Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Sophos XG firewall is offering on Device Reporting and logs, which is a good feature for all SMBs. There is another module "Sophos iView" available for logs and reporting but it is good for some critical organization or big data Center who need a lot of logs, reports, and backup of all those.   

Recently, I faced an issue as there is no log showing on the GUI "Log Viewer" but you will see all logs through the command line or some new logs on the auxiliary device but not on the primary devices (new logs not updating). This issue is reported on a virtual and hardware firewall as well. Today I am going to share how to handle this issue without book a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read a full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html

  • In reply to EmileBelcourt:

    Hi

    @Emile Have responded to PM

     

    @Buck Have 15 which I manage, most are running 17.5.4 MR4 at present and will be staying there until this is resolved. Have had no Gartner logging issues with any of them, but most of them do not produce a large volume of logs per day. All are a minimum of an XG125, with a couple of XG210 and a XG310

     

    I only upgraded 2 units to MR6 due to the listed IPSec fixes related to connection rekey issues believing it may assist with the Azure issue. But without logging it is really difficult to resolve.

    There needs to be a way of getting the console logs out, but I cant seem to find one.

     

    Regards

    Gavin

  • So.  Regarding this thread -> Logs are not updating on the GUI "Log Viewer".

    Anyone have seen anything improving with MR7 ?

    As a reminder, this post was started on the 13-04-2019.  For a log problem that started a little earlier.

    Paul Jr 

  • Besides the fact that logs may not be updating, I have hit this today.  I have a rule, let's call it "36" that allows a server to validate a certificate somewhere on the web.  I disable it, it cannot validate.  I enable it, it does.  Simple.  Well.  Filtering with "Firewall Rule = 36" indicates XG's logs have no clue firewall rule 36 exists.  nada. niet nothing.  Filtering logs with that server's ip shows it never ever whatever uses rule 36.

    Also, in the "Firewall" menu, you could see the rule would allow traffic "in x.xx MB, out x.xx MB". Another indication that rule actualy does something.

    Navigating blind I presume.

    Logs viewer in XG requires entire re-write.

    Paul Jr

  • In reply to Big_Buck:

    Hi

    I have also got the somehow the same issue Sophos XG750 ie. if I am enabling email notification in System>Administration> Notification Setting  my box garner service gets stops after few hrs. And after disabling email notification and restarting of garner service , log and report are coming fine.

     

    I raise this issue and checking the box log by GE support team, they  installed a patch called "libeximmailclient"   and now i am able to see the log in log vieiwer and reports also.

     

    Thanks to the sophos GE support team.

  • In reply to Ravindra Jangir:

    You resultant fix leads to a question as to why it has not been deployed as a hot fix to all XG boxes?

    Ian

  • In reply to rfcat_vk:

    May be it depend what kind of issue actually we facing.

    After checking below output they decided to patch it:

    (gdb) bt

    #0  0xf732e471 in poll () from target:/lib/libc.so.6
    #1  0xf72572cf in ?? () from target:/lib/libpq.so.5
    #2  0xf72571b0 in ?? () from target:/lib/libpq.so.5
    #3  0xf725709a in ?? () from target:/lib/libpq.so.5
    #4  0xf7257062 in ?? () from target:/lib/libpq.so.5
    #5  0xf7253457 in PQgetResult () from target:/lib/libpq.so.5
    #6  0xf7253ae1 in ?? () from target:/lib/libpq.so.5
    #7  0xf7253753 in PQexec () from target:/lib/libpq.so.5
    #8  0xf6f99679 in process_pgsql_query (conn_handle=0xa2100a8, query=0xffd65688 "END;", r_set=0x0) at postgres_db.c:585
    #9  0xf6f99a86 in end_transaction (conn_handle=0xa2100a8) at postgres_db.c:701
    #10 0xf6f9a26b in move_table_to_usedqueue (db=0x9e55234, table=0x9e55220) at postgres_db.c:927
    #11 0xf6f943fb in oppostgres_event (handle=0x9ed7f90) at oppostgres.c:477
    #12 0xf6f94253 in oppostgres_output (searray=0xf44de008, nse=1, output_data_list=0xffd667b8, handle=0x9ed7f90) at oppostgres.c:435
    #13 0x08051844 in check_conditions ()
    #14 0x080518e5 in check_conditions ()
    #15 0x080519de in process_std_events ()
    #16 0x08051a71 in ?? ()
    #17 0x08052309 in handle_accept_udp ()
    #18 0x080542b5 in do_epoll ()
    #19 0x08054717 in parent_main ()
    #20 0x080550dc in garner_main ()
    #21 0x08055113 in main ()

  • In reply to Ravindra Jangir:

    I would be surprised seeing the issue is temporarily resolved by disabling certain notifications.

    Ian

  • In reply to LuCar Toni:

    This KB is added newly, it was not there before.  I raised this issue on 17-July-2019 and patched installed on 19-July-2019 on my device (XG750)

  • Hi,

    There is no improvement on SFOS 17.5.7 MR-7 and as per community post, Sophos is will fix this issue in release version 18.  

  • In reply to Deepak Verma:

    I would not bet anything on this ...  We are way too far for v18.  The beta has not even been released.

    There will be an MR8.  And MR9. et.c.

    My two cents.

    Paul Jr.

  • In reply to Big_Buck:

    KBA clearly state:

    https://community.sophos.com/kb/en-us/134173

    Current Status

    This is a known issue , patch is available .

    Affected customers could contact support for installing the patch .

    The issue would be fixed in the next maintenance release v17.5 MR-8 .

  • In reply to LuCar Toni:

    Hello Lucar

    Thanks for answering and helping.

    Are you refering to the general log viewer problem or the more specific one I have mentionned on the 2019-7-18 8:57 PM (rule 36 not showing) ?

    I've raised a case many months ago regarding a very similar issue.  A cleanup rule not showing.  Sophos never solved it.  The nonsense way rule 0 behave is normal to them.  I toasted many hours on that one too.

    As KB134173, it should not be, but everyone who owns a Sophos XG already knows the command "service garner:restart -ds nosync" by now ...

    Paul Jr 

  • I have a similar problem with the live log viewer.

    nog logs are being showed, after a reboot / upgrade last wednesday to firmware version 17.5.7 the live log viewer worked for 3 hours and then stopped again with the logging.
    hard drive has space enough.

     

  • In reply to Kevin Paulusse:

    You can try this workaround, just disablemail notification and restarting of garner service then check log and report are or not.