This repository has been archived by the owner on Dec 29, 2020. It is now read-only.

Missing LogFiles from --showlogs #11

Open
BigPeteL opened this issue Feb 17, 2016 · 3 comments

Comments

@BigPeteL

Hello,

If we run --showlogs we only see a small subset of log files from years ago. However, if I browse /var/log/opt/CPsuite-R/fw1/log on the management appliance, pick a log file, e.g. "2016-02-16-235900.log", and manually specify the file, e.g. -f 2016-02-16-235900.log, the contents are all displayed correctly.

Also, running "-f ALL" or "--logfile ALL" doesn't return any files. We have multiple versions of CPsuite-R due to previous upgrades; could this be throwing it off?

Thanks,
Peter

@BigPeteL
Author

Here is the output from --showfiles --debug-level 3:

- 2012-05-30_235900.log
DEBUG: function stringlist_append
DEBUG: function string_duplicate
DEBUG: - 2012-05-31_235900.log
- 2012-05-31_235900.log
DEBUG: function stringlist_append
DEBUG: function string_duplicate
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] opsec_end_session_e: scheduling the end of session 3
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_read: read 12 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] fwasync_connbuf_realloc: reallocating 8539dd8 from 4111 to 25780
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] Destroying session (851d390) id 3 (ent=850f5e8) reason=END_BY_APPLICATION
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] SESSION ID:3 is sending DG_TYPE=3

[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
DEBUG: function get_fw1_logfiles_end
DEBUG: OPSEC_SESSION_END_HANDLER called
DEBUG: The session has been ended.
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] opsec_del_event : event ctx is not activated 

[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] opsec_del_event : event ctx is not activated 

[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] opsec_del_event : event ctx is not activated 

[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] SESSION ID:3 already resumed read
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] opsec_comm_is_needed:comm 0x85052c0 0/0 sessions need the comm.
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_read: read 2987 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_write: write 12 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] COM 0x85052c0 got signal 131074
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_read: read 16384 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_read: read 4096 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_InputPending 1 pending bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] ckpSSL_do_read: read 1289 bytes
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] demultiplex type=504 session-id=3
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11] Could not find session. Send reset
[ 5104 4148496128]@DEBIAN[17 Feb 15:39:11]  is sending DG_TYPE=4

@adepasquale
Contributor

@BigPeteL I'm not sure I can solve this issue, but I can try to help you troubleshoot. Can you move the old files in /var/log/opt/CPsuite-R*/fw1/log/* out of the way and try again?

@selfuryon

Maybe it's a problem on the Check Point side. Over OPSEC LEA it only 'sees' the files listed in fw.logtrack. This file is located in the $FWDIR/log folder and has a structure like this:

[Expert@t-osic-cplogs:0]# cat fw.logtrack
AccountFileId  NormalFileId  LogFileName
--------------------------------------------------------
1477162740    1477162740    2016-10-23_235900.log
1477249140    1477249140    2016-10-24_235900.log
1477335540    1477335540    2016-10-25_235900.log
1477421940    1477421940    
[Expert@t-osic-cplogs:0]# 

The first two fields are unix timestamps. The last row is a reference to fw.log. So you can manually add the rows that you need. As an example, I have two files, 2016-09-01_235900.log and example.log, and I want to get them via OPSEC LEA. So I add them to fw.logtrack like this:

AccountFileId  NormalFileId  LogFileName
--------------------------------------------------------
1477162000    1477162001    2016-09-01_235900.log
1477162002    1477162003    example.log
1477162740    1477162740    2016-10-23_235900.log
1477249140    1477249140    2016-10-24_235900.log
1477335540    1477335540    2016-10-25_235900.log
1477421940    1477421940    

So I fill the first two fields with arbitrary unix timestamps, in ascending order. After that fw1-loggrabber will show these files in --showfiles and I can fetch them.
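The hand-edit described in the comment above is easy to get wrong: an out-of-order ID or a blank LogFileName in the middle of the index can make the listing stop early. The following is an added example, not code from fw1-loggrabber or from Check Point, that parses an fw.logtrack index with the layout shown in this thread, checks the invariants the comment relies on (AccountFileId strictly ascending, only the trailing fw.log row without a filename, no duplicate names) and appends missing log files with synthetic ascending IDs placed below the smallest existing one. The sample index, the helper names and the ID-spacing scheme are assumptions for the example; the exact semantics of the two ID columns are not documented on this page.

```python
"""Parse, validate and extend a Check Point fw.logtrack index.

Added example for this issue thread; not part of fw1-loggrabber or Check Point.
The file layout follows the sample posted above; the helper names, the
ID-spacing scheme and the sample data below are assumptions for illustration.
"""
import re

HEADER_LINES = (
    "AccountFileId  NormalFileId  LogFileName",
    "--------------------------------------------------------",
)

# Constructed sample, shaped like the fw.logtrack posted in the comment above.
SAMPLE_LOGTRACK = """\
AccountFileId  NormalFileId  LogFileName
--------------------------------------------------------
1477162740    1477162740    2016-10-23_235900.log
1477249140    1477249140    2016-10-24_235900.log
1477335540    1477335540    2016-10-25_235900.log
1477421940    1477421940    
"""

# Two integer IDs, then an optional filename; the trailing fw.log row has none.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_logtrack(text):
    """Return a list of (account_id, normal_id, filename) tuples.

    An empty filename marks the trailing row that refers to the live fw.log.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("AccountFileId", "---")):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError("malformed fw.logtrack row: %r" % line)
        rows.append((int(m.group(1)), int(m.group(2)), m.group(3) or ""))
    return rows


def validate(rows):
    """Return a list of problems; an empty list means the index looks sane."""
    problems = []
    prev_acc = -1
    seen = set()
    for i, (acc, norm, name) in enumerate(rows):
        if acc <= prev_acc:
            problems.append("row %d: AccountFileId %d is not ascending" % (i, acc))
        prev_acc = acc
        if name == "" and i != len(rows) - 1:
            problems.append("row %d: empty LogFileName before the last row" % i)
        if name and name in seen:
            problems.append("row %d: duplicate LogFileName %s" % (i, name))
        seen.add(name)
    return problems


def add_files(rows, new_names, step=2):
    """Prepend rows for new_names that are not yet indexed.

    Synthetic IDs are assigned in ascending order and kept strictly below the
    smallest existing AccountFileId (assumption: any ascending integers work,
    as the comment above found), each file taking two consecutive values.
    """
    existing = {name for _, _, name in rows if name}
    to_add = [n for n in new_names if n not in existing]
    if not to_add:
        return list(rows)
    base = rows[0][0] - step * len(to_add) if rows else 1
    if base < 1:
        raise ValueError("no room below the first existing AccountFileId")
    added = [(base + step * k, base + step * k + 1, n) for k, n in enumerate(to_add)]
    return added + list(rows)


def render(rows):
    """Serialise rows back into the fw.logtrack text layout."""
    out = list(HEADER_LINES)
    for acc, norm, name in rows:
        out.append("%-14d%-14d%s" % (acc, norm, name))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rows = parse_logtrack(SAMPLE_LOGTRACK)
    assert not validate(rows)
    updated = add_files(rows, ["2016-09-01_235900.log", "example.log"])
    print(render(updated))
```

Run validate() over the existing file before and after editing, and keep a copy of the original fw.logtrack: this hand-edit is a workaround the commenter found, not a documented interface, and a malformed index affects every LEA client that reads from the management server.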
