
Shutdown LOG Sophos XG Firewall

Hello everyone, I am a happy system of a Sophos Firewall XG 18 X-Stream,

which some nice bumblebee on Friday 08 August decided to brutally shut it down.

I would like to know on which LOG the Sophos Firewall writes the shutdown, and with which wording it is written in the LOG file.

Also, is it also written if the Firewall has been brutally shut down (example: the power fails)?

Thanks for the reply,

Best Regards Christian



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Run the following command to find the time stamp for restart/shutdown:

    • grep -i "BusyBox" /log/syslog.log

    Note down the time and use the "less" command to view the logs one page at a time, and check the log lines before the line with "BusyBox".

    I restarted my firewall to capture these sample logs: 


    Aug 10 00:00:05 (none) user.err kernel: [2379190.372697] 774:appdev_release:dev open 0
    Aug 10 06:20:10 (none) daemon.info init: System will reboot
    Aug 10 06:20:10 (none) daemon.info init: The system is going down NOW!
    Aug 10 06:20:10 (none) syslog.info syslogd exiting
    Aug 10 06:21:50 (none) syslog.info syslogd started: BusyBox v1.21.1
    Aug 10 06:21:50 (none) user.notice kernel: klogd started: BusyBox v1.21.1 (2021-03-27 06:38:48 UTC)
    Aug 10 06:21:50 (none) user.notice kernel: [ 0.000000] Linux version 4.14.38 (jenkins@ci-36) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 8701-gef6204d52)) #2 SMP Sat Mar 27 09:21:40 UTC 2021
    Aug 10 06:21:50 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_0_5_574 quiet console=tty0 console=ttyS0,38400n8

    Thanks,

  • Just to add this: if you "kill" the appliance via the power supply, the logs will actually not be written, because the appliance does not shut down; instead it will simply "be off". So the next entry you see is the "BusyBox" entry, as this is the first entry written by the kernel.

  • Thanks for the reply, it was very useful! Immediately filed in my solutions!

  • There is one more question,
    how can I tell if the firewall has been shut down remotely or locally?
    In the case of remote, can I trace the account or IP?
    Thank you

  • Hello Christian,

    You can grep on the CSC.log for the following entry:

    # grep "shutdown_appliance" csc.log

    It will provide the output below; the bolded text tells you what IP shut down the system. You will see either a public IP or a private IP depending on whether it was remote or local.

    {"method":"opcode","name":"shutdown_appliance","version":"1.6","type":"json","length":344,"data":{ "currentlyloggedinuserip": "216.232.99.199", "APIVersion": "1800.2", "___serverprotocol": "HTTP", "___serverip": "172.16.15.254", "___meta": { "sessionType": 1 }, "reason": "testtesttest", "currentlyloggedinuserid": 3, "___username": "admin", "___serverport": 4444, "transactionid": "1234", "___component": "GUI", "reboot": "0", "mode": 193 }}}

    Regards,
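Pulling the two answers above together, an added example that is not from the thread or from Sophos: a small Python script that finds the "syslogd started: BusyBox" boot markers in syslog.log, flags boots that were not preceded by the init shutdown messages (the power-loss case described in the follow-up comment), and extracts the requesting IP and user from a shutdown_appliance entry in csc.log. The sample lines are constructed from the excerpts in the thread; the 203.0.113.7 address and the reason text are made up, and the parser deliberately tolerates the stray trailing brace seen in the quoted csc.log line.

```python
import json

# Constructed sample modelled on the syslog excerpt in the thread: a clean
# reboot (init messages precede the BusyBox marker) followed by a second boot
# with no shutdown messages before it (power loss).
SYSLOG_SAMPLE = """\
Aug 10 00:00:05 (none) user.err kernel: [2379190.372697] 774:appdev_release:dev open 0
Aug 10 06:20:10 (none) daemon.info init: System will reboot
Aug 10 06:20:10 (none) daemon.info init: The system is going down NOW!
Aug 10 06:20:10 (none) syslog.info syslogd exiting
Aug 10 06:21:50 (none) syslog.info syslogd started: BusyBox v1.21.1
Aug 10 06:21:50 (none) user.notice kernel: klogd started: BusyBox v1.21.1 (2021-03-27 06:38:48 UTC)
Aug 11 09:15:02 (none) user.info kernel: [12.500000] constructed routine message
Aug 11 14:02:33 (none) syslog.info syslogd started: BusyBox v1.21.1
"""

# Constructed csc.log entry in the shape shown in the thread (IP, user and
# reason are made up). The extra closing brace is intentional: the copy in
# the thread has one too.
CSC_SAMPLE = ('{"method":"opcode","name":"shutdown_appliance","version":"1.6","type":"json",'
              '"length":344,"data":{ "currentlyloggedinuserip": "203.0.113.7", '
              '"___serverip": "172.16.15.254", "___username": "admin", '
              '"reason": "planned maintenance", "reboot": "0", "mode": 193 }}}')

# Messages init/syslogd write only during an orderly shutdown or reboot.
SHUTDOWN_MARKERS = ("System will reboot", "The system is going down NOW!", "syslogd exiting")

def classify_boots(syslog_text):
    """Return one dict per boot: its timestamp and whether a clean shutdown preceded it."""
    boots, clean_pending = [], False
    for line in syslog_text.splitlines():
        if any(marker in line for marker in SHUTDOWN_MARKERS):
            clean_pending = True                      # orderly shutdown announced
        elif "syslogd started: BusyBox" in line:      # first line written after power-up
            boots.append({"time": line[:15], "clean_shutdown": clean_pending})
            clean_pending = False
    return boots

def parse_shutdown_request(csc_line):
    """Extract who requested the shutdown from a shutdown_appliance csc.log entry."""
    # raw_decode stops after the first complete JSON object, so trailing junk is ignored.
    obj, _ = json.JSONDecoder().raw_decode(csc_line)
    if obj.get("name") != "shutdown_appliance":
        return None
    data = obj["data"]
    return {"source_ip": data.get("currentlyloggedinuserip"), "user": data.get("___username"),
            "reason": data.get("reason"), "reboot": data.get("reboot") == "1"}
```

Run on real files with `classify_boots(open("/log/syslog.log").read())`; a boot entry with `clean_shutdown` False means nothing announced the shutdown, so look at power rather than at csc.log.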

  • Thanks for your valuable reply, it was very helpful to me! Greetings, Christian