This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
drmusin
Explorer
‎2025-06-24 07:50 AM
Jump to solution

Unable to view historical Audit Logs after migration from R80.40 to R81.20

After upgrading the Security Management Server (SMS) from R80.40 to R81.20, I proceeded with upgrading the Log Management Server (LMS) to the same version. The LMS upgrade was completed successfully, including the physical transfer of all audit log files (adtlog) to the new server.

All actions were performed in accordance with the official SK documents: sk107459 and sk111766. However, after the migration, issues arose when attempting to view historical logs via SmartConsole.

I require access to audit logs covering the past four years. When attempting to increase the log indexing retention period to accommodate this range, the system becomes unstable:

  • The SOLR service crashes;

  • LMS stops functioning properly — it no longer indexes log files and fails to display any logs in SmartConsole, including current ones;

  • As a result, viewing both historical and recent logs becomes completely impossible.

Is there an alternative method to re-index old audit logs without increasing the indexing retention period globally? Any suggestions or best practices for handling long-term audit log access under R81.20 would be appreciated.

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-06-25 10:55 AM
Jump to solution

SOLR version has been upgraded in R81 (and above) and logs do need re-indexing before you can view them.

You can view them by opening the log file manually:

5.PNG

 

You can also try to follow the following SK and change with extended log policy only the audit logs section:

https://support.checkpoint.com/results/sk/sk117317

 

Kind regards, Amir Senn

View solution in original post

(1)
5 Replies
PhoneBoy
Admin
Admin
‎2025-06-24 08:42 AM
Jump to solution

Not sure this is possible; I suggest working with your local Check Point office on a possible RFE.

In terms of out-of-the-box thinking, you might try copying just the audit logs to a new VM on a trial license and set the indexing for the required period: https://support.checkpoint.com/results/sk/sk107459 
Since no other logs will be indexed, perhaps solr will behave a bit better.

0 Kudos
(1)
the_rock
MVP Gold
MVP Gold
‎2025-06-24 09:32 AM
Jump to solution

I would open TAC case to see if they can help with this.

Andy

0 Kudos
garrod
Contributor
‎2025-06-24 11:26 PM
Jump to solution

Refer to this and run reindexing.

 

https://support.checkpoint.com/results/sk/sk164553

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-25 03:14 AM
In response to garrod
Jump to solution

Not sure that may work for audit logs, but worth a try.

0 Kudos
(1)
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-06-25 10:55 AM
Jump to solution

SOLR version has been upgraded in R81 (and above) and logs do need re-indexing before you can view them.

You can view them by opening the log file manually:

5.PNG

 

You can also try to follow the following SK and change with extended log policy only the audit logs section:

https://support.checkpoint.com/results/sk/sk117317

 

Kind regards, Amir Senn
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events