Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Sophos XG firewall offers on-device reporting and logs, which is a good feature for all SMBs. There is another module, "Sophos iView", available for logs and reporting, but it is good for critical organizations or big data centers that need a lot of logs, reports, and backups of all those.

Recently, I faced an issue where no logs are showing on the GUI "Log Viewer", but you will see all logs through the command line, or some new logs on the auxiliary device but not on the primary device (new logs not updating). This issue is reported on virtual and hardware firewalls as well. Today I am going to share how to handle this issue without booking a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read a full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html

  • Another Customer with the issue, box was freshly built this morning and backup file applied. 7 hours to failure.

    Emile

  • Problem appeared on all firewalls here.  No email notification + No logs.

    With absolutely no fix on the horizon. MR4 + MR5 + MR6 took months. And everything is still problematic. So ...

    Paul Jr

  • In reply to Big_Buck:

    At the moment I have disabled alerts, which have not functioned correctly for some time. I get daily reports and backups emailed to me.

    The good news so far is no garner crashes.

    Ian

  • Hi,

    As my closing comment on this issue: this is happening due to some instability issue, and it will go away if you disable the Email Notification for IPSec Tunnel up/Down and Email Later for Login failure (as shown in the picture).

      

  • In reply to Deepak Verma:

    Hi,

    that is not a fix, but a temporary workaround that does not offer a solution to the missing services. It is not an instability issue, but a software issue that should have been fixed in MR-6 as promised.

    Ian

     

    edited layout, something went wrong with the page load.

  • In reply to rfcat_vk:

    rfcat_vk
    that is not a fix

     

    +1

    But at least Garner has remained up for now. Better to have it working than the need for that email notification.

  • In reply to M8ey:

    However, there’s a need to maintain a log book of all those temporary work-arounds on all appliances, since they last months. Our customers do not pay for that.

    Paul jr

  • In reply to M8ey:

    Anyone has an update on this ?

    Paul Jr

  • In reply to rfcat_vk:

    It's actually not even a temporary workaround.

    IPSec data is not being written to the system log.

    So if an IPSec tunnel drops and reconnects, there are no log messages, even though the Firewall logging is working.

     

    Need some way of extracting the console logs. Having a major Azure issue at present.

  • In reply to GavinDaniels:

    You could get brave, enable the logging and create a batch run to restart garner each night.

    Ian

  • In reply to rfcat_vk:

    Hey there.

     

    No use doing something to restart the Garner service when the IPSec logs are not being written when it is already running.

     

    Something has changed from 17.5.4 to 17.5.6 to break that

  • In reply to GavinDaniels:

    Hello Gavin,

    If you are not getting any IPSEC log lines in the SYSTEM log comp then you have a different problem than this issue and should contact support. This Garner issue is for all logs or none at all.

    Not had any issues with IPSEC logs being written noticeably on any of mine/customer firewalls.

    Emile

  • In reply to EmileBelcourt:

    Hi,

     

    Already have a support ticket in the system,

    It's just that this customer uses the IPSec connections a lot, so not logging really stood out.

     

    Originally had the Garner issue, and after disabling notifications and restarting, the firewall is now logging, but trying to track an Azure issue without logs is difficult.

     

    Regards

     

    Gavin

  • In reply to EmileBelcourt:

    Silly question ... How many customers do you maintain ?  For statistic purposes.

    Here, I do not have to restart garner that much. I presume it is related to the quantity of logs generated, and maybe to the speed the appliance manages these logs. I say that because our appliances are overkill and we have few users. Their web activities being mostly mails. We have IP telephony. This generates "A LOT" however.

    Paul Jr

  • In reply to GavinDaniels:

    Hello Gavin,

    PMed you regarding the Azure issue.

    @Buck

    We do not actively maintain Customers as we are not an MSP, but we have Support contracts for around 75 of our Customers. However, we are a ProServices outfit as well and I install between 2 and 4 Customer appliances/endpoint software a week (discounting multiples in the same sitting).

    I have seen this on about 30% of our Customers on 17.5.5/6 and around the same percentages on my installations. I do regularly enable the alert notifications, but since this issue I have stopped.

    Emile