Old 01-17-2012, 12:10 PM   #1 (permalink)
Master Untangler
 
Join Date: Mar 2009
Posts: 194
crazylegs is on a distinguished road
Logs don't seem to work after upgrading unless reports are on

I'm not sure why this would be, but with reports off, no new firewall events show up in the logs. As soon as I switch reports back on, new events show up. This seems new to me. Is it? If not, any idea what I'm doing wrong? I just upgraded... I could swear it wasn't like that before the upgrade.
Old 01-17-2012, 12:11 PM   #2 (permalink)
Untangle Junkie
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
dmorris is on a distinguished road

Yes, event logs require reports now.
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
Old 01-17-2012, 12:16 PM   #3 (permalink)
Master Untangler
 
Join Date: Mar 2009
Posts: 194
crazylegs is on a distinguished road

Well, that's great info. Thank you!

I'm going to have to get a policy change now. We've always left reports off since our default stance is to let our staff be adults and usually the 40 pages of reports is enough to troubleshoot something.

Any chance this could become optional?

Also - I'm on 9.1.1~svn20111222r30591release9.1-1lenny - did I miss this change in the changelog?

Finally (sorry, I'm full of questions here): can I leave reports off except when I want to view the logs, then switch reports to "on" and go to the report, hit refresh, and see what's going on?

I just really enjoyed the "auto-refresh" viewing of traffic. I really found it useful.
Old 01-17-2012, 12:21 PM   #4 (permalink)
Untangle Junkie
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
dmorris is on a distinguished road

Sure, you can do that if you like.
Going forward, though, events will not be logged at all if reports is not on.

It sure would seem simpler to me to just leave reports on and let it maintain the database and just set it to generate reports when you want reports, instead of switching the service on and off all the time.
Old 01-17-2012, 12:22 PM   #5 (permalink)
Untangle Ninja
 
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,454
sky-knight is on a distinguished road

Given this change, shouldn't the reports module be required now?

The modules either need to be independent, or not. If there are arbitrary requirements such as this, the reports module should be auto-installed with any module that has the ability to view logs.

Otherwise we're simply asking for confusion.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
Old 01-17-2012, 12:28 PM   #6 (permalink)
Master Untangler
 
Join Date: Mar 2009
Posts: 194
crazylegs is on a distinguished road

Thank you again.

I hear what you're saying, but we have preferred to not keep longer-term records of our network traffic in UT. In order for the firewall logs to be useful, we'll basically be forced to do just that, which, as I said earlier, will force us to make a policy change. Of course, our policy change may be to find another product, which is unfortunate for a few reasons, the first of which is that I really like UT.

I agree with you, Sky-knight. This way is confusing. I can see the utility in providing options to the UT admin person, but why not let us keep the reports off (to avoid long-term storage of traffic details) while allowing us to view the most recent traffic?

And I'm still wondering if I missed the notification that this was changing. Did I? I need to provide an honest answer to my boss.
Old 01-17-2012, 12:33 PM   #7 (permalink)
Untangle Junkie
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
dmorris is on a distinguished road

http://wiki.untangle.com/index.php/9.1_Changelog

In 9.0 and 9.1, long-term records are recorded in the database regardless of whether or not reports is on. Interesting policy, but that's not how Untangle works in 9.0 or 9.1.

Luckily for you, you can accomplish this in 9.2 by turning reports off.

Or you can just set your data retention time to the appropriate value that you want and be done with it.

Or if you just explain what you thought you were accomplishing by turning off reports in 9.0, I can tell you how to accomplish that.

Last edited by dmorris; 01-17-2012 at 12:44 PM..
Old 01-17-2012, 12:49 PM   #8 (permalink)
Master Untangler
 
Join Date: Mar 2009
Posts: 194
crazylegs is on a distinguished road

Could you clarify what you mean about what I need being possible in 9.2?

I can set the report retention time to a day or two and leave it running, I suppose, right now, right? That's what you're saying? If that's as close as I can get, so be it.

As for the 9.1 change log at the link you provided: I'm not sure I missed anything there... unless I was supposed to derive "you have to have the reports on if you want to see anything in the firewall logs" from the event logs section? I'm having a hard time finding much there other than "As with all things there are trade-offs: This means that the fact-table compilation must happen before you can view the fact tables."

Or is there something more obvious that I'm not seeing?
Old 01-17-2012, 01:12 PM   #9 (permalink)
Untangle Junkie
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
dmorris is on a distinguished road

Not logging events to the database is possible in 9.2.
It is not possible in any earlier version regardless of whether reports is on/off/installed/not installed.

Yes, you can set data retention time. Or you can set your report generation schedule. There are many things you can do, but it's hard for me to advise you unless you tell me what you're trying to accomplish.

There is a whole section at the bottom that explains event log changes.
Old 01-17-2012, 02:59 PM   #10 (permalink)
Master Untangler
 
Join Date: Mar 2009
Posts: 194
crazylegs is on a distinguished road

Thank you, dmorris.

What I'm trying to do is avoid easy-to-access longer-term records/logs of my network traffic while keeping access to short-term logs so that I can troubleshoot issues.

The whole section at the bottom of the changelog at the link you provided is what I was referring to - what part of that section says that the reports module must be turned on or we don't get logs? I don't see it. I read it before I upgraded, and nothing jumped out at me because (and I'm still saying this) it doesn't seem to be there. There's some talk about the event log module (not the report module) de-normalizing the fact tables. Is that what you're saying I should have interpreted as "you have to have the reports on if you want to see anything in the firewall logs"?

http://wiki.untangle.com/index.php/9...log#Event_Logs

If it's there in anything close to plain English, could you please point it out to me? If it's there in language an Untangle administrator should understand, could you point it out to me? My point is that I have been caught off guard here and I'm trying to determine if I missed something obvious that's going to require my management to make some hard decisions, or if it wasn't clear, in which case I'll feel better about my reading skills and make sure I ask questions in this forum about anything in the changelog I don't understand for future upgrades.

I'd really appreciate it!