Check which gateways are logging
Hi,
I have noticed some of my gateways don't appear to be logging traffic. This, I am certain, was working for all gateways previously. We have 45 gateways on the management server, so I would ideally like a command I can run on the log server to see which are established so I can work through backwards.
We have 24 CloudGuard gateways in hypervisor mode and it seems to be some of them that aren't working. So I cannot easily tell which ones are not logging, but I just know when I should be seeing traffic and I am not. The log server has plenty of disk space.
Thanks
netstat -an should show active TCP connections with gateways that are logging.
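An added example (not part of the thread) that turns the netstat check above into a list of gateways with no log connection, for running on the log server. It assumes gateways deliver logs to TCP port 257 on the log server and that an inventory file of "name ip" lines exists; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: which inventory gateways hold no log connection right now?
# Assumption: gateways send logs to TCP 257 on the log server (override LOG_PORT).
LOG_PORT="${LOG_PORT:-257}"

# Read `netstat -an` text on stdin; print each remote IPv4 address that has an
# ESTABLISHED TCP session to the local log port, one per line.
connected_peers() {
    awk -v port="$LOG_PORT" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($4, l, ":")              # local address; port is last part
            if (l[n] != port) next
            m = split($5, r, ":")              # foreign address is the gateway
            print r[m - 1]                     # also handles ::ffff:a.b.c.d:port
        }' | sort -u
}

# missing_gateways INVENTORY < netstat-output
# INVENTORY lines are "name ip"; prints those with no established session.
missing_gateways() {
    peers=$(connected_peers)
    while read -r name ip rest; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s\n' "$peers" | grep -qxF -- "$ip" || printf '%s %s\n' "$name" "$ip"
    done < "$1"
}

# Constructed sample data (not from the thread): three gateways, one silent,
# plus an unrelated SSH session and a closing log session that must not count.
demo() {
    inv=$(mktemp)
    printf '%s\n' '# name ip' 'gw-a 10.2.0.11' 'gw-b 10.2.0.12' 'gw-c 10.2.0.13' > "$inv"
    missing_gateways "$inv" <<'EOF'
tcp        0      0 10.1.1.5:257        10.2.0.11:41822     ESTABLISHED
tcp        0      0 10.1.1.5:22         10.2.0.12:50514     ESTABLISHED
tcp        0      0 10.1.1.5:257        10.2.0.12:38110     TIME_WAIT
tcp6       0      0 ::ffff:10.1.1.5:257 ::ffff:10.2.0.13:40222 ESTABLISHED
tcp        0      0 0.0.0.0:257         0.0.0.0:*           LISTEN
EOF
    rm -f "$inv"
}

# On the log server: netstat -an | missing_gateways /path/to/inventory.txt
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The inventory must list the address each gateway presents to the log server, so a gateway behind NAT needs its translated address there.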
I did some further testing and found a specific gateway that is not logging. I have an SNMP alarm on that device: A "chkpntTrapOverallLSConnState" event has occurred, from CheckpointFirewall device, Security Gateway is unable to report logs to any log server fwLocalLoggingDesc = Writing logs locally due to connectivity problems fwLocalLoggingStat = 2
I can ping the log server from this gateway, and the fw.log file is not increasing either. I just did an install database on all the management servers, and a cpstart on the gateway. Really weird. I've run through sk40090 without any luck either. Looks like I have 3 gateways that all stopped logging at the exact same time. netstat -an doesn't show a connection to the log server.
Don’t know that you need to delete logtrack but restarting fwd can’t hurt.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Yes, I think you are right. Does restarting FWD have any service impact?
I saw this in the logs, which looks very similar to sk118936:
-[17 Dec 15:55:49] connect_to_local_server: connected to local server successfuly
-[17 Dec 15:55:49] ....<-- connect_to_local_server
-[17 Dec 15:55:49] ...<-- connect_to_server
-[17 Dec 15:55:49] create_default_log: connected to default log server
-[17 Dec 15:55:49] ...--> disconnect_from_server
-[17 Dec 15:55:49] disconnect_from_server: default still backups other servers, don't disconnect
-[17 Dec 15:55:49] ...<-- disconnect_from_server
-[17 Dec 15:55:49] create_default_log: disconnected from default log server
-[17 Dec 15:55:49] ..<-- create_default_log
-[17 Dec 15:55:49] .<-- logbuf_write
-[17 Dec 15:55:49] .--> log_has_connected_server
-[17 Dec 15:55:49] .<-- log_has_connected_server
-[17 Dec 15:55:49] log_add_e__logclient: writes logs to local disk because overflow
-[17 Dec 15:55:49] log_add_e__logclient: 192.168.10.10 - no log is sent now
-[17 Dec 15:55:49] log_add_e__logclient: waiting for connecting callback (log_connected) to be read
-[17 Dec 15:55:49] log_add_e__logclient: Write locally ! log record number = 5342
-[17 Dec 15:55:49] .--> log_local_write
-[17 Dec 15:55:49] .<-- log_local_write
-[17 Dec 15:55:49] <-- log_add_e__logclient
I don’t believe so, but the SK suggests doing it during a maintenance window.
Found another solution: removing the log server from the gateway, pushing policy and adding it back has got the log connection back up and working now.
