9 Replies Latest reply: Sep 10, 2013 8:31 AM by PhilM

    Rolled Audit logs not available in GUI or CLI

    kdesnayer

      Anyone ever experience a situation where you can view the last 24 hours of logs in the GUI, but once the audit.raw file gets rolled it cannot be viewed on the firewall GUI or CLI? The audit.raw.date.date.gz files are there and I can export them onto another firewall to read them, so the files are not corrupt.

        • 1. Re: Rolled Audit logs not available in GUI or CLI
          mtuma

          That is interesting. I don't know if I've seen that. What happens when you try to run "showaudit <filename>" on the original firewall (does it display)?

          Is the type enforcement correct?

          ll audit.raw*

          -Matt

          • 2. Re: Rolled Audit logs not available in GUI or CLI
            kdesnayer

            The showaudit displays the full audit correctly. The TE is also correct; see below. The strange thing is I can view the last 24 h, just not older. I even forced a roll audit and was able to read that audit from the GUI as it was recent. If I filter for older than 24 hours it shows up blank. I even filtered it down to 1 second in case it was the size that was causing the issue.

            -rw-r--r--  1 root wheel  secureos/Audt:logs 10833219 Aug 12 02:00 audit.raw.20130811020001EDT.20130812020001EDT.gz
            -rw-r--r--  1 root wheel  secureos/Audt:logs 22891048 Aug 13 01:30 audit.raw.20130812020001EDT.20130813013001EDT.gz
            -rw-r--r--  1 root wheel  secureos/Audt:logs   248007 Aug 13 02:00 audit.raw.20130813013001EDT.20130813020001EDT.gz
            -rw-r--r--  1 root wheel  secureos/Audt:logs  8079348 Aug 13 10:35 audit.raw.20130813020001EDT.20130813103506EDT.gz

            • 3. Re: Rolled Audit logs not available in GUI or CLI
              mtuma

              I just had a thought. The GUI seems to look for files that start with audit; do you have any files in /var/log that start with audit and are not binary audit files? Perhaps an ASCII audit file that you collected, or something else?

              -Matt

              • 4. Re: Rolled Audit logs not available in GUI or CLI
                kdesnayer

                Does not look like it...

                .                                                      cron
                ..                                                     cron.0.gz
                .snap                                                  cron.1.gz
                SF.log                                                 cron.2.gz
                SF.log.0.gz                                            daemon.log
                SF.log.1.gz                                            daemon.log.0.gz
                SF.log.2.gz                                            daemon.log.1.gz
                SF.log.3.gz                                            daemon.log.2.gz
                SF.log.4.gz                                            daemon.log.3.gz
                SF.log.5.gz                                            daemon.log.4.gz
                SF.log.6.gz                                            daemond.log
                audit.raw                                              debug.log
                audit.raw.20130718020001EDT.20130719020001EDT.gz       export_data
                audit.raw.20130719020001EDT.20130720020000EDT.gz       lastlog
                audit.raw.20130720020000EDT.20130721020001EDT.gz       maillog
                audit.raw.20130721020001EDT.20130722020000EDT.gz       maillog.0.gz
                audit.raw.20130722020000EDT.20130723020001EDT.gz       maillog.1.gz
                audit.raw.20130723020001EDT.20130724020001EDT.gz       maillog.2.gz
                audit.raw.20130724020001EDT.20130725020001EDT.gz       maillog.3.gz
                audit.raw.20130725020001EDT.20130726020001EDT.gz       maillog.4.gz
                audit.raw.20130726020001EDT.20130727020001EDT.gz       maillog.5.gz
                audit.raw.20130727020001EDT.20130728020001EDT.gz       maillog.6.gz
                audit.raw.20130728020001EDT.20130729020001EDT.gz       messages
                audit.raw.20130729020001EDT.20130730020001EDT.gz       messages.0.gz
                audit.raw.20130730020001EDT.20130731020001EDT.gz       messages.1.gz
                audit.raw.20130731020001EDT.20130801020001EDT.gz       messages.2.gz
                audit.raw.20130801020001EDT.20130802020001EDT.gz       messages.3.gz
                audit.raw.20130802020001EDT.20130803020000EDT.gz       messages.4.gz
                audit.raw.20130803020000EDT.20130804020000EDT.gz       mysql
                audit.raw.20130804020000EDT.20130805020000EDT.gz       ntp
                audit.raw.20130805020000EDT.20130806020001EDT.gz       packages.log
                audit.raw.20130806020001EDT.20130807020001EDT.gz       ppp.log
                audit.raw.20130807020001EDT.20130808003001EDT.gz       qsw_out
                audit.raw.20130808003001EDT.20130808020001EDT.gz       qsw_state
                audit.raw.20130808020001EDT.20130809003001EDT.gz       security
                audit.raw.20130809003001EDT.20130809020001EDT.gz       sendmail.st.mta1
                audit.raw.20130809020001EDT.20130810020001EDT.gz       sendmail.st.mta2
                audit.raw.20130810020001EDT.20130811020001EDT.gz       sendmail.st.mtac
                audit.raw.20130811020001EDT.20130812020001EDT.gz       snmpd.log
                audit.raw.20130812020001EDT.20130813013001EDT.gz       snmptrap.log.unbound
                audit.raw.20130813013001EDT.20130813020001EDT.gz       usage
                audit.raw.20130813020001EDT.20130813103506EDT.gz       vmware-tools-guestd
                auth.log                                               wtmp
                crash                                                  xferlog
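
The two checks Matt's replies ask for, confirming that the rolled audit files line up end-to-start with no gap in coverage, and spotting any stray file that a loose "audit*" prefix match would sweep up alongside the real binary audit files, as an added Python example (not code from the thread or from the firewall product). It parses a subset of the /var/log listing above; the "audit.ascii.txt" entry is a constructed stand-in for the kind of stray file Matt described, not something in the thread's listing, and the 5-second roll tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Subset of the thread's /var/log listing.  "audit.raw" is the live, un-rolled
# file; "EDT" is the firewall's local time-zone abbreviation.  The final entry,
# "audit.ascii.txt", is CONSTRUCTED for this example (it is not in the thread).
SAMPLE_LISTING = """
audit.raw
audit.raw.20130805020000EDT.20130806020001EDT.gz
audit.raw.20130806020001EDT.20130807020001EDT.gz
audit.raw.20130807020001EDT.20130808003001EDT.gz
audit.raw.20130808003001EDT.20130808020001EDT.gz
audit.raw.20130808020001EDT.20130809003001EDT.gz
audit.raw.20130809003001EDT.20130809020001EDT.gz
audit.raw.20130809020001EDT.20130810020001EDT.gz
audit.raw.20130810020001EDT.20130811020001EDT.gz
audit.raw.20130811020001EDT.20130812020001EDT.gz
audit.raw.20130812020001EDT.20130813013001EDT.gz
audit.raw.20130813013001EDT.20130813020001EDT.gz
audit.raw.20130813020001EDT.20130813103506EDT.gz
auth.log
cron
messages
audit.ascii.txt
"""

# audit.raw.<start>TZ.<end>TZ.gz: 14-digit stamps, each followed by a zone abbreviation
ROLLED_RE = re.compile(r"^audit\.raw\.(\d{14})[A-Z]{3,4}\.(\d{14})[A-Z]{3,4}\.gz$")


def parse_stamp(stamp):
    """Turn a YYYYMMDDhhmmss string into a naive datetime (zone suffix already removed)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def classify(names):
    """Split a listing into rolled segments (start, end, name), sorted by start time,
    and any other 'audit*' entry that a bare prefix match would also pick up."""
    segments, stray = [], []
    for name in names:
        m = ROLLED_RE.match(name)
        if m:
            segments.append((parse_stamp(m.group(1)), parse_stamp(m.group(2)), name))
        elif name.startswith("audit") and name != "audit.raw":
            stray.append(name)
    segments.sort()
    return segments, stray


def coverage_gaps(segments, tolerance=timedelta(seconds=5)):
    """Report consecutive segments whose end and start stamps do not meet.
    Rolls are stamped to the second, so a few seconds of slack are tolerated
    (assumed value); anything larger is a window of history with no file behind it."""
    gaps = []
    for (_, end_a, name_a), (start_b, _, name_b) in zip(segments, segments[1:]):
        if abs(start_b - end_a) > tolerance:
            gaps.append((name_a, name_b, start_b - end_a))
    return gaps


def segments_for_window(segments, start, end):
    """Names of the rolled files overlapping [start, end): what a viewer must open
    to answer a filter for that period (e.g. "older than 24 hours")."""
    return [name for (s, e, name) in segments if s < end and e > start]


def analyze(listing_text):
    """Run both checks over a whitespace-separated listing and return the findings."""
    segments, stray = classify(listing_text.split())
    return {"segments": segments, "stray_audit_files": stray, "gaps": coverage_gaps(segments)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LISTING)
    print(f"{len(report['segments'])} rolled segments, {len(report['gaps'])} gaps, "
          f"stray audit* files: {report['stray_audit_files']}")
    older = segments_for_window(report["segments"],
                                parse_stamp("20130810020001"), parse_stamp("20130812020001"))
    print("files covering Aug 10 02:00:01 to Aug 12 02:00:01:", *older, sep="\n  ")
```

Pointing the same functions at a real `ls /var/log` capture shows at once whether an older-than-24-hours filter has a contiguous set of rolled files to draw on, and whether anything else in the directory shares the audit prefix.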

                • 5. Re: Rolled Audit logs not available in GUI or CLI
                  mtuma

                  Hmm, looks good to me. Perhaps someone else on here has a thought.

                  Otherwise I think it would make sense to do a remote session with Support. I'm sure they can figure it out.

                  -Matt

                  • 6. Re: Rolled Audit logs not available in GUI or CLI
                    mtuma

                    Ahh, ok, I just found out that this is a known issue (thought it sounded familiar).

                    There is an engineering patch available, which you can get by contacting support. The next patch (8.3.2) will contain the fix as well, but I don't have a date for its release.

                    -Matt

                    • 7. Re: Rolled Audit logs not available in GUI or CLI
                      kdesnayer

                      Thanks man!!

                      • 8. Re: Rolled Audit logs not available in GUI or CLI
                        oserag

                        Hello, I have the same issue and I need to know which patch needs to be installed: Patch 8.3.1P01, Patch 8.3.1P02 or Patch 8.3.1P03, as version 8.3.2 is not yet released.

                        • 9. Re: Rolled Audit logs not available in GUI or CLI
                          PhilM

                          As Matt has mentioned, the pre-8.3.2 fix is included in an engineering (E) patch, not a normal (P) patch.

                          You will need to raise a service request with your problem and McAfee Support will issue the patch to you directly.

                          -Phil.