Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
the_rock
Legend
Legend

Unable to see any log files from dashboard after upgrading management to R81

Hey guys,

Hope someone can give feedback on this. I helped customer upgrade their mgmt server from R80.10 -> R80.40 -> R81, but ever since then, we cant see any logs at all if we try to open a log file via "logs and settings". Now, if you open old school smartview tracker, all log files are showing there just fine.

I also tested this in my R81.10 freshly installed lab (mgmt and 2 gateways on same version) and have exact same problem. I read below post, but not clear to me if this indeed is a limitation or if it can be fixed? Now, just to be clear, logs are being sent from their cluster to mgmt, no issues, and they do rotate at midnight as expected, we just cant see any log files. Logs themselves do show up when you pop up new log tab in dashboard,

Solved: Cannot view previous logs after upgrade to R81 - Check Point CheckMates

I attached the screenshot as well.

Thanks as always for any input/feedback.

16 Replies
Amir_Senn
Employee
Employee

Hey,

I saw you kudoed my response to a similar issue, did you try the solutions in it?

"

2) Make sure to use the install database command on all the servers post upgrade.

3) If the other stuff won't help, please try to restart the indexer on your servers with " stopIndexer ; startIndexer "

"

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend

Hey @Amir_Senn ...yes, tried it, but no luck. Did cpstop/start, rebooted, installed database, also tried below, no luck. I dont know if this is expected, but its just odd if it is.

# stopIndexer

# rm /opt/CPrt-R81.10/log_indexer/data/FetchedFiles

# rm -r /opt/CPrt-R81.10/log_indexer/data/CpmiLocalCopy

# startIndexer

0 Kudos
Amir_Senn
Employee
Employee

Do you happen to have NAT configuration on any of those servers?

This doesn't reproduce in my lab. I suggest to contact TAC for support.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend

No NAT at all...my lab, mgmt and both gateways are on exact same subnet. I opened TAC case last week, but so far, no useful advice at all. I think they escalated it to Tier 3 Friday, so will see whats suggested next. But, my question is this...is it EXPECTED behavior?

0 Kudos
Amir_Senn
Employee
Employee

You should be able to see the log files, this is not expected.

IMO the log file query fails for some reason so it doesn't bring results. Unclear what causes this.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend

Btw, also followed this in my lab, so will give it 24 hours to see if it does anything...though when I did it for customer, it made absolutely no difference.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Amir_Senn
Employee
Employee

This is expected if upgrading from R80.xx to R81 since SOLR version had changed between versions but logs that arrive after the upgrade are indexed with the new SOLR and should appear.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend

Thats the problem, my friend : - ). I know us IT people always use that word "should", lots of stuff should work, but it does NOT. I even checked 5 days after upgrade, not single log file shows in R81 dashboard, but they do in tracker. I have exact same bahavior, though I never upgraded.

0 Kudos
Ruan_Kotze
Advisor

Any chance sk175223 is applicable?  Ran into this issue with several upgrades already.

Thanks,
Ruan

0 Kudos
the_rock
Legend
Legend

Good try, but sadly, not applicable. Funny enough, customer had that exact problem initially after upgrade, so we fixed it by running the sk you sent, but that unfortunately does not fix the old logs not showing issue.

Cheers,

Andy

0 Kudos
LOcfemia
Participant

Hi, are you using Portable SmartConsole? We had this problem after upgrading from R80.20 to R80.40 and fixed it by installing SmartConsole.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

As you are running on R81.10, you SHOULD ( 🙂 ) have always up-to-date SmartConsole, as starting from R81.10 there is automatic update of the latest build... But anyway, lets check if you have installed the latest build of R81.10 SmartConsole. Maybe try also portable version, just in case.

In addition, did you check logs in SmartView (https://mgmt-IP/smartview) ? Do you see logs there?

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend

Thanks to everyone who responded, but no luck...TAC asked me to run cpm doctor (why, I have NO CLUE, as it makes no logical sense to me, since there are never issues with any process or database at all). I am using latest 402 build of R81.10 dashboard and I also tried portable version, same issue. If I disable indexing and install database, I ONLY see latest fw log, but no other logs, but yet they show just fine in smartview tracker.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

Please let us know the resolution once TAC will find the root cause of this strange issue.

Kind regards,
Jozko Mrkvicka
the_rock
Legend
Legend

I will definitely update. Lady from TAC sent me below steps, but I already knew it wont do much, as issue is that raw logs cant be seen in R81 console, not indexing problem.

1. On the Mgmt server run: # cpstop

2. Remove all old files:
# rm -r $RTDIR/log_indexes/other*
# rm -r $RTDIR/log_indexes/audit*
# rm -r $RTDIR/log_indexes/firewallandvpn*
# rm -r $RTDIR/log_indexes/smartevent                                                            
# rm $INDEXERDIR/data/FetchedFiles

3. After all of the files are removed, run: # cpstart

0 Kudos
the_rock
Legend
Legend

Appears this is the solution...I am just waiting for TAC to confirm which files exactly am I supposed to get rid off.

Andy

Able to view and open log files from legacy SmartView Tracker, but unable to view log files from Sma...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events