This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2021-12-20 06:06 AM

Unable to see any log files from dashboard after upgrading management to R81

Hey guys,

Hope someone can give feedback on this. I helped customer upgrade their mgmt server from R80.10 -> R80.40 -> R81, but ever since then, we cant see any logs at all if we try to open a log file via "logs and settings". Now, if you open old school smartview tracker, all log files are showing there just fine.

I also tested this in my R81.10 freshly installed lab (mgmt and 2 gateways on same version) and have exact same problem. I read below post, but not clear to me if this indeed is a limitation or if it can be fixed? Now, just to be clear, logs are being sent from their cluster to mgmt, no issues, and they do rotate at midnight as expected, we just cant see any log files. Logs themselves do show up when you pop up new log tab in dashboard,

Solved: Cannot view previous logs after upgrade to R81 - Check Point CheckMates

I attached the screenshot as well.

Thanks as always for any input/feedback.

Preview file
85 KB
16 Replies
Amir_Senn
Employee
Employee
‎2021-12-20 06:53 AM

Hey,

I saw you kudoed my response to a similar issue, did you try the solutions in it?

"

2) Make sure to use the install database command on all the servers post upgrade.

3) If the other stuff won't help, please try to restart the indexer on your servers with " stopIndexer ; startIndexer "

"

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend
‎2021-12-20 06:55 AM
In response to Amir_Senn

Hey @Amir_Senn ...yes, tried it, but no luck. Did cpstop/start, rebooted, installed database, also tried below, no luck. I dont know if this is expected, but its just odd if it is.

# stopIndexer

# rm /opt/CPrt-R81.10/log_indexer/data/FetchedFiles

# rm -r /opt/CPrt-R81.10/log_indexer/data/CpmiLocalCopy

# startIndexer

0 Kudos
Amir_Senn
Employee
Employee
‎2021-12-20 07:12 AM
In response to the_rock

Do you happen to have NAT configuration on any of those servers?

This doesn't reproduce in my lab. I suggest to contact TAC for support.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend
‎2021-12-20 07:15 AM
In response to Amir_Senn

No NAT at all...my lab, mgmt and both gateways are on exact same subnet. I opened TAC case last week, but so far, no useful advice at all. I think they escalated it to Tier 3 Friday, so will see whats suggested next. But, my question is this...is it EXPECTED behavior?

0 Kudos
Amir_Senn
Employee
Employee
‎2021-12-20 07:30 AM
In response to the_rock

You should be able to see the log files, this is not expected.

IMO the log file query fails for some reason so it doesn't bring results. Unclear what causes this.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend
‎2021-12-20 07:30 AM
In response to Amir_Senn

Btw, also followed this in my lab, so will give it 24 hours to see if it does anything...though when I did it for customer, it made absolutely no difference.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Amir_Senn
Employee
Employee
‎2021-12-20 07:41 AM
In response to the_rock

This is expected if upgrading from R80.xx to R81 since SOLR version had changed between versions but logs that arrive after the upgrade are indexed with the new SOLR and should appear.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend
‎2021-12-20 07:43 AM
In response to Amir_Senn

Thats the problem, my friend : - ). I know us IT people always use that word "should", lots of stuff should work, but it does NOT. I even checked 5 days after upgrade, not single log file shows in R81 dashboard, but they do in tracker. I have exact same bahavior, though I never upgraded.

0 Kudos
Ruan_Kotze
Advisor
‎2021-12-20 09:22 AM

Any chance sk175223 is applicable?  Ran into this issue with several upgrades already.

Thanks,
Ruan

0 Kudos
the_rock
Legend
Legend
‎2021-12-20 09:26 AM
In response to Ruan_Kotze

Good try, but sadly, not applicable. Funny enough, customer had that exact problem initially after upgrade, so we fixed it by running the sk you sent, but that unfortunately does not fix the old logs not showing issue.

Cheers,

Andy

0 Kudos
LOcfemia
Participant
‎2021-12-20 09:20 PM
In response to the_rock

Hi, are you using Portable SmartConsole? We had this problem after upgrading from R80.20 to R80.40 and fixed it by installing SmartConsole.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2021-12-20 10:32 PM

As you are running on R81.10, you SHOULD ( 🙂 ) have always up-to-date SmartConsole, as starting from R81.10 there is automatic update of the latest build... But anyway, lets check if you have installed the latest build of R81.10 SmartConsole. Maybe try also portable version, just in case.

In addition, did you check logs in SmartView (https://mgmt-IP/smartview) ? Do you see logs there?

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend
‎2021-12-21 06:13 AM
In response to JozkoMrkvicka

Thanks to everyone who responded, but no luck...TAC asked me to run cpm doctor (why, I have NO CLUE, as it makes no logical sense to me, since there are never issues with any process or database at all). I am using latest 402 build of R81.10 dashboard and I also tried portable version, same issue. If I disable indexing and install database, I ONLY see latest fw log, but no other logs, but yet they show just fine in smartview tracker.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2021-12-22 04:15 AM
In response to the_rock

Please let us know the resolution once TAC will find the root cause of this strange issue.

Kind regards,
Jozko Mrkvicka
the_rock
Legend
Legend
‎2021-12-22 11:50 AM
In response to JozkoMrkvicka

I will definitely update. Lady from TAC sent me below steps, but I already knew it wont do much, as issue is that raw logs cant be seen in R81 console, not indexing problem.

1. On the Mgmt server run: # cpstop

2. Remove all old files:
# rm -r $RTDIR/log_indexes/other*
# rm -r $RTDIR/log_indexes/audit*
# rm -r $RTDIR/log_indexes/firewallandvpn*
# rm -r $RTDIR/log_indexes/smartevent                                                            
# rm $INDEXERDIR/data/FetchedFiles

3. After all of the files are removed, run: # cpstart

0 Kudos
the_rock
Legend
Legend
‎2022-01-04 04:47 PM
In response to JozkoMrkvicka

Appears this is the solution...I am just waiting for TAC to confirm which files exactly am I supposed to get rid off.

Andy

Able to view and open log files from legacy SmartView Tracker, but unable to view log files from Sma...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events