This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaloyan_Kirchev
Contributor
‎2019-07-16 01:05 AM

SmartEvent not showing accurate info

Hello Guys,

My Company has old CP 4800 with R77.30 which we are using for Security Checkups.

I have been doing this like 3,4 times but this it get....."stuck".

First I want to mention that I went through almost all articles last couple of days and did many troubleshooting steps but without any success.

So, last time when appliance was at client site 'gathering' network info it get very hot. This is because it was with 4GB of ram, so CPU was all the time like 98% utilization and same for the RAM.

Now, since yesterday(I was waiting weeks for delivery) it has 8GB of RAM.

So, my problem is that I had 8gb of log files but SmartEvent is showing 256MB for the last 2 weeks.

This is very strange. Bellow you can find some screenshots from:

1. #cpstat cpsead - seems ok but the number of analyzed logs still growing

cpsead.JPG

2. Number of logs:

smartlog.JPG

3. Lately SmartEvent crashes but report is empty - 0 in size

smrtevent.JPG

4. SmartReported DB - no logs/sec, status - processing

consolid.JPG

EVERY help will be highly appreciated!

I want to thank in advance for those who ever make an effort to read 🙂

P.S.: I do not want to update at that moment - just want to keep raw data logs which are VERY IMPORTANT.

If you have suggestion to how to do a clean/fresh/good install or refresh of the appliance saving the logs - will be perfect.

P.S.2: I have logs through WinSCP at my PC.

Have a nice day!

Greetings K.Kirchev!

 

 

7 Replies
-TJ-
Participant
‎2019-07-16 11:18 AM

It's not so much RAM as it is I/O.   If you're digging into your swap space, add RAM. 

Run the "top" command and check on the "0.0%wa".    If it's a big number, which is waiting for disk to become available,  you'll need to get off spinning disk and onto flash.

Then look into I would look into sk98757 

My SmartEvent server used to get stuck in a similar way.   It would show it was analyzing, but per the smartlog_server.elg, it wasn't proceeding to the next logs.   gets sort of stuck perpetually analyzing a particular log.   Once we essentially skip that one log file, it will become stuck another within minutes.   skip...stuck...skip.   It can take a while.    like a child learning to ride a bike... eventually it no longer needs my help.   It's DOING IT!! Look!

I've lost a few different days to this process.    There is also sk112336 which references a hotfix.   In reality, there isn't one.   Unless a support engineer blowing away $RTDIR/smartlog/data/FetchedFiles could be considered a hotfix.  

 

 

Kaloyan_Kirchev
Contributor
‎2019-07-17 12:52 AM
In response to -TJ-

Hello Thad,

thanks for the answer - obviously this is the situation but......

None of the fixes worked. In fact first is to "unindex" logs in SmartLog, second is to "index" them - mark complete(or maybe opossite). However now situation is the same, moreover I cannot open SmartEvent and there is an error in SmartMonitor:

smrtevent_monitor.JPG

Though logs analyzed still increasing.

Any other ideas?

 

Kaloyan_Kirchev
Contributor
‎2019-07-18 03:19 AM
In response to Kaloyan_Kirchev

Hi,

after having deep dive and look carefully I found this is the solution: sk105185.

Any idea about hotfix for this? Or should contact CP support?

Regards, K.Kirchev!

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-18 07:23 PM
In response to Kaloyan_Kirchev

If a hotfix is referred to, get TAC involved.
That said, you definitely want more RAM in that box.
Kaloyan_Kirchev
Contributor
‎2019-07-18 11:34 PM
In response to PhoneBoy

Hi guys,

everything is wrong with this device.

SmartEvent keep showing me same amount of data, which is totally wrong!

apps.JPG

I have tried every troubleshooting step. Yesterday I updated appliance with hotfix.

Today even deleted eventia DB. No idea what to do next.

Also I Re-enabled SmartEvent Consolidation - DB started to learn new events but now again it....stuck!

1. Upgraded to 8 GB of RAM.

2. Refereed to this sk105185 than sk106162.

3. Done couple of Offline jobs in SmartEvent and even they did not show any events.

I am doing this whole week.

PLEASE give any ideas? Could I upgrade it to R80.10 directly or somehow flush SmartEvent info or....I do not know.

Thank you very much to all of who responded!

Have a nice day!

Kaloyan_Kirchev
Contributor
‎2019-07-21 11:30 PM
In response to Kaloyan_Kirchev

Hello Guys,

First I want to thank to all of you who read and responded so quickly.

Second - I finally got solution to this THANKS to Andrei Popisteru(Checkpoint).

In 3 easy and simple steps:

1. Export logs from R77.30

2. Import them in R80.30(VM, where SmartEvent was installed)

3. Reindex them and made reports

That's it.

Regards!

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top