I guess creating a dummy logserver object and asking the fw to log to it would have only complicated the issue. Here are some suggestions:

1. If the dummy object still exists, delete your dummy logserver object in the GUI and make sure the firewalls, in the 'log server' tab, are pointing to log to their respective CMA, and push policy afresh to ensure the configuration you had before the dummy logserver is pushed to the gateways.

2. Log into one of the firewalls, or all of them one by one, to which you pushed policy above and check the $FWDIR/conf/masters file, so it shows Logserver as pointing to the CMA.

3. netstat -an | grep 257 and see where the log connection from the firewall is being attempted to and to which it is established (this would give you the clue to troubleshoot further). Most likely, when your CMA on P-1 was not available to send logs to, the gateways would have been logging to themselves. Normally, they should resort to logging back to the logserver once it is available, but it may help in situations such as yours to kill fwd (ensure you choose the 'best practice' to kill 'fwd' - killing 'fwd' does not impact any traffic on the firewall) and start it back (but be prepared to 'cpstop/cpstart' the firewall in case 'fwd' does not come up gracefully).

4. Before the killing 'fwd' step, you can do two more things: check your var/log/messages to see if you have 'log buffer is full' kinda messages, and second, you can debug the fwd process simultaneously on the CMA (in CMA env) and on the fw with the 'fw debug fwd on/off' command, which would show you very clear messages of why and where.

5. There is a possibility that, w/ disk full, there is some file corruption w/ the $FWDIR/log directory on the CMA. You can stop the CMA, move everything from within the /log directory out (do not move /log itself - only its contents), and start the CMA. You may choose to take this as a first step or after debugging, to see if logs start to work ...

hth,
Rajeev

On Fri, Feb 20, 2009 at 7:38 PM, Torkel Mathisen <[email protected]> wrote:

> Hi,
>
> I got a problem today when our Provider-1 ran out of disk space in /var and
> all logging stopped.
>
> I cleared up some old logfiles, but I can't seem to get logging working
> again.
>
> I've also tried logswitch and log purge, but I get "Failed to connect".
> This happens in both GUI and on CLI.
>
> I've also tried mdsrestart_customer, mdsstop/mdsstart, rebooted the server
> and emptied the log directory. I also tried creating a dummy logserver
> object and install the rulebase with that and then repush the rulebase with
> the original logserver. Nothing worked.
>
> Anyone had that problem and know how to fix it?
>
>
> Regards,
> Torkel
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
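
The netstat check from step 3 of the reply, as an added example that is not part of the original thread: a plain `grep 257` also matches unrelated ports such as 2257 or 40257, so this filters on a remote port of exactly 257 and reports whether the expected CMA has an established log session. It assumes Linux-style `netstat -an` columns; the function names and all addresses in the sample are constructed.

```shell
# Constructed sample of `netstat -an` output from a gateway (addresses are made up).
SAMPLE='tcp        0      0 192.0.2.10:18192        0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:40112        198.51.100.5:257        ESTABLISHED
tcp        0      1 192.0.2.10:40257        203.0.113.9:443         SYN_SENT
tcp        0      1 192.0.2.10:40113        198.51.100.77:257       SYN_SENT
tcp        0      0 192.0.2.10:2257         192.0.2.20:51000        ESTABLISHED'

# Print "<remote-ip> <state>" for every TCP connection whose remote port is exactly 257.
log_conns() {
  awk '$1 ~ /^tcp/ {
         n = split($5, a, ":")          # foreign address is field 5: ip:port
         if (a[n] == "257") {
           ip = substr($5, 1, length($5) - length(a[n]) - 1)
           print ip, $6                 # field 6 is the TCP state
         }
       }'
}

# Exit 0 if the expected log server has an ESTABLISHED session, 1 otherwise.
# $1 = expected log server (CMA) IP; netstat output is read from stdin.
check_log_server() {
  log_conns | awk -v want="$1" '
    { print "log connection to " $1 ": " $2 }
    $1 == want && $2 == "ESTABLISHED" { ok = 1 }
    END { exit(ok ? 0 : 1) }'
}

# On a gateway: netstat -an | check_log_server <CMA-IP>
printf '%s\n' "$SAMPLE" | check_log_server 198.51.100.5 \
  || echo "no established log session to the expected CMA"
```

A peer stuck in SYN_SENT, or an established session to an address other than the CMA listed in $FWDIR/conf/masters, is the clue step 3 is looking for.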
