R80.x & above SmartLog/SmartEvent server doesn't index/show logs older than 1-14 days back

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk111766
Technical Level
Product	Logging & Status, SmartEvent / Eventia Analyzer
Version	R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40, R81, R81.10, R81.20
OS	Gaia
Date Created	31-May-2016
Last Modified	29-Mar-2022

Symptoms

After the user upgrades/imports log files into R80.x/R81.x SmartLog/SmartEvent server, it shows logs only for the last 1-14 days (since the date of the upgrade/import).
The $RTDIR/log_indexes/ directory on R80.x/R81.x SmartLog/SmartEvent server contains directories that go back only for the last 1-14 days (since the date of the upgrade/import).
If an offline job is run, the events appear in the Events tab, but not in the tabs of specific blades.
If an offline job is run to send historical log files to R80 SmartEvent server, the "Files" read as "DDD MM DD HH:MM:SS 1969" (e.g., Wed Dec 31 18:00:00 1969) and show "0" for the number of logs.

Cause

By default, R80.x/R81.x SmartLog/SmartEvent server indexes and shows logs only up to 1-14 days back (counting back from the date of the upgrade/import).

Starting from R80.20, only 1 day back is indexed by default (fw.log & all log-files in the last 24 hours).
sk164553 - Steps from this SK may be required if the issue started after an upgrade. The solution below will not work properly if the files that need to be re-indexed are already listed as indexed as per the FetchedFiles.

Solution

Note: To view this solution you need to Sign In .