AnsweredAssumed Answered

Log Indexer crashing - SmartLog not working

Question asked by Kenneth Gregersen on Jan 3, 2019
Latest reply on Jan 11, 2019 by Kenneth Gregersen

Hi

 

We have been struggling, since before Christmas, with our R80.10 SmartCenter server (R80.10 - Build 439).

Every now and then (after a few hours and/or days) the SmartLog is not working. Meaning that it is not possible to view the log files in the SmartDashboard GUI client (SmartView).

 

We can see that the SmartCenter is receiving the logs, but the INDEXER service is crashing.

A workaround has been to do evstop.

Then look into $INDEXERDIR/log/log_indexer.elg and find the offending log file that the INDEXER process is not able to parse. Typically the file name it will show up right before an entry that reads:

 

log_indexer 30145 3804232592] Jan 16:05:41] Start reading 127.0.0.1:2019-01-02_151203_1.log [1546423998] at position 5738761

 

[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id

[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE

[2 Jan 16:05:41] CBinaryLogFile::ReplaceFileToTableMemStringID: error - can't get mem string id

[2 Jan 16:05:41] CBinaryLogFile::ReplaceTableStringId error: couldn't get file string_id, will set to default NULL VALUE

 

Then we edit the file $INDEXERDIR/data/FetchedFiles, mark the offending file as finished - and the INDEXER will move on to the next log file. This procedure is described in sk116117.

 

In some cases it does not indicate which files is problematic at all. What we do then is to evstop;evstart - and (usually) after some time it will show the offending log file.

 

We have tried to re-install SmartCenter, but the problem persists.

Both our vendor and CheckPoint is involved in the case, but so far they have not come up with a solution.

 

Any input is greatly appreciated.

 

/Kenneth

Outcomes