Collecting and Downloading the bundle
If you need to review the log files from your data collector (VM) and the VM is still connected to Sophos Central, you can collect and download them with the SDU desktop application or the SDU download website by following the steps below.
- Login to your Sophos Central account
- Click on Threat Analysis Center
- Click on Integrations
- Click on Data collectors
- Click on the Actions menu for the data collector you need the logs from
- Click on Collect logs in the actions menu
- Click the refresh button periodically until you see the log requested date appear in the table. This should happen fairly quickly, but could take a few minutes depending on the log bundle size.
- Click on the information icon next to the log requested date
- Copy the log file name
- Append the log file name to this string: https://sdu-feedback.sophos.com/sva-prod/
- Use the full URL in the SDU download web application or desktop application to download the compressed log bundle
- Unzip the log bundle to view the log files
What’s in the log bundle?
| Log File | Type | Description |
|---|---|---|
| reportSummary.json | File | This file contains information that provides a summary of the system's current state, such as system resource usage, version numbers, and customer information. It also includes the status of each Kubernetes pod. |
| sensor-api.log | File | This file contains the log entries from our Sensor API application. This application is basically the heart of the appliance and allows Kubernetes pods to securely get system-level information. It is also used by the Console UI application to securely perform system-level tasks, and handles all data uploads to the S3 buckets in AWS. This file is useful when troubleshooting whether or not data is being uploaded to S3 for further processing. |
| systemdata.txt | File | This file contains a report of the datetime stamp from the OS, and outputs from the following commands. This is the majority of the information that will help with initial troubleshooting as it provides insight into pod statuses, system resource usage, running processes, and network interface configurations. |
| 50-cloud-init.yaml | File | This file contains the network interface configurations as applied by the seed.iso file or the Console UI application after settings have been edited by the customer/support agent. |
| override-values.yaml | File | This file contains settings that override the default configuration values for the Kubernetes pods. This file should mostly be reviewed by the dev/engineering team; however, it does contain entries that enable/disable the log collector and NDR features. |
| console-ui.json | File | This file contains information that could be useful when troubleshooting a misbehaving Console UI. |
| config.json | File | This file contains the log collector integration information that is applied to the VM. A quick review of this file is an easy way to determine if a configured integration from Central was successfully applied to the VM. |
| filters.json | File | This file contains the filters used by the log collector agent to remove benign syslog messages that would otherwise increase AWS costs. |
| podLogs/chi-dragonfly-clickhouse-simple-0-0-0.txt | File | This file contains the Clickhouse database logs from the Clickhouse DB Kubernetes pod. |
| podLogs/cloud-agent-<container id>.txt | File | This file contains the logs for our Cloud Agent application, which handles the websocket connection along with all Central communication. These logs are useful when troubleshooting whether the appliance has properly registered with Central, is receiving new integration information, is sending integration settings updates, and is providing Central with both integration and VM statistics. |
| podLogs/dragonfly-<container id>.txt | File | This file contains the logs for our packet processing application on the VM. These logs are useful when checking if network packets are being received, if network packets are getting dropped, and if network flow information is being dropped. |
| podLogs/dragonfly-css-container-<container id>.txt | File | The logs in this file belong to our Cluster Severity Scoring engine and can be reviewed to ensure that the application is functioning properly and checking for detections on a timed basis. |
| podLogs/dragonfly-ids-container-<container id>.txt | File | This file can be reviewed if there is a concern with IDS alerts. It also contains stats for the IO message queues that move the flow information between application containers. If the customer VM is sized incorrectly, you would see a full message queue in this log file. |
| podLogs/dragonfly-ml-container-<container id>.txt | File | This file can be reviewed if there is a concern with the ML container. It also contains stats for the IO message queues that move the flow information between application containers. If the customer VM is sized incorrectly, you would see a full message queue in this log file. |
| podLogs/nta-data-container-<container id>.txt | File | This log file will show if there are any issues getting the network flow data into the Clickhouse database. |
| podLogs/nta-detection-framework-<container id>.txt | File | This log file can be reviewed to ensure that the DDE plugins are running when they should, whether any errors are occurring while running the plugins, and which plugins have been applied to the detection engine. |
| podLogs/redis-master-<container id>.txt | File | This file contains the log output from the Redis Kubernetes pod. |
| podLogs/update-agent-<container id>.txt | File | This application is not yet finished, but will be post GA. Once this has been finished and is functioning properly, this message will be updated. |
| varLogs/clickhouse_install_output | File | This is the output from a Clickhouse helper Debian package that gets installed during the VM build process. |
| varLogs/cloud-init.log | File | This log is from the cloud-init application that runs during boot and reads the information from the ISO file that is packaged in the OVA file. |
| varLogs/alternatives.log | File | This is a regular Linux log file. |
| varLogs/dmesg | File | This log file contains kernel-related messages retrieved from the kernel ring buffer. |
| varLogs/dpdk.log | File | This log file contains messages from the DPDK kernel module. |
| varLogs/lastlog | File | This is a regular Linux log file and contains a history of which users have logged into the OS and what time the login occurred. |
| varLogs/ubuntu-advantage.log | File | Log file for Ubuntu Advantage; we do not use this. |
| varLogs/ubuntu-advantage-timer.log | File | Log file for Ubuntu Advantage; we do not use this. |
| varLogs/wtmp | File | A binary log file containing a history of all logins and logouts. |
| varLogs/ndrsensorapi/sensor-api.log | File | This is the original location of the Sensor API logs. |
| varLogs/ndr-system-usage-reporter/system-usage.log | File | This file can be used to check if any errors are occurring with our system usage reporter. Checking this log file would help when troubleshooting why a VM wasn't properly reporting its system resource usage statistics. |
| varLogs/pods | Directory | Original location of the Kubernetes pod logs. |
| varLogs/dist-upgrade | Directory | Ubuntu distribution upgrade logs. |
| varLogs/private | Directory | |
| varLogs/unattended-upgrades | Directory | Ubuntu unattended upgrade logs. We have this feature turned off so it doesn't conflict with our update process. |
| varLogs/apt | Directory | Logs for the apt package manager. |
| varLogs/journal | Directory | Journalctl binary log files. |
| varLogs/landscape | Directory | |
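The URL-building step of the download procedure and the bundle layout in the table above, as an added helper (example code, not a Sophos tool): it builds the SDU download URL from a copied log file name and checks an unzipped bundle's member list against a subset of the documented files, treating `<container id>` as a wildcard. The bundle file name `EXAMPLE-bundle.zip` and the member listing are constructed placeholders.

```python
import fnmatch
import zipfile

SDU_BASE = "https://sdu-feedback.sophos.com/sva-prod/"

# Subset of the documented bundle layout; "<container id>" is matched as a wildcard.
EXPECTED = [
    "reportSummary.json", "sensor-api.log", "systemdata.txt", "50-cloud-init.yaml",
    "override-values.yaml", "console-ui.json", "config.json", "filters.json",
    "podLogs/cloud-agent-<container id>.txt",
    "podLogs/dragonfly-<container id>.txt",
    "podLogs/dragonfly-ids-container-<container id>.txt",
    "podLogs/nta-data-container-<container id>.txt",
    "varLogs/ndrsensorapi/sensor-api.log",
]

# Constructed member listing standing in for a real bundle (not real data).
SAMPLE_MEMBERS = [
    "reportSummary.json", "sensor-api.log", "systemdata.txt", "50-cloud-init.yaml",
    "override-values.yaml", "console-ui.json", "config.json", "filters.json",
    "podLogs/cloud-agent-1a2b3c.txt", "podLogs/dragonfly-4d5e6f.txt",
    "podLogs/dragonfly-ids-container-7a8b9c.txt",
    "varLogs/ndrsensorapi/sensor-api.log", "varLogs/dmesg",
]

def sdu_url(log_file_name: str) -> str:
    """Append the log file name copied from Central to the SDU base URL.
    Reject anything that is not a bare file name so a pasted value cannot
    change the path."""
    name = log_file_name.strip()
    if not name or "/" in name or "\\" in name or name.startswith("."):
        raise ValueError("log file name must be a bare file name")
    return SDU_BASE + name

def check_bundle(members: list[str]) -> dict:
    """Classify bundle members against EXPECTED. Longest pattern first, so
    dragonfly-ids-container-<id> is not also claimed by dragonfly-<id>."""
    patterns = sorted(EXPECTED, key=len, reverse=True)
    found = {entry: [] for entry in EXPECTED}
    other = []
    for member in members:
        for entry in patterns:
            if fnmatch.fnmatchcase(member, entry.replace("<container id>", "*")):
                found[entry].append(member)
                break
        else:
            other.append(member)  # present, but not in the checked subset
    missing = [entry for entry in EXPECTED if not found[entry]]
    return {"found": {k: v for k, v in found.items() if v}, "missing": missing, "other": other}

def bundle_members(zip_path: str) -> list[str]:
    """Member paths of a downloaded bundle, for feeding into check_bundle()."""
    with zipfile.ZipFile(zip_path) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]
```

Run `check_bundle(bundle_members("EXAMPLE-bundle.zip"))` on a real download; a non-empty `missing` list for the pod logs usually means the corresponding pod was not running when the bundle was collected.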