Anyone ever experience a situation where you can view the last 24 hours of logs in the GUI, but once the audit.raw file gets rolled it cannot be viewed on the firewall GUI or CLI? The audit.raw.date.date.gz files are there and I can export them onto another firewall to read them, so the files are not corrupt.
That is interesting. I don't know if I've seen that. What happens when you try to run "showaudit <filename>" on the original firewall (does it display)?
Is the type enforcement correct?
The showaudit displays the full audit correctly. The TE is also correct... see below. The strange thing is I can view the last 24 H, just not older. I even forced a roll audit and was able to read that audit from the GUI as it was recent. If I filter for older than 24 hours it shows up blank. I even filtered it down to 1 second in case it was the size that was causing the issue.
-rw-r--r-- 1 root wheel secureos/Audt:logs 10833219 Aug 12 02:00 audit.raw.20130811020001EDT.20130812020001EDT.gz
-rw-r--r-- 1 root wheel secureos/Audt:logs 22891048 Aug 13 01:30 audit.raw.20130812020001EDT.20130813013001EDT.gz
-rw-r--r-- 1 root wheel secureos/Audt:logs 248007 Aug 13 02:00 audit.raw.20130813013001EDT.20130813020001EDT.gz
-rw-r--r-- 1 root wheel secureos/Audt:logs 8079348 Aug 13 10:35 audit.raw.20130813020001EDT.20130813103506EDT.gz
I just had a thought. The GUI seems to look for files that start with audit. Do you have any files in /var/log that start with audit and are not binary audit files? Perhaps an ASCII audit file that you collected or something else?
Does not look like it...
Hmm, looks good to me. Perhaps someone else on here has a thought.
Otherwise I think it would make sense to do a remote session with Support. I'm sure they can figure it out.
Ahh, ok, I just found out that this is a known issue (thought it sounded familiar).
There is an engineering patch available, which you can get by contacting support. The next patch (8.3.2) will contain the fix as well, but I don't have a date for its release.
Hello, I have the same issue and I need to know which patch needs to be installed: Patch 8.3.1P01, Patch 8.3.1P02 or Patch 8.3.1P03, as version 8.3.2 is not yet released.
As Matt has mentioned, the pre-8.3.2 fix is included in an engineering (E) patch, not a normal (P) patch.
You will need to raise a service request with your problem and McAfee Support will issue the patch to you directly.