will be just one log server. The policy management server's log server will be disabled.
I'd recommend leave the logging blade enabled if possible even though it won't be in use. Even if your firewalls aren't logging to it there are some logging activities written (policy install history, dashboard login/logouts) on the management server that are important. You also have the option to configure the gateways to log back to the management server in case the log server goes down by keeping the blade enabled. I do know that log indexing needs to stay on (sk119335). It wouldn't surprise me that it would be a requirement to keep the blade enabled on a management server but you'd have to look through admin guides to confirm. Just building my case here that I wouldn't disable the blade if possible, I've seen that "Log server is disconnected" error a million times (search support center) and I try not to tinker with what works:)
Good point, you're right. I think it will be best to leave it enabled and configure the gateways to log to mgmt in case of a log server outage.
Thanks for pointing me to that.
I did the following setup for our environment, where we have two MDS in different datacenters. Logs are sent to both servers all the time. So in case of any outage/unavailability of the primary server we would have all logs on the secondary, but not only from the time when firewalls discovered that the main server is not reachable.
As it is R77.30 version, I enabled log indexing (SmartLog) only on the secondary server, to save some hardware resources on the primary. If I choose to open SmartLog from a drop-down menu at the top of SmartConsole it will connect me to the secondary server right away.
And I totally support you with the very good option for Vincent Bacher to leave the logging blade enabled on the main management server, and use it as a backup option in case the separate log server is unavailable.
We set up our environment like this when we migrated to R80.10. However, when we try to view the logs from our management we get the error "Requested object not found". If I try to open a log file it errors with "Log server is disconnected". I know our log server is working properly because we are receiving logs and are able to view them by opening a second SmartConsole and logging in, but we would like to only have to log into a single SmartConsole instance.
It looks like you've set up your second log server as a new management server. In this case, it will become its own CA and will require an independent logon.
You should rerun the first time installation wizard, configure Gaia as a management Secondary, create a Check Point Host object, select the "log server" blade on it and configure SIC communication.
Thank you Vladimir. By rerunning the first time installation wizard, will I still retain all stored logs?
I am not certain. Please backup the logs before proceeding and take a snapshot for good measure.
Make doubly sure that the server you are resetting is NOT actually managing any gateways.
Vladimir Yakovlev
973.558.2738
vlad@eversecgroup.com
I will definitely do this. Is there any way that you know of to validate that our log server was set up as a new management server, which would establish it as a CA?
Log into it with SmartConsole.
If you can define rulebases and network objects, then it's a management server.
Thank you Dameon. I do not have any options to add objects or define rulebases, only access to the Logs & Monitor tab. Looks like our log server was set up correctly then. Now I am at a loss.
Alastair,
Please check if the Log Indexing is enabled on all of your log servers:
Check out pages 3-7 in this document: https://community.checkpoint.com/docs/DOC-2333 where I have outlined the multi-site and multi-server architecture. You may find it handy even if it does not match your environment.