
Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

This might be already answered somewhere but I didn't seem to find it.

Back in the day, when we "migrate" upgraded (having two servers, old and new) our MDS from R77.30 to R80, I was able to copy audit logs manually from the old R77.30 VM to the appropriate R80 directories, and they got indexed and displayed in SmartLog without any issues.

I'm talking about *.adtlog* logs, more explicitly:

/var/log/mds_logs/*/log/*adtlog*

Last weekend we upgraded from R80.10 to R80.20 using the migration option (basically to a whole new VM) and I did the usual: copied the audit logs over manually, but they don't seem to get indexed and shown in SmartLog.

Has anyone else come across this or have a good suggestion?

We did upgrade export without logs as they are way too big.

 

3 Replies
Admin

Re: Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

I'm guessing they, like the other logs, are indexed.
Did you import your other logs and do the usual steps to reindex?
Platinum

Re: Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

Is it possible to have ONLY audit logs exported?
Are audit logs included in the exported package if the -l parameter was used?

Maybe add a new parameter to the migrate export tool, like an -al parameter, which would export only audit logs, without traffic logs.

Kind regards,
Jozko Mrkvicka

Re: Importing audit logs in MDS after upgrade with migration (R80.10 to R80.20)

As I suspected, indexing on import has changed as of R80.20:

Starting from R80.20, only 1 day is indexed by default (fw.log only).

If you need older logs, follow the SK below; it worked like a charm for us.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

And yes, you can copy *adtlog* only if you wanted to 🙂