
Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Sophos XG Firewall offers on-device reporting and logs, which is a good feature for all SMBs. There is another module, "Sophos iView", available for logs and reporting, but it is better suited to critical organizations or big data centers that need a lot of logs, reports, and backups of all of those.

Recently, I faced an issue where no logs show on the GUI "Log Viewer", but you will see all logs through the command line, or some new logs on the auxiliary device but not on the primary device (new logs not updating). This issue has been reported on virtual and hardware firewalls as well. Today I am going to share how to handle this issue without booking a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read the full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html



This thread was automatically locked due to age.
  • I had this issue, made a case with Sophos, and was told to disable notifications and run service garner:restart -ds nosync

     

    If I just ran service garner:restart -ds nosync and did not disable notifications, then the logs would work for a while and then quit; I would run service garner:restart -ds nosync again and the same thing would happen. Basically rinse and repeat until I disabled notifications.

  • Hi,

    I have applied that approach, but it should not be necessary if the software that they broke were fixed. Also, the notifications do not work for all events, e.g. failed logins. They used to work before they broke garner.

    Ian

  • Have had several firewalls with this issue. The one where it was fixed, for one of the customers, was a full rebuild, but I don't want to do that on the other customer, as the rebuild for the first one was necessary for other issues.

    According to Support, there are 3 Jiras tracking the logs/reports; I only have the numbers and not the names yet.

    There does not seem to be a surefire fix right now, but it is definitely a v17.5.5 issue that is intermittent and agnostic between software/hardware installations.

  • I updated my XG as per the suggestions, and the reporting is now stuck, which would indicate garner has failed again on MR-6.

    I will check again in the morning to see if any magic happened overnight.

    Ian

  • Yeah, this Customer firewall is on v17.5.6 implemented on Friday last week.

    What is interesting in the logs is that the issue happens when it does a table move, indicating this could be a corruption/process > database connection issue:

    red_gr_input(1179 == 1179):Red devices: Connected: 0 Disconnected 0 Enabled: 0 Disabled: 0
    Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: moving table 'available_webusgdatav9_1561188900' FD: 27
    Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: table 'available_webusgdatav9_1561188900' is moved to 'tbl_used_webusgdatav9' queue
    Jun 24 17:00:01: OPPOSTGRES: FORCED CONNECTION RESET for TABLE: 'webusgdatav9' FD: 27
    Jun 24 17:00:01: OPPOSTGRES: release_postgres_client: Database disconnected FD: 27
    Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: moving table 'available_mail_datav6_1561023498' FD: 52
    MESSAGE Jun 24 22:14:23 [4146846016]: Starting garner-0.0.0.17 with glibc: 2.21
    printing udp input list
    '232' '1414' '1415' '1416' '1417' '2929'
    MESSAGE Jun 24 22:14:23 [4146846016]: garner is running as root. This can be dangerous.Please provide valid 'User' and 'Group' in config file

     

    There does not seem to be any useful information before that, though. It does seem it dies sufficiently to kill the logdb output as well, which explains the loss of the log viewer:

    52048 -rwx------ 1 root 0 53239808 Jun 24 23:20 139.db
    53212 -rwx------ 1 root 0 54431744 Jun 24 22:47 138.db
    53120 -rwx------ 1 root 0 54337536 Jun 24 16:58 137.db
    52544 -rwx------ 1 root 0 53747712 Jun 24 16:39 136.db

    Emile

  • 1 of 2 firewalls was fixed with Firmware 17.5 MR6.

    To automate the restart of the garner process, I use a script and put a cron job on Linux.

    Here is the script in case it is useful to someone.


    #!/usr/bin/expect -f
    # Restart garner on an XG by walking the console menus to the Advanced Shell.
    # Host and password are read from the environment so the admin password is
    # not stored in the script; export XG_IP and XG_PASSWORD before the cron run.
    set timeout 30
    spawn ssh $env(XG_IP) -l admin
    expect "password:"
    send "$env(XG_PASSWORD)\r"
    expect "Main Menu"
    send "5\r"          ;# 5 = Device Management
    expect "*"
    send "3\r"          ;# 3 = Advanced Shell
    expect "*"
    send "service garner:restart -ds nosync\r"
    expect {
        "200 OK" { }
        timeout  { puts "garner restart did not report 200 OK"; exit 1 }
    }
    send "exit\r"       ;# leave the Advanced Shell
    expect "*"
    send "0\r"          ;# back to the Main Menu
    expect "*"
    send "0\r"          ;# exit the console
    expect eof

    Now I only have to cross my fingers so that the other one doesn't stop working.
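The cron approach above restarts garner on every tick whether or not it has actually stalled. A restart that only fires when the stall is visible needs two things the thread already shows: Emile's garner log excerpt (a FORCED CONNECTION RESET at 17:00:01 with no "Starting garner" until 22:14:23) and the logdb listing (137.db last written 16:58, 138.db not until 22:47). The script below, an added example and not code from the thread or from Sophos, parses both and returns the console command (the same service garner:restart -ds nosync quoted above) only when the newest logdb file has gone untouched for longer than a threshold. The sample lines are constructed from the posts above; the year (neither format carries one) and the 10-minute threshold are assumptions. Actually running the restart over SSH is left to a wrapper such as the expect script.

```python
"""Decide whether garner on an XG has stalled before restarting it.

Added example: parses garner's own log for forced Postgres connection resets
and daemon starts, and the logdb 'ls -l' listing for the newest write time.
"""
import re
from datetime import datetime, timedelta

# Assumption: the year for the timestamps (neither format carries one).
YEAR = 2019

# Constructed sample, copied from the log excerpt posted in the thread.
GARNER_LOG = """\
red_gr_input(1179 == 1179):Red devices: Connected: 0 Disconnected 0 Enabled: 0 Disabled: 0
Jun 24 17:00:01: OPPOSTGRES: move_table_to_usedqueue: moving table 'available_webusgdatav9_1561188900' FD: 27
Jun 24 17:00:01: OPPOSTGRES: FORCED CONNECTION RESET for TABLE: 'webusgdatav9' FD: 27
Jun 24 17:00:01: OPPOSTGRES: release_postgres_client: Database disconnected FD: 27
MESSAGE Jun 24 22:14:23 [4146846016]: Starting garner-0.0.0.17 with glibc: 2.21
MESSAGE Jun 24 22:14:23 [4146846016]: garner is running as root. This can be dangerous.Please provide valid 'User' and 'Group' in config file
"""

# Constructed sample, copied from the logdb directory listing in the thread.
LOGDB_LISTING = """\
52048 -rwx------ 1 root 0 53239808 Jun 24 23:20 139.db
53212 -rwx------ 1 root 0 54431744 Jun 24 22:47 138.db
53120 -rwx------ 1 root 0 54337536 Jun 24 16:58 137.db
52544 -rwx------ 1 root 0 53747712 Jun 24 16:39 136.db
"""

RESTART_CMD = "service garner:restart -ds nosync"

_EVENT_RE = re.compile(r"^(?:MESSAGE )?(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")
_LISTING_RE = re.compile(r"(\w{3}) +(\d{1,2}) +(\d\d:\d\d) +(\S+\.db)\s*$")


def parse_garner_events(text, year=YEAR):
    """Return [(timestamp, kind)] for the two events that matter:
    'reset' (FORCED CONNECTION RESET) and 'start' (daemon starting)."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line)
        if not m:
            continue
        if "FORCED CONNECTION RESET" in line:
            kind = "reset"
        elif "Starting garner" in line:
            kind = "start"
        else:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((stamp, kind))
    return events


def restart_gaps(events):
    """Pair each forced reset with the next garner start after it.
    The gap is the window in which Log Viewer showed nothing new."""
    gaps, pending = [], None
    for when, kind in events:
        if kind == "reset" and pending is None:
            pending = when
        elif kind == "start" and pending is not None:
            gaps.append((pending, when, when - pending))
            pending = None
    return gaps


def parse_logdb_listing(text, year=YEAR):
    """Parse 'ls -l' style lines for the logdb files into [(mtime, name)]."""
    files = []
    for line in text.splitlines():
        m = _LISTING_RE.search(line)
        if m:
            mon, day, hm, name = m.groups()
            mtime = datetime.strptime(f"{year} {mon} {day} {hm}", "%Y %b %d %H:%M")
            files.append((mtime, name))
    return files


def newest_logdb_mtime(files):
    return max(mtime for mtime, _ in files)


def restart_command(files, now, max_age=timedelta(minutes=10)):
    """Return RESTART_CMD if no logdb file has been written within max_age
    (assumed threshold), else None: restart on a visible stall, not every tick."""
    if now - newest_logdb_mtime(files) > max_age:
        return RESTART_CMD
    return None


if __name__ == "__main__":
    for reset, start, gap in restart_gaps(parse_garner_events(GARNER_LOG)):
        print(f"reset at {reset}, garner back at {start}: {gap} with no logs")
    files = parse_logdb_listing(LOGDB_LISTING)
    print("decision at 23:45:", restart_command(files, datetime(YEAR, 6, 24, 23, 45)))
```

On a live box the listing would come from the logdb directory and the log from garner's log file; the decision function is what the cron job should call before it spends a restart, and the gap report is what to attach to a support case.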

  • Just to confirm, my garner service died again on MR-6 also.

    Had to restart it today :-(

  • Magic happened overnight: the data missing during the day yesterday appeared in the daily reports (well, most of it). SMTPS reporting is not happening; it was when MR-6 was first released, but it is not now.

    More testing today.

    Ian

     

    Update: on further testing, SMTPS does now appear in the XG GUI. Still missing the SMTPS entries for yesterday; lots of other stuff appeared.

  • Something is still broken, I think :-(

    I will fire up my XG230 in the next few days on a new connection and see if it does it as well.

  • New Internet Service Provider, you mean? Is there a logical reasoning behind this, or is it despair?

    Paul Jr