Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Have had several firewalls have this issue. The ones that it was fixed on one of the Customers was a full rebuild but I don't want to do that on the another Customer as the rebuild for that one was necessary for other issues.

According to Support, there are 3 Jiras tracking the logs/reports, I only have the numbers and not the names yet.

There does not seem to be a surefire fix right now but is definitely a v17.5.5 issue that is intermittent and agnostic between software/hardware installations.

I updated my XG as per suggestions and the reporting  is now stuck which would indicate garner has failed again MR-6.

I will check again in the morning to see if any magic happened overnight.

Ian

Yeah, this Customer firewall is on v17.5.6 implemented on Friday last week.

What is interesting in the logs is that the issue happens when it does a table move indicating this could be a corruption/process > database connection issue:

red_gr_input(1179 == 1179):Red devices: Connected: 0 Disconnected 0 Enabled: 0 Disabled: 0
Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: moving table 'available_webusgdatav9_1561188900' FD: 27
Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: table 'available_webusgdatav9_1561188900' is moved to 'tbl_used_webusgdatav9' queue
Jun 24 17:00:01: OPPOSTGRES: FORCED CONNECTION RESET for TABLE: 'webusgdatav9' FD: 27
Jun 24 17:00:01: OPPOSTGRES: release_postgres_client: Database disconnected FD: 27
Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: moving table 'available_mail_datav6_1561023498' FD: 52
MESSAGE Jun 24 22:14:23 [4146846016]: Starting garner-0.0.0.17 with glibc: 2.21
printing udp input list
'232' '1414' '1415' '1416' '1417' '2929'
MESSAGE Jun 24 22:14:23 [4146846016]: garner is running as root. This can be dangerous.Please provide valid 'User' and 'Group' in config file

There does not seem to be any useful information before though. It does seem it dies sufficiently enough to kill the logdb output as well which explains the loss of the log viewer:

52048 -rwx------ 1 root 0 53239808 Jun 24 23:20 139.db
53212 -rwx------ 1 root 0 54431744 Jun 24 22:47 138.db
53120 -rwx------ 1 root 0 54337536 Jun 24 16:58 137.db
52544 -rwx------ 1 root 0 53747712 Jun 24 16:39 136.db

Emile

1 of 2 firewalls was fixed with Firmware 17.5 MR6.

To automate the restart of the gartner process, I use a script and put a cron job on linux.

Here is the script in case someone is useful to you.

#!/usr/bin/expect -f
spawn ssh XG_IP -l admin
expect "password:"
send "PasswordHere\r"
expect "Main Menu"
send "5\r"
expect "*"
send "3\r"
expect "*"
send "service garner:restart -ds nosync\r"
expect "200 OK"
send "exit\r"
expect "*"
send "0\r"
expect "*"
send "0\r"
exit

Now I only have to cross my fingers so that the other one doesn't stop working.

Just to confirm my Garner Service died again on MR-6 also

Had to restart it today :-(

Just to confirm my Garner Service died again on MR-6 also

Had to restart it today :-(

Magic happened overnight, the data missing during the day, yesterday appeared in the daily reports (well most of it). SMTPS reporting is not happening, was when MR-6 was first released, but is not now..

More testing today.

Ian

Update:- further testing of SMTPS does now appear in the XG GUI. Still missing the SMTPS entries for yesterday, lots of other stuff appeared.

Something still broken I think :-(

I will fire up my XG230 in the next few days on a new connection and see if it does it as well.

New Internet Service Provider you mean ?  Is there a logical reasoning behind this or it's despair ?

Paul Jr