I have a server with SFOS v19, and I am confused about the log viewer. I think that it always shows only logs in a 10-minute window.
I tried to change the time filter (all records, last 4 hours, 60 minutes, etc.) but it doesn't work.
I can only view firewall logs for the last 10 minutes. What if I want to view firewall module logs from three days or a month ago, is this possible?
Or can I view them from another place, like the reports tab?
Can anyone explain the limits of the log viewer?
Thanks a lot.
Firewall logs are generated for each packet that matched a firewall rule with logging enabled. So it's a huge amount of logs and cannot be stored for a long period. To store these logs for an extended period…
So the current behavior of the log viewer is to show you the recent logs. You can scroll down and this will show you more until the log viewer rotates.
There was a bug in the old EAP version, which broke this behavior. This means, there was only a specific time frame. But it should be fixed.
If you go to a rarely used module, are you sure about the data contained?
Scrolling is working; for example, in firewall logs I can scroll down [it disabled live show] and I can view many pages, but within 10 minutes.
But admin or system events always show the last events within a certain time.
For example: I accessed the log viewer at 11:05, and it shows logs from 11:05 to 10:46, for all modules.
Even when I change the view (standard or detailed), the same logs are shown.
As I guessed before, a server upgraded from v18 to v19 has no problems, but a new installation with (SW-19.0.0_GA-317.iso) has these problems.
Just to double check: If you generate an entry in IPS, for example, does this entry disappear after this time window?
This would generally mean, you are affected by this issue. Can you create a Support Case?
Yes, I tested the log viewer for all logs again, so the final conclusion is: all logs for all modules are within a fixed window (20 minutes) for all kinds of logs, and any entry disappears after this window. Even if I change the time filter nothing changes; it is still a fixed 20-minute window.
I will wait for the next upgrade to fix the problem if there is no solution.
Fresh installation with SW-19.0.0_GA-317.iso
If you have a valid Support license, I would recommend you open a case with support so the case can get to GES and DEV, for them to be able to acknowledge the issue and work on a fix for your device. I haven't seen this error reported, so chances are the next upgrade might not fix this.
You should share with support the output of:
csc custom status
ls -lh /var/eventlogs
First, could I open a support ticket with a trial license?
As I said, this is a testing server with a trial license to evaluate v19. But I reformatted the server with (SW-18.5.4_MR-4-418.iso), then I applied the upgrade (SW-19.0.0_GA.SFW-317.sig) and restored the backup, and the log viewer works fine and shows all logs as usual.
So my theory: there is a problem in (SW-19.0.0_GA-317.iso).
A new old problem returned: when I formatted the server with SW-18.5.4_MR-4-418.iso (default configuration), registered it with a trial license, and tried to upgrade to v19 using (SW-19.0.0_GA.SFW-317.sig), it showed a message after uploading the file that on reboot the default configuration will be applied (?????), and on reboot the same old issue appeared: failed to migrate configuration and the default will be applied.
Even the report settings are default (Retain SSL/TLS inspection logs of the past is 1 month).
Thanks a lot.
V18.5 MR4 to V19.0 GA is not supported. You need to wait for V19.0 MR1.
I'm confused: is it safe to use v19 GA for a production server, or should I use v18.5 MR4 and wait for v19 MR1?
My last backup configuration was on v19. What should I do to restore it on v18.5? Will it not be valid?
Or is there a way to do this?
You can use V19.0 GA. You cannot restore a V19.0 Backup on a V18.5 Release.