Local Logs -> Settings -> Enabled - but not working.

I send my UTM logs through to my Splunk install.
Today I noticed that the UTM has not been sending any logs through since Nov 1 2019.


On the View Log Files screen all the logs are "0 bytes" in size.
Using the web interface, I disabled then re-enabled the logging and nothing changed (still no logging).

I did some searching on this forum and found some CLI commands, so I logged in to the UTM and
first did an ls -al *log in the /var/log folder:
-rw-r--r-- 1 root log 0 Jan 28 12:40 afc.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 aptp.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 aua.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 boot.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 confd-debug.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 confd.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 dhcpd.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 epsecd.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 fallback.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 html5vpn.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 httpd.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 http.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 ips.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 kernel.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 logging.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 login.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 mdw-debug.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 mdw.log
-rw-r--r-- 1 root log 686 Jan 28 12:40 mg-agent.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 named.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 notifier.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 packetfilter.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 pppoe.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 red.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 reverseproxy.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 selfmon.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 service_monitor.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 smtp.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 sshd.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 system.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 up2date.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 webadmin.log
-rw-r--r-- 1 root log 0 Jan 28 12:40 wireless.log

I then ran the following commands:

astaro:/var/log # /etc/init.d/syslogng status
:: Status Logging unused

astaro:/var/log # /etc/init.d/syslogng restart
:: Stopping Logging done
:: Starting Logging done
:: Restarting Logging

astaro:/var/log # /etc/init.d/syslogng status
:: Status Logging unused

astaro:/var/log # /etc/init.d/syslogng configtest
:: Testing Logging configuration/etc/init.d/syslogng: line 29: 8921 Bus error (core dumped) $SYSLOGD -s $SYSLOGD_OPTS failed

I then had a quick look at /etc/init.d/syslogng line 29, and I'm not seeing anything unusual there.

------ start of file -----------
#!/bin/bash
# Copyright (C) 2000-2011 Astaro AG
# For copyright information look at /doc/astaro-license.txt
# or www.astaro.com/.../astaro-license.txt
#
# Maintainer: Christoph Moench-Tegeder <cmoench@astaro.com>
#
### BEGIN INIT INFO
# Provides: syslog
# Required-Start: $local_fs
# Required-Stop:
# Default-Start: 2 3
# Default-Stop: 0 6
# Description: Start the syslog-ng and klogd daemons
### END INIT INFO

. /lib/lsb/init-functions

# First reset status of this service
rc_reset

PATH=/sbin:/bin:/usr/sbin:/usr/bin
PNAME="Logging"

SYSLOGD="/usr/sbin/syslog-ng"
SYSLOGD_OPTS=" -f /etc/syslog-ng.conf"
NOSELFM="/etc/no-selfmonitor/syslog-ng"

case "$1" in
    start)
        echo -n ":: Starting $PNAME"

        if checkproc $SYSLOGD; then
            rc_status -s
            echo "already running!"
            exit 1;
        fi

        if [ ! -f /etc/syslog-ng.conf ] ; then
            cp /etc/syslog-ng.conf-minimal /etc/syslog-ng.conf
        fi

        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately.
        startproc -f $SYSLOGD $SYSLOGD_OPTS 2> /dev/null
        # Remember status and be verbose
        rc_status -v
        # activate selfmonitoring
        rm -f $NOSELFM
        ;;
    stop)
        echo -n ":: Stopping $PNAME"
        # deactivate selfmonitoring
        touch $NOSELFM
        killproc $SYSLOGD >/dev/null 2>&1
        # Remember status and be verbose
        rc_status -v
        while pgrep -c syslog-ng > /dev/null ; do sleep 0.25 ; done
        ;;
    try-restart)
        ## Stop the service and if this succeeds (i.e. the
        ## service was running before), start it again.
        $0 status >/dev/null && $0 restart
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start
        echo -e ${attn}":: Restarting $PNAME"${norm}
        # Remember status and be quiet
        rc_status
        ;;
    force-reload|reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        echo -n -e ${attn}":: Reconfigure $PNAME"${norm}
        killproc -HUP $SYSLOGD ; rc_status -v
        ;;
    status)
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Status has a slightly different meaning for the status command:
        # 0 - service running
        # 1 - service dead, but /var/run/ pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running

        # NOTE: checkproc returns LSB compliant status values.
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.

        echo -n ":: Status $PNAME"
        checkproc $SYSLOGD
        rc_status -v

        #echo -n "Checking for service klogd: "
        #checkproc $KLOGD
        #rc_status -v

        ;;
    probe)
        ## Optional: Probe for the necessity of a reload,
        ## give out the argument which is required for a reload.
        echo -n ":: Probe for reload of $PNAME"
        rc_status -v
        test /etc/syslog-ng.conf -nt /var/run/syslog-ng.pid && $0 reload
        ;;
    configtest)
        echo -n ":: Testing $PNAME configuration"
        if ! $SYSLOGD -s $SYSLOGD_OPTS; then
            rc_failed 1
        fi
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe|configtest}"
        exit 1
        ;;
esac
rc_exit
------- cut file here --------------

So I did some more digging and noticed there's a new update for the UTM: firmware version 9.701-6 (I was on 9.700-5).
So I manually downloaded the latest and applied it. It all installed fine, and the system rebooted.

I then rechecked the logs, and unfortunately logging is still not working.
I re-ran the /etc/init.d/syslogng commands and got the same results as above.

For the record, disk space is not an issue:
astaro:/var/log # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda6 5.2G 2.7G 2.3G 54% /
udev 2.0G 96K 2.0G 1% /dev
tmpfs 2.0G 48K 2.0G 1% /dev/shm
/dev/sda1 331M 16M 295M 5% /boot
/dev/sda5 40G 4.6G 33G 13% /var/storage
/dev/sda7 52G 387M 49G 1% /var/log
/dev/sda8 2.4G 4.7M 2.3G 1% /tmp
/dev 2.0G 96K 2.0G 1% /var/storage/chroot-clientlessvpn/dev
tmpfs 2.0G 0 2.0G 0% /var/sec/chroot-httpd/dev/shm
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-openvpn/dev
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-ppp/dev
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-pppoe/dev
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-pptp/dev
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-pptpc/dev
/dev 2.0G 96K 2.0G 1% /var/sec/chroot-restd/dev
tmpfs 2.0G 0 2.0G 0% /var/storage/chroot-reverseproxy/dev/shm
/var/storage/chroot-smtp/spool 40G 4.6G 33G 13% /var/sec/chroot-httpd/var/spx/spool
/var/storage/chroot-smtp/spx 40G 4.6G 33G 13% /var/sec/chroot-httpd/var/spx/public/images/spx
tmpfs 2.0G 84K 2.0G 1% /var/storage/chroot-smtp/tmp/ram

The server/appliance that is running the UTM has been in place since 2015 and is a Netgate RCC-VE 2440.

Thoughts, suggestions, help, greatly appreciated.

Trevor..
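The logs in this post stopped on Nov 1 and nobody noticed until Jan 28, which is the real exposure: a firewall that logs nothing also alerts on nothing. As an added example (not part of the thread, not Sophos code), here is a small POSIX shell check that flags *.log files in a directory that are either zero bytes or have not been written to for longer than a threshold, so it can run from cron on the appliance or as a scripted input on the Splunk side. The function names, the 60-minute threshold and the sample directory are my own; the sample reproduces the symptom from the listing above (an empty afc.log and a system.log last written on 2019-11-01).

```sh
#!/bin/sh
# Added example, not from the thread or from the UTM: flag log files that are
# empty or have not been modified for longer than a threshold (in minutes).
# Assumes find(1) with -maxdepth and -mmin (GNU findutils or BusyBox).

# Print *.log files directly under $1 that are zero bytes long, sorted.
find_empty_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log' -size 0 | sort
}

# Print *.log files directly under $1 not modified in the last $2 minutes.
find_stale_logs() {
    find "$1" -maxdepth 1 -type f -name '*.log' -mmin "+$2" | sort
}

# Report on directory $1 with stale threshold $2 (minutes).
# Returns 1 if anything is wrong so a cron wrapper or agent can alert on it.
check_log_dir() {
    dir=$1
    max_min=$2
    empty=$(find_empty_logs "$dir")
    stale=$(find_stale_logs "$dir" "$max_min")
    [ -n "$empty" ] && printf '%s\n' "$empty" | sed 's/^/EMPTY  /'
    [ -n "$stale" ] && printf '%s\n' "$stale" | sed "s/^/STALE (>${max_min} min idle)  /"
    if [ -z "$empty" ] && [ -z "$stale" ]; then
        printf 'OK  %s\n' "$dir"
        return 0
    fi
    return 1
}

# Constructed sample directory that mimics the listing in the post.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/afc.log"                          # 0 bytes, like nearly every file above
    printf 'agent up\n' > "$d/mg-agent.log"   # recent and non-empty: healthy
    printf 'old entry\n' > "$d/system.log"
    touch -t 201911010000 "$d/system.log"     # last write 2019-11-01, like the UTM
    printf '%s\n' "$d"
}

# Usage: sh logcheck.sh /var/log [minutes]   or   sh logcheck.sh --demo
case "${1:-}" in
    --demo) check_log_dir "$(make_sample_dir)" 60 || true ;;
    ?*)     check_log_dir "$1" "${2:-60}" ;;
esac
```

Running it with `--demo` prints one EMPTY line for afc.log and one STALE line for system.log and exits non-zero; pointed at the real /var/log it would have exited non-zero every hour from November onward. The threshold should match the noisiest log on the box (packetfilter.log or http.log on a busy UTM rarely goes quiet for an hour), and on the collector side the same idea is an alert on "no events from host X in N minutes".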



  • I've not heard of this before, Trevor - do you have a paid license for this device so that you can get Support to take a look at it?

    If not, my first try would be to rebuild the PostgreSQL data bases (deletes history in Reporting):

    /etc/init.d/postgresql92 rebuild

    If that doesn't work, I'd be tempted to get a few backups off the device and re-image it.

    Please let us know what happens.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,  (long time no speak)

    No licence, it's a home version licence.

    I tried your suggestion of doing the postgresql reset, and got the following:

    ---- code ---

    astaro:/ # /etc/init.d/postgresql92 rebuild
    Rebuilding PostgreSQL database, all reporting data will be lost!
    Enter "yes" to continue...
    yes
    :: Stopping PostgreSQLpg_ctl: PID file "/var/storage/pgsql92/data/postmaster.pid" does not exist
    Is server running?
    failed
    :: Initializing the PostgreSQL databaseFATAL: could not load library "/usr/pgsql92/lib/utf8_and_win.so": /usr/pgsql92/lib/utf8_and_win.so: cannot read file data: Input/output error
    STATEMENT: CREATE OR REPLACE FUNCTION utf8_to_win (INTEGER, INTEGER, CSTRING, INTERNAL, INTEGER) RETURNS VOID AS '$libdir/utf8_and_win', 'utf8_to_win' LANGUAGE C STRICT;

    child process exited with exit code 1
    initdb: removing contents of data directory "/var/storage/pgsql92/data"
    done
    :: Starting PostgreSQLpg_ctl: could not start server
    Examine the log output.
    failed
    :: Restarting SMTP Proxy
    :: Stopping SMTP Proxy
    cat: /var/chroot-smtp/tmp/ram/pid/sandbox_watcher: No such file or directory
    [ ok ]
    :: Starting SMTP Proxy
    [ ok ]
    [ ok ]

    --- end code ---

    I then looked at the Webadmin -> view log files and the log files are still blank.

    I also tried a reboot of the device, and then tried the command again.

    Still no luck.

    I'd like to try to avoid the rebuild of the server, as I have to set up a headless install, and it's been quite a while
    since I've done one of those, and I'm not sure how well it would work given all the changes since Astaro became Sophos.

    I did a quick tail on /tmp/postgres.log:
    postgres cannot access the server configuration file "/var/storage/pgsql92/data/postgresql.conf": No such file or directory

    I did a quick search for postgresql.conf and there is none on the system??
    Actually the "/var/storage/pgsql92/data" folder is empty (I did a quick comparison between mine and a friend's unit).

    Ok, the rebuild command has a "removing contents of data directory "/var/storage/pgsql92/data"" step,
    which removes the config file and the other files that it looks like it needs to start (PG_VERSION, etc.).

    At this point it looks like there are too many files missing for me to rebuild (unless I take a backup of the
    /var/storage/pgsql92/data folder from my friend's unit).

    Thoughts on an easier way to re-install/repair pgsql92?

    Trevor..
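The line worth pausing on in the rebuild output above is `cannot read file data: Input/output error` on utf8_and_win.so: that is the kernel refusing to read a block, not a PostgreSQL fault, and it means other files on the same disk may be silently unreadable too (on Linux the matching block-layer errors would also appear in dmesg). As an added example (my own, not from the thread or from Sophos), here is a POSIX shell function that reads every regular file and symlink under a directory end to end and prints the ones that cannot be read, so the extent of the damage can be sized before deciding between repair and re-image. The constructed sample uses a dangling symlink as a stand-in for an unreadable file, since a real I/O error cannot be produced on demand; the directory layout and file names are invented.

```sh
#!/bin/sh
# Added example, not from the thread: find files under a directory that cannot
# be read in full. Under real conditions a file that fails here with EIO is a
# storage problem, not an application problem.
# Assumes POSIX find(1), cat(1), wc(1) and tr(1).

# Print each file under $1 that cannot be read end to end, one path per line.
find_unreadable() {
    # -type l is included so a dangling link (target missing) is reported too.
    find "$1" \( -type f -o -type l \) | sort | while IFS= read -r f; do
        if ! cat "$f" >/dev/null 2>&1; then
            printf '%s\n' "$f"
        fi
    done
}

# Summarise directory $1: "<bad> of <total> files unreadable", then the bad
# paths. Returns 1 if any file failed so it can gate a rebuild decision.
verify_tree() {
    total=$(find "$1" \( -type f -o -type l \) | wc -l | tr -d ' ')
    bad=$(find_unreadable "$1")
    nbad=0
    [ -n "$bad" ] && nbad=$(printf '%s\n' "$bad" | wc -l | tr -d ' ')
    printf '%s of %s files unreadable under %s\n' "$nbad" "$total" "$1"
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ "$nbad" -eq 0 ]
}

# Constructed sample tree: one readable file and one dangling symlink that
# stands in for the library the rebuild could not read.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/lib"
    printf 'constructed shared object contents\n' > "$d/lib/utf8_and_ascii.so"
    ln -s "$d/missing-target.so" "$d/lib/utf8_and_win.so"
    printf '%s\n' "$d"
}

# Usage: sh readcheck.sh /usr/pgsql92/lib   or   sh readcheck.sh --demo
case "${1:-}" in
    --demo) verify_tree "$(make_sample_tree)" || true ;;
    ?*)     verify_tree "$1" ;;
esac
```

Run against /usr/pgsql92/lib, /var/storage/pgsql92 and the log partition it answers the question the thread could not: whether the I/O error is one bad sector under one library or a failing disk, which is what decides between restoring a handful of files and re-imaging onto fresh storage. Reading through the filesystem only finds errors the filesystem reports; a SMART query of the drive is the complementary check.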

  • Almost two years ago, MattS1984 posted:

    If there's an error that database reporting doesn't exist

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32257/error-database-reporting-does-not-exist

    # su postgres /var/storage/pgsql92/init/reporting_db_init.sh

    Any better luck with that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi again.

    That didn't work:

    astaro:/root # su postgres /var/storage/pgsql92/init/reporting_db_init.sh
    psql: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
    createdb: could not connect to database template1: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
    psql: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
    psql: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
    psql: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

    I'm thinking of doing a rebuild this weekend (it might be quicker),
    as I'm noticing other things not working, i.e. Mail Manager not showing any history either.
    (Yes, they're tied together.)

    Trevor..

    PS. Interesting side note, I've ticked the notify me when someone replies to this post,
    but I'm not getting any emails.

  • Hi again.

    I did a rebuild from the latest iso, and re-applied the latest backup,
    and all is now working properly.

    It was probably time I did a rebuild, as the Netgate RCC-VE 2440 box that's running
    the Sophos UTM has not had a clean rebuild since April 2015. So 5 years of constant
    in-place upgrades without any issues is pretty awesome.

    Side Note - More Awesomeness: the original script (asg2asi.sh) to set up a
    headless install still works on the latest ISOs (asg-9.701-6.1.iso).

    As always, thanks for all the assistance.
    Trevor..