Smart-1 600-S server acting as main log server

Joe_Kanaszka

Morning all!

Running R81.20 Take 53

2 node active/standby cluster

SmartEvent (log server) running on a Smart-1 600-S appliance

Management server is running in a VM (backup log server)

2 questions.

I've recently been looking at my log settings as I'm seeing a pop-up in SmartConsole that my /opt partition is under 2GBs. I don't know where this alert is referring to as I've checked my disks using df -h and also looked at the system information information in SmartView Monitor...
If I look at $FWDIR/log on both of my security gateways, I'm seeing a ton of logs like this:

Aug 2 23:59 2024-08-03_235900.logaccount_ptr
Aug 2 23:59 2024-08-03_235900.loginitial_ptr

Why are these logs being stored here and ALSO on my log server?

Thanks guys

Here are some additional issues I may have found:

I've looked in the R81.20 admin guide for configuring logging and found this article - but I do not see the options it is describing:

Also It does not appear I'm forwarding the logs from my gateways even though I'm seeing the logs on my two log servers...

Amir_Senn

Hi,

1. Would check on both SMS and on log server/SmartEvent

2. You might have local logging at time. This could be caused of servers are not available, connectivity issues, heavy load of logs etc. To solve this, I would go to all gateways/clusters objects you have, go to Logs -> Additional Logging , in there activate log forwarding to your log server and select a time for this. This should take care of this.

Kind regards, Amir Senn

Joe_Kanaszka

Thank you Amir.! Please do me a favor a take a look at my screenshots above. In the second screenshot it says "Send a copy..."

So does this mean that the logs are stored on the security servers and the log server?

the_rock

Hey brother, thats exactly what it means, yup.

Andy

Joe_Kanaszka

Thanks Andy! So what's the point of having a log server if the logs are going to be stored on the gateway anyway?

Sorry - here's the screenshot I was referring to from my cluster object:

the_rock

Hey Joe,

So one way to be 100% positive fw is NOT logging locally is below command.

watch -d ls -lh $FWDIR/log/fw.log (ctrl+c to stop)

Leave it for 30 seconds or minute or so, if it stays at 8.2K, that without any doubt proves its NOT logging locally, but to the log server.

Andy

Joe_Kanaszka

Thanks Andy - my fw.log file on my security GW is at 8.3K. (I didn't stop using the command)

Why do I have all these old .log, .logaccount_ptr, and loginitial_ptr files on my security GWs?

Aug 25 23:59 2024-08-25_235900.log

Aug 24 23:59 2024-08-25_235900.logaccount_ptr

Aug 24 23:59 2024-08-25_235900.loginitial_ptr

the_rock

Is it in same dir? $FWDIR/log?

Joe_Kanaszka

Yes.

/opt/CPsuite-R81.20/fw1/log

the_rock

I have bunch of those as well. But, my fw.log file ALWAYS shows 8.2 K, which tells me 100% its NOT logging locally, otherwise, that file would be growing rapidly.

Andy

Are you a member of CheckMates?

Smart-1 600-S server acting as main log server