Troubleshooting

Common Scenarios

SmartReporter server is not running. Where can I get information to solve the problem?

To solve this problem perform one of the following:

  • Run the evstart -reporter command to restart the SmartReporter server.
  • Review the error information in the log file. The log file for the SmartReporter server can be found in $RTDIR/log/SVRServer.log. This file contains advanced log information about problems running the SmartReporter server.

Log Consolidator is not running. Where can I get information to solve the problem?

To solve this problem perform one of the following:

  • Ensure that the consolidation session is defined in the Management > Consolidation window.
  • If the session status indicates that logs are not being processed, refer to $RTDIR/log_consolidator_engine/log/<Session_ID>/lc_rt.log and check for errors. If there are errors, restarting the session may solve the problem.
  • If you defined logs outside the sequence, the consolidation process will stop when file processing is completed. In this case, you will receive the following message in the log file: "The engine has finished scanning the requested log files."
    The log file for the Log Consolidator can be found in $RTDIR/log_consolidator_engine/log/<Session_ID>/lc_rt.log. This file contains advanced log information about problems running the Log Consolidator.

I performed an upgrade from a previous version of SmartReporter. The Consolidation session status in the SmartReporter client is "Aborted" and the following error appears in lc_rt.log:
Error:failed to fetch <TableName>_ID inter_code table data
Table 'rt_database.<TableName>' doesn't exist

-Or-

Report generation failed and the following error appeared:
Failed to execute SQL query. Error: Table 'rt_database.<TableName>' doesn't exist. SQL: SELECT <TableName>_CODE, <TableName>_NAME FROM <TableName>.

What should I do?

To solve this problem perform the following:

  • Check the SmartViewReporterInstallation.log file located in c:\Program Files\CheckPoint\CPInstLog\ on Windows or in /opt/CPInstLog/ on any other platform. If the SmartViewReporterInstallation.log file includes the following error(s) perform the following 4 steps:

    Error: Error in process '/opt/CPrt-FLO/svr/bin/evr_upgrade_db /opt/CPrt-FLO/svr'. Error code is 2

    Info: Error in database upgrade. For Database upgrade run /opt/CPrt-FLO/svr/bin/evr_upgrade_db after evstop -reporter.

  1. Run the evstop -reporter command.
  2. Ensure that the database process is not running. The database process name is mysqld-nt.exe for Windows or mysqld for all other platforms.
  3. On a Windows platform run %RTDIR%\bin\evr_upgrade_db.bat. On any other platform run $RTDIR/bin/evr_upgrade_db.
  4. Start SmartReporter by running the evstart -reporter command.

SmartReporter has been installed and the Standard Reports are empty. What should I do?

To solve this problem perform one of the following:

  • Make sure that the database contains data for the dates for which you would like to generate the report. To do this select Management > Database Maintenance.

    Each row in the Database table shows the number of rows in the table, as well as the date range of all the table's entries.

  • Verify that the specific report is generated from the same table that was filled by the consolidation session.
    1. Select Management > Consolidation > Sessions and note the database table from which the information is collected.
    2. Select the report definition's Input tab and verify that the same database table is selected in the Other Database Tables drop-down list.

    Make sure that the date range for the report is defined correctly. This can be verified by selecting the report definition's Period tab and confirming the From and To values.

  • The data may have been eliminated by report filters. Verify that unnecessary filters (for example, a filter that eliminates information on all relevant IP addresses) have not been set. Open the Filter tab associated with the specific report to verify the filters being used.
  • Open the Input tab associated with the specific report and verify that the correct gateways have been selected.
  • Verify that the consolidation engine policy is defined to store the relevant records. See Report Generation Phase Considerations for additional information.
  • The Standard Reports may be empty due to a consolidation delay. The firewall may have sent the logs before consolidation was complete. This usually occurs in daily reports.

When configuring an Express Report I do not see a particular gateway in the Input tab.

A gateway in the Express Report Input tab will not appear if SmartView Monitor is not enabled on the gateway. In order to see the gateway in the Input tab, enable the gateway object in SmartDashboard and install the policy on the gateway. Similarly, VPN needs to be selected for VPN reports.

After performing a Distributed installation the SmartReporter server is not communicating with the management and I cannot login to SmartReporter. What should I do?

To solve this problem perform one of the following:

  • The Reporter object is not completely defined in the Security Management server. In SmartDashboard, establish SIC with SmartReporter, select the SmartReporter checkbox for the host object representing the SmartReporter server and perform Install Database on all relevant log servers.
  • Check the connectivity between the Security Management server and the SmartEvent Server. Once this is verified, check that the SmartReporter object in SmartDashboard is configured with the correct IP in the General Properties > IP address field. In addition, verify that there is connectivity between the client and the server on the CP_reporting service (port 18205).

When one of the following reports is run no data is received. What should I do?

FTP Activity, SMTP Activity, Web Activity and User Activity

For each FTP Activity, SMTP Activity and Web Activity report, create the associated resource and add a rule in the Security Policy whose service column uses this resource. FTP Activity uses an FTP resource, SMTP Activity uses an SMTP resource and Web Activity uses a URI resource.

User Activity

You may not receive data for a User Activity report because your logs do not contain User information. Open one of the relevant logs in SmartView Tracker and then make sure that the User field is empty for a relevant log entry.

In my rule base reports I see an asterisk after the rule number. What does this mean?

Security Gateways add the rule's unique ID to each log to track the rule even though it may have changed its location in the policy and has a different index.

When the rule's ID is defined, the report displays the index to the rule at the time of report generation. However, when the rule's unique ID is not available in a log, the Reporter uses the rule's index. Since the rule index can change, the index may not accurately reflect the rule. The asterisk warns the user that the rule number may not be exact.

Standard report generation failed with the following error:
"Failed to write to result file, please check that there is enough disk space in the result directory for this report".

To solve this problem perform one of the following:

  • This error occurs when SmartReporter cannot write report files. In this case, verify that there is a Write Permission in the results directory. The Results Directory can be found in Tools > Options > Generation > Results Location.
  • Verify that there is enough disk space for the generated reports. If there is not enough disk space, then free space for the results or change the reports output directory to a new location (that is, on another disk).

Standard report generation failed with the following error:
"Report generation optimization caused a failure of the report generation, could not populate temporary table. Error: Got error 28 from table handler".

In this situation, there is not enough disk space in the temporary database directory. To solve this problem, change the location of the temporary database directory. Refer to Modifying SmartReporter Database Configuration for additional information.

When trying to define a new consolidation session the following error appears: "Failed to get the log files list from server/database".
- OR -
After successfully defining a consolidation session the log file in the log consolidator contains the following error "The Engine cannot read the log file from the Log Server, and will automatically try to reconnect every several minutes".
- OR -
The session status in the SmartReporter Consolidation window is "Trying to reconnect".

To solve this problem perform one of the following:

  • Verify that there is connectivity between the SmartReporter machine and the log server. Communication between the two occurs on FW1_lea service (port 18184).
  • If you are working with an external log server that is not installed on the Security Management server, perform SmartDashboard > Policy > Install Database... and select the appropriate object from the list provided.
  • If you are working with Multi-Domain Security Management verify that the Domain Management Server is assigned a global policy and that its database was installed.
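The connectivity checks named on this page (CP_reporting on port 18205 between client and server, FW1_lea on port 18184 between the SmartReporter machine and the log server) can be scripted so that a refused connection is told apart from a silently dropped one. This is an added example, not Check Point code; the function names and the wording of the explanations are assumptions of the example.

```python
import socket
import sys

# Service names and ports as given on this page.
SERVICES = {"CP_reporting": 18205, "FW1_lea": 18184}

# What each outcome suggests; wording is this example's, not the product's.
MEANING = {
    "open": "TCP path works; move on to the SIC, IP address and Install Database checks",
    "refused": "host reachable but nothing listens on the port; check the server process",
    "timeout": "no reply; traffic is likely dropped by a rule or lost in routing",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # DNS failure, no route to host, ...
        return f"error: {exc}"

def check(host, service, timeout=3.0):
    """Probe a named service and return (state, explanation)."""
    state = probe(host, SERVICES[service], timeout)
    return state, MEANING.get(state, state)

if __name__ == "__main__":
    # Usage: python3 probe.py <host> <CP_reporting|FW1_lea>
    host, service = sys.argv[1], sys.argv[2]
    state, meaning = check(host, service)
    print(f"{service} ({SERVICES[service]}/tcp) on {host}: {state} - {meaning}")
```

Run it from the machine that initiates the connection: the client for CP_reporting, the SmartReporter machine for FW1_lea.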

The Logs read per second value in the More Info page is too low.

This value indicates the average log processing speed since the session began. However, this number is not accurate at the time the consolidation session starts processing logs. Wait at least 15 minutes and if this value does not rise try to disable the DNS and run the consolidation session again. If disabling the DNS improves performance, you can enable only internal address resolution, based on the gateway topology. In order to do this, access SmartReporter and enable DNS resolution in Consolidation > Settings. Run the following command in order to only enable internal address resolution:
cpprod_util CPPROD_SetValue "Reporting Module" "dns_internal_only" 1 true 1

If you want to enable the resolution of all addresses run the same command with a false flag:

cpprod_util CPPROD_SetValue "Reporting Module" "dns_internal_only" 1 false 1

Maintenance was completed with the following warning: "Automatic maintenance cannot remove enough records to reach the low-end threshold since participating tables do not have enough old records to remove".

  • Ensure that all the relevant tables have the Auto. Maintenance flag On (in Database Maintenance > Tables > Database Tables list). For example, if a table was imported from a file, it will not participate in maintenance.
  • Verify whether you need to enlarge the database capacity.

Maintenance failed with a Table CONXX_<Table-Name> is full error. For example, "Table 'CON02_CONNECTIONS' is full".

Note - In order to avoid this error in the future, it is recommended that you change the database capacity High End to not more than 75%.

  • The database may be unable to reach its maximum capacity because there is not enough free disk space. In this case, free disk space.

A scheduled report does not appear in SmartReporter until the report is saved.

After defining a schedule for the specific report, save the report. A report will appear only after it is saved.

The status of a consolidation session is "Trying to reconnect". In addition, in the lc_rt.log file the following error appears: "Database space check failed. There may not be enough disk space or it may have failed to obtain database capacity information".

To solve this perform the following:

  1. Check your free disk space. Not enough free disk space can cause this error.
  2. Run Management > Database Maintenance > Maintenance > Activate now in order to free database space.
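Several scenarios on this page are identified by a message in lc_rt.log. The following added example (not part of the product or the original page) scans a log for those quoted messages and returns the first step this page gives for each; the scenario names are invented for the example, and only the message text is matched because the page does not show the log's line layout.

```python
import re
import sys

# Message fragments and remedies are the ones this page quotes for lc_rt.log.
# Only the message text is matched; no timestamp or prefix layout is assumed.
RULES = [
    ("db-not-upgraded",
     re.compile(r"failed to fetch \S+ inter_code table data"
                r"|Table 'rt_database\.[^']+' doesn't exist", re.I),
     "Check SmartViewReporterInstallation.log for the evr_upgrade_db error, "
     "then: evstop -reporter, confirm mysqld is stopped, run evr_upgrade_db, "
     "evstart -reporter."),
    ("log-server-unreachable",
     re.compile(r"cannot read the log file from the Log Server", re.I),
     "Check connectivity to the log server on FW1_lea (port 18184) and "
     "that Install Database was performed."),
    ("db-space-check-failed",
     re.compile(r"Database space check failed", re.I),
     "Check free disk space, then run Database Maintenance > Maintenance > "
     "Activate now."),
    ("out-of-sequence-finished",
     re.compile(r"finished scanning the requested log files", re.I),
     "Expected stop after logs defined outside the sequence were processed."),
]

def triage(lines):
    """Map each known scenario to its first line number, hit count and remedy."""
    found = {}
    for number, line in enumerate(lines, start=1):
        for name, pattern, action in RULES:
            if pattern.search(line):
                hit = found.setdefault(
                    name, {"first_line": number, "count": 0, "action": action})
                hit["count"] += 1
                break
    return found

# Constructed sample lines (EXAMPLE stands in for <TableName>).
SAMPLE = [
    "session started",
    "Error:failed to fetch EXAMPLE_ID inter_code table data",
    "Table 'rt_database.EXAMPLE' doesn't exist",
    "The Engine cannot read the log file from the Log Server, and will "
    "automatically try to reconnect every several minutes",
    "The engine has finished scanning the requested log files.",
]

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for name, hit in triage(source).items():
        print(f"{name}: line {hit['first_line']}, {hit['count']} hit(s) -> {hit['action']}")
```

Pass the path to a session's lc_rt.log as the only argument; with no argument the constructed sample is used.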
 
©2013 Check Point Software Technologies Ltd. All rights reserved.