Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dan_Lynch
Participant

Tracker vs SmartConsole Logs and Monitor view

The thread in which we detail the ways SmartConsole's integrated SmartView log viewer could be improved by comparing it with features that were lost when Tracker was deprecated. Please add your own, or offer workarounds for missing features.

- Custom queries saved in Tracker include active columns, column width and placement, name/service resolution settings. SmartView does not.

- Resolve IP and Resolve Service can be enabled separately in Tracker, but not in SmartView.

- In Tracker with resolve disabled, hover over an IP or service resolves the entry. SmartView does not, unless the column-width is set too narrow to view an entire IP address or service field, only then it will resolve on hover-over.

- Using more than about three filters in SmartView causes the filters to fail unpredictably.

- Tracker can scroll to the beginning or end of a view ("Go to top" and "Go to bottom" arrow buttons). In SmartView you must manually scroll down as new events are loaded and you may never find the end.

- Keyboard Home, ctrl-Home, End and ctrl-End works in Tracker to scroll to the top or bottom of a page or filtered view. SmartView doesn't respond to those keys.

- Switching to any other Console tab (e.g., Security Policies, etc.) then back to Logs and Monitor causes the view to reset to the top, rather than keeping your place in the log view. (This can be resolved only by undocking the log view.)

- Tracker's "Get number of filtered records" is gone.

- The bottom and side panes are always open by default. I never use them so always just want them out of the way.

- Maybe this is out of scope (it's more SmartCenter server - or whatever that's called in this product rev - rather than log viewer utility), but the ability to manually configure when your logs roll was nice. Now it's daily at midnight and the system ignores any other log rotation setting you give it.

- Probably also out of scope, but Tracker with a day's log files open = 135MB RAM; SmartConsole = 1GB or more, depending on the number of views opened.

13 Replies
PhoneBoy
Admin
Admin

Some of this is planned to be addressed in later releases.

Some of this also comes from the fact that SmartView Tracker only opened ONE log file, whereas SmartConsole R80.x looks across many log files and scrolling to the bottom might be...quite a ways down.

Using more than about three filters in SmartView causes the filters to fail unpredictably.

If you can reproduce this consistently, please open a TAC case.

Maybe this is out of scope (it's more SmartCenter server - or whatever that's called in this product rev - rather than log viewer utility), but the ability to manually configure when your logs roll was nice. Now it's daily at midnight and the system ignores any other log rotation setting you give it.

I thought you could set it rotate more frequently than once a day, but you are correct in the sense that it will always rotate at midnight.

In any case, we appreciate the feedback.

It's possible the R&D folks who will see this will have some questions related to your feedback.

0 Kudos
Dan_Lynch
Participant

More:

- While you can hide a column easily in SmartView, you can't add a column to your view without saving a new profile. I now have 8 profiles named adhoc[1-8] that I've used once.

- Some columns aren't searchable at all (i.e., "Message" for example), even though right-click offers "Add to filter".

- Some columns that *are* searchable don't allow you to enter a field filter unless you find an entry with a value in that field, otherwise right-click the column head and "Add filter" is grayed out

- In Tracker you could filter a column on "Non-empty values", but that function is gone in SmartView.

- Right-click "Report log to Checkpoint" is broken intermittently, even after hotfix from sk122217 is installed

- Maybe more a SmartEvent issue than SmartView, but file emulation reports can't be saved as PDF anymore at all, and HTML saves lose formatting/elements so can't be used for submitting false positives (the team that handles that rejects them)

Graham_Elwood2
Explorer

Any further news on this.  I really miss the ability to scroll up and down the logs - if that is never coming back, can something at least be written to jump to top and jump to bottom ?

Any updates arriving not mentioned here ?

When is the next update to smatlog coming ?

Many Thanks

0 Kudos
PhoneBoy
Admin
Admin

SmartView Tracker only worked with one log at a time, and as such jumping to the top and/or bottom makes some sort of sense.

SmartLog works with all the logs at once.

In that context, the top still makes sense (most current logs), but what would the bottom be?

Understanding the "why" behind this request is helpful as well.

Note that we make updates to log viewing with every management release.

SmartView (https://management-ip/smartview), which got a significant upgrade in R80.20.M1, is what is ultimately going to replace the Logs and Reporting part of SmartConsole.

0 Kudos
Dan_Lynch
Participant

>> SmartLog works with all the logs at once.

All the logs that currently exist with indexes on the management server, that is. Unless you have infinite storage space, that's a finite amount of logs with a beginning and an end.

>> what would the bottom be?

Storage considerations force me to delete logs and their indexes over 90 days old. The bottom then is the last log <90 days old.

>> Understanding the "why" behind this request is helpful as well.

When I note a pattern of unusual traffic one of the first questions I ask is "when did this start"? That was a pain to answer in Tracker, but it's impossible now.

0 Kudos
Graham_Elwood2
Explorer

Ok, lets try and put it a different way.

Is it possible to provide the logs just in the old format - access logs only.  Disregard others (no idea if they all so intertwined now).  You then have a Beginning and end point, as Dan says above (and I had the very issue earlier today), some traffic happened, no one is sure when, they know it happened to "source ip" I pop in some educated guess of dates, which may or may not have the information I'm looking for it was great to take the "slide bar" and traverse from the top of the resultant logs to 50% way through it, or 75% or 10% to see if the logs were happening.  The speed which it could do this was the useful thing, plus you had some idea of a start and an end point. 

