Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Sophos XG firewall offers on-device reporting and logs, which is a good feature for all SMBs. There is another module, "Sophos iView", available for logs and reporting, but it is good for critical organizations or big data centers that need a lot of logs, reports, and backups of all of those.

Recently, I faced an issue where no logs were showing in the GUI "Log Viewer", but you will see all logs through the command line, or some new logs on the auxiliary device but not on the primary device (new logs not updating). This issue is reported on both virtual and hardware firewalls. Today I am going to share how to handle this issue without booking a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read the full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html

  • Thank you. Even though my report disk was only 10%, my reports had stopped from early on the 14th.

    Restarted garner and reports are being generated again.

    Ian

  • In reply to rfcat_vk:

    Hi,

    the fix appears to have fixed everything except mail. While today's mail shows in logviewer, none of yesterday's mail does even after the garner restart. The Reports -> mail in the GUI is empty for today 16th April.

    Ian

     

    Update:- 1100 16/4 a miracle has happened, I now have mail reports.

  • In reply to rfcat_vk:

    Something went very badly wrong. Today's report was missing details about user activity.

    I have restarted the XG to see if that fixes the issue tomorrow morning.

    Ian

  • In reply to rfcat_vk:

    Hi,

    I am happy that this solution worked for you!

  • In reply to Deepak Verma:

    After some days, logs stopped again; after using the command service garner:restart -ds nosync it fills up again.

    It happened after 17.5 MR4; now using MR4-1, but still stopping after a few days.

  • In reply to PRC_N:

    Do your daily reports show your user activity? Also after a restart to get user activity reported I am seeing data from the previous day eg the device was not on the network yesterday.

    Ian

  • In reply to PRC_N:

    Hi,

    Please book a ticket with the TAC team. I am investigating the issue on my firewall.

  • In reply to Deepak Verma:

    [#8781763] Web support ticket.

  • In reply to PRC_N:

    Garner is the "center daemon" for logging. So if this daemon dies, your logging stops. 

     

    https://community.sophos.com/kb/en-us/126722

    Maybe for your information.

  • In reply to LuCar Toni:

    The question is why after the upgrade has it stopped? Why does it take a restart to get all the reports working again eg user activity? 

    Until the upgrade I had not experienced any issues with the garner process.

    Ian

  • In reply to rfcat_vk:

    Hi, we have a similar issue. Our logs stopped working too. We also saw issues with CPU usage where a reboot clears it but after about 2 days CPU usage jumps by an extra 30%+ after a few days. I have been told that our CPU usage is normal even though before the update it was nowhere near that high and Sophos have connected in and seen the Garner daemon at 99% on 1 core. No matter how much I try to tell them something is wrong, they are just more interested in closing the case.

  • In reply to Pwc:

    Hi Pwc,

    I would find that response a little strange, since MR-4 my memory usage has dropped from 55% to 47% consistently and CPU is about the same 3-12%.

    Sounds like you might have a corrupt reporting database?

    Ian

  • In reply to rfcat_vk:

    Hi, memory usage has been fine. They have already been in and fixed the DB errors and say there are no more issues. When I get a chance I am going to check if the garner service is back at 99% usage again.

  • In reply to Pwc:

    Broken again sometime yesterday. I have a small amount of data from yesterday and nothing in the GUI this morning.

    I am going to restart the XG to see if that quickly fixes the issue.

    Ian

     

    Update:- restart fixed the reporting and logging issues. Why was a restart required?

  • In reply to rfcat_vk:

    Hi,

    What is the firmware version, and did you try Flush complete Reporting? If you face any issue next time, please collect some command output, such as:

    system diagnostics show subsystem-info

    show on-box-reports

     

    The articles below will help you:

     https://community.sophos.com/kb/en-us/123209

    https://community.sophos.com/kb/en-us/132211