How do I see the state of the connection to the Check Point Log/Management Servers? In the previous version I could always see the last communication.
This is really important: we just installed the new version, created new inputs (with the old certificates), and no data is coming in.
Thank you
You can monitor from the heavy forwarder side, as well as from the management server. In my case, I have a heavy forwarder on Red Hat, and a secondary management server that I'm connecting to for log retrieval.
I open a screen session, and split the view into 2 panes.
On the HF:
watch -n 1 "ps aux | grep -i opsec"
On the management server:
watch -n 1 "ps aux | grep -i lea"
From there I can see the number of lea_loggrabber sessions running from the HF, and the number of lea_session instances on the Check Point box.
On a related note, I'm also having trouble retrieving data. It seems to centre on pulling SmartDefense data, or on using the Non-Audit setting (which also includes SmartDefense).
I'm still testing, but have found that I need to disable all inputs on the HF, restart the Splunk process and reboot the management server to get to a clean state to work from.
Hope that helps.
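The same check as the two watch panes above, scripted so it can be run on either box and gives a count rather than a screen to eyeball. This is an added example, not code from the original post or from the Splunk add-on; the process names lea_loggrabber (heavy forwarder side) and lea_session (Check Point side) are the ones named in the answer, and the sample ps output embedded below is constructed for illustration (paths, arguments and daemon names are assumptions, not captured output). One thing the bare `ps aux | grep -i opsec` does not handle is that the grep (and watch) process itself matches the pattern, so a naive count is always one too high; the function below drops those lines.

```shell
#!/bin/sh
# Added example (not from the original post): count OPSEC/LEA processes from
# `ps aux` output instead of watching a screen pane. count_procs reads the
# process listing on stdin so it can be run against real `ps aux` or against
# the constructed samples below.

# count_procs PATTERN
#   Prints the number of processes whose command line matches PATTERN
#   (case-insensitive), excluding the grep/watch commands that would
#   otherwise match their own pattern.
count_procs() {
    pattern="$1"
    grep -i -- "$pattern" \
        | grep -v -E '[[:space:]](grep|watch)[[:space:]]' \
        | wc -l | tr -d ' '
}

# check_side LABEL PATTERN MIN
#   Reads `ps aux` text on stdin, prints one status line, and returns 0 when
#   at least MIN matching processes are present, 1 otherwise.
check_side() {
    label="$1"; pattern="$2"; min="$3"
    n=$(count_procs "$pattern")
    if [ "$n" -ge "$min" ]; then
        echo "$label: $n process(es) matching '$pattern' - OK"
        return 0
    fi
    echo "$label: $n process(es) matching '$pattern' - expected at least $min"
    return 1
}

# Constructed sample `ps aux` output for a heavy forwarder with two inputs.
# Paths and arguments are illustrative; only the process name lea_loggrabber
# comes from the original answer. Note the grep line that a naive count
# would include.
HF_SAMPLE='USER   PID %CPU %MEM COMMAND
splunk 2101 0.3 1.2 splunkd -p 8089 start
splunk 2345 0.0 0.1 /opt/splunk/etc/apps/opseclea/bin/lea_loggrabber fw.log
splunk 2346 0.0 0.1 /opt/splunk/etc/apps/opseclea/bin/lea_loggrabber audit.log
root   2400 0.0 0.0 grep -i opsec'

# Constructed sample for the Check Point management server: one lea_session
# (from the answer); fwd and cpd are assumed filler daemons.
MGMT_SAMPLE='USER  PID %CPU %MEM COMMAND
admin 1500 0.1 0.5 fwd
admin 1620 0.0 0.2 lea_session
admin 1700 0.0 0.0 cpd
root  1800 0.0 0.0 grep -i lea'

case "${1:-}" in
    --hf)   ps aux | check_side HF   lea_loggrabber 1 ;;   # run on the forwarder
    --mgmt) ps aux | check_side MGMT lea_session    1 ;;   # run on the management server
    *)
        # No flag: demonstrate on the constructed samples. The MGMT check is
        # given a minimum of 2 to show the failure path.
        printf '%s\n' "$HF_SAMPLE"   | check_side HF   lea_loggrabber 1
        printf '%s\n' "$MGMT_SAMPLE" | check_side MGMT lea_session    2 || :
        ;;
esac
```

Run it with --hf on the heavy forwarder and --mgmt on the Check Point box; a non-zero exit from check_side is what you would wire into a cron job or a Splunk scripted input to alert when the lea_loggrabber sessions disappear. The pattern argument is a grep regex, so `check_side HF opsec 1` reproduces the original `grep -i opsec` pane (minus the grep line) if you prefer to match on the path rather than the binary name.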