There is no slide bar that is usable, as there is no "end" so all you can do is scroll up or down to the next page, that takes a fairly long time just to get to the next page.  

So I can provide a "start/end date, but I still don't know if what traffic I'm looking for is in it, all the info i might have is source ip and a general "it maybe stopped working last month or maybe 6 months ago".  I had to mess about putting different dates in to try and find it - tedious as you then have to scroll down page by page (slowly) to see if the traffic is there and you give up after scrolling through a few pages and not finding any results.  Move on to the next period of dates and rinse repeat.

If that is possible in the new logging mechanism, in and easy, quick way please advise as I'm missing something if it is.

If it's not is there someway of providing the logs in the old format, or do I just have to remember to drag out r80.10 smart tracker and hope that works - only just remembered that still existed - maybe that will still work as I'd hoped above, but I guess support for tracker will die soon ?

Anyways so not to be totally negative, I like R80.10 a lot it has some great features, object search and jumping to rules from logs works a treat - just a little bit of logging isn't one of them Smiley Happy

Keep up the good work.

0 Kudos
PhoneBoy
Admin
Admin

All blade logs are intertwined, always have been.

SmartView Tracker is still there, as you noted.

I am curious, do you have the same experience in SmartView versus using Logs and Reporting in SmartConsole?

0 Kudos
Graham_Elwood2
Explorer

Apologise if I sound obtuse, just trying to verbalise something that I just did without thinking.

If smartview Tracker can pull the info and display it - why can't smart console ?

I have been using "smart view" since the old days when it was called what it was "log viewer" , checkpoint 4.1 so yes I've become accustomed to the way it worked, specifically how you could scroll though 14 million logs in 3 seconds (I mean drag the scroll down from top to bottom) still had to wait for the database to catch up, but as far as I've seen not able to do a quick scroll through a massive amount of logs just to look for something that might or might not be there, and your not sure what it is your looking for.  Vague yes, 100% succesful no, but it used to be worth a try.  Now just don't do it and I've only found a way to find some issue in a large amount of logs is manually reduce the times and see if you can see it (given up just scanning through logs).

And there is some great stuff in smart console logging, the free text search, the search for a "src:" is sometimes far easier/faster than locating it in logs.  It works great with showing rules of line your viewing. the time options are great a quick look previous hour or previous week is handy.

As I say if I've missed something obvious (no training on R80.10, just dropped into it) and there is a way to do it or similar without resorting to tracker if someone can educate me I'd love it.  I know we aren't ever going back to tracker, but it would be nice if we could have a "tracker view".

So new stuff isn't a negative, but sometimes part of the old stuff worked great for certain things.

Thanks

0 Kudos
PhoneBoy
Admin
Admin

SmartLog/SmartView has no ability to view a single log file the same way SmartView Tracker can, which I think is the fundamental issue here. 

SmartView is actually web-based and may perform differently, which is why I explicitly asked about it: https://management-ip/smartview

0 Kudos
Graham_Elwood2
Explorer

That last one and this one was actually to Dameon, haven't got the hang of these forums yet Smiley Happy

0 Kudos
Graham_Elwood2
Explorer

PS I had to go back and look up old nokia equipment IP numbers, oh the days Smiley Happy

0 Kudos
Robin_H
Contributor

Hi!

This was the first discussion I found regarding SmartConsole Logs. Two years old, anybody still reading this?

Unfortunately most mentioned issues haven´t change since then.

My main issues with SmartConsole Logs viewer:
- I open it, the inital search results come up and I have to manually switch to my preferred columns profile (using a favorite query).
- When I look at the search results and want to scroll down, I click to the lower area of the vertical scroll bar. Next thing happening is the Logs starts to scroll down several pages, loading additional results and I have to manually scroll back up.

Other issue (has been mentioned):
Bottom area with "URLS/Files" always shows up, side area with "Tops/Log Servers" always shows up.
I mainly do firewall rule trouble-shooting, first thing I do is minimizing those two.

SmartView Tracker opens in a different window by default, Logs has to be undocked manually every time. Would be great if there´s an option to undock by default.

(all conducted in SmartConsole Build 114 in an R80.20 environment)

 

Regarding the web-based Smartview (on a R80.20 Smart-1 appliance):
I can´t say much about the usage as the most rudimentary feature is missing for me:
No columns for xlate NAT and VPN of any kind (yes, these things are shown in the individual log entry. But to see a behavioral pattern, a column view is much preferred!)
Other than that: also no favorite columns profile set by default.

One good thing: The Statistics pane on the left side can come in handy if one searches for odd traffic!

 

Any news and further development on these things are much appreciated!

0 Kudos
Amir_Senn
Employee
Employee

Hey @Robin_H  , I hope I can help you with some of your issue.

-Automatic column profile changes the columns depending on which blade has the most logs in the initial query. For changing column profile try right click on the head of column -> choose any manual column profile. This will be set for this specific logs tab so unless you close it and open another it will remain.

-Logs view load 50 logs at a time and start to load logs when you reach the bottom of the current list. I don't know what causes the issue for you but you can try the other logs view we have that is accessible via https://<Mgmt/Log_Server_IP>/smartview

The web log viewer also doesn't have the URL tab and docked logs.

If you have missing column profiles you can add them manually by (in web log viewer) Right click head of column -> Profile editor. Put whichever fields you need and save it.

Favorite queries will come soon. We're working on it along with other features for the web logs viewer.

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events