HOW TO: Save the logs Sophos Support requests

So this was frustrating to figure out because I never really get any guidance from support on how to do this.  I think they are assuming everyone simply uses PuTTY for Windows or some other Linux client and everyone must know how to capture logs to a file; it's easy, right?  OK, well, yeah, it is, but here's the guide for people who don't know how yet and still need to learn.  If you want to grab a log, use PuTTY.  I prefer the Bitvise SSH Client, but it doesn't have the same logging capabilities as PuTTY.

When you first run PuTTY, you get a window where you can type your host and connect.  But there's also a Logging area under Session that you can configure to save the output of the entire session into a log file:

OK so click there and make the following changes:

I use "All session output", and you also have to change the default log file name, or it defaults to the program's own directory, where no one has write access by default (unless you run PuTTY as Admin).  So my log file name is: C:\Users\chris\Documents\Putty logs\&H-&Y-&M-&D-&T.log.  The Logging panel shows a legend for what those & placeholders expand to (&H is the host name, &Y, &M and &D the date, &T the time), so each session gets its own file.

You're going to log in as admin.  If you want to paste your password in, you can: just right-click somewhere in the terminal window if it's on the clipboard.

Let's say you need to grab your awarrenmta.log file from the /log folder.  To do this you're going to need to enter the Advanced Shell: select #5 Device Management, then #3 Advanced Shell.  Be very careful in this area; if you do the wrong thing you could ruin your device and void your warranty.  However, digging through a log is something they make us do rather frequently at my shop.

Your Advanced Shell prompt looks like this:

You're going to type the following commands:

cd /log
cat awarrenmta.log
cat awarrenmta.log.0

awarrenmta.log.0 is the previous, rotated copy of the log: it covers the period before the current awarrenmta.log begins, so the two together give a continuous history (oldest entries in .0, newest in the live file).  When the system brings you back to the bash prompt, type exit, then press 0 twice to leave the console.  This will close PuTTY and you'll have a nice large .log file to zip up and email to Sophos support.  Since "All session output" records everything that was printed to the screen, the file contains whatever the logs contain (sender and recipient addresses, host names and so on), so skim it before you send it.

Bon appétit!
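As an added example (not part of Chris's post), here is a POSIX sh snippet for the Advanced Shell that writes all rotated generations of a log into one file, oldest first, so the collected file reads chronologically instead of requiring you to cat each generation by hand. It assumes the rotation scheme the post describes (NAME.0 is the most recent rotated copy, higher numbers are older; compressed .gz rotations are not handled) and only uses commands a BusyBox shell provides. The demo function's sample log contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Intended for the XG Advanced Shell
# (a BusyBox-style /bin/sh); uses only ls, sed, sort, cat, mktemp and printf.
# Assumption: rotation names the most recent rotated copy NAME.0 and older
# copies NAME.1, NAME.2, ... (higher number = older), as the post describes for
# awarrenmta.log / awarrenmta.log.0. Compressed (.gz) rotations are not handled.

# collect_rotated BASE OUT
#   Concatenates BASE.N ... BASE.1 BASE.0 BASE (oldest first) into OUT so the
#   combined file reads in chronological order.
collect_rotated() {
    base=$1
    out=$2
    : > "$out"
    # Numeric suffixes, highest first, i.e. oldest generation first.
    for n in $(ls "$base".[0-9]* 2>/dev/null | sed 's/.*\.//' | sort -rn); do
        cat "$base.$n" >> "$out"
    done
    # The live log is the newest and goes last.
    if [ -f "$base" ]; then
        cat "$base" >> "$out"
    fi
}

# Stand-alone demonstration on constructed data: three generations of a log in
# a scratch directory. Prints the combined file so the ordering can be checked.
demo() {
    d=$(mktemp -d)
    printf 'line 1 oldest\nline 2\n' > "$d/awarrenmta.log.1"
    printf 'line 3\nline 4\n'        > "$d/awarrenmta.log.0"
    printf 'line 5\nline 6 newest\n' > "$d/awarrenmta.log"
    collect_rotated "$d/awarrenmta.log" "$d/awarrenmta-all.log"
    cat "$d/awarrenmta-all.log"
    rm -rf "$d"
}

# On the firewall you would run, for example:
#   collect_rotated /log/awarrenmta.log /tmp/awarrenmta-all.log
# and then either cat /tmp/awarrenmta-all.log into the PuTTY session log, or
# push it to an FTP server on your notebook with BusyBox ftpput, whose syntax is
#   ftpput [-u USER] [-p PASS] HOST [REMOTE_FILE] LOCAL_FILE
# (assumed available in the Advanced Shell, as a reply below suggests).
```

Running `demo` prints the six constructed lines in order, "line 1 oldest" through "line 6 newest"; on the firewall, use collect_rotated with the real path under /log and a writable destination such as /tmp, then delete the combined file when you are done so it does not linger on the appliance.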

  • Hi Chris,

    The other way could be to run a portable FTP server on your notebook and use ftpput in the XG's Advanced Shell.

    Using this method you don't need to wait for cat to display lots of log lines.

    See this article for reference:

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/73466/how-to-do-a-tcpdump-filedump-and-retrieve-it-by-ftp

    yours Lukas

  • In reply to lna:

    Right, thanks Lukas!  Any way that can be automated?  On UTM9 I could set up multiple log shipping options, and then I'd planned to someday submit that to something like Splunk to generate alerts for me.  However, I don't see that option in the XG interface.  I can work out how I might do that with some Linux scripting, but I was hoping for an easier-to-manage UI element for my less Linux-familiar support staff.

  • In reply to Chris Shipley:

    Hi Chris,

    I think Splunk is syslog-aware:

    Configure --> system services --> Log Settings --> syslog-servers [Add]

    Yours Lukas

  • In reply to lna:

    Splunk is nice, but I understand their pricing targets organisations with thousands of users.

    Or am I wrong?

    Any other affordable solution?

    Paul Jr

  • In reply to Big_Buck:

    Hi Paul,

    try Sophos iview ;)

    or Graylog

    or push your syslog-collected logs into a MySQL DB and script your own query tool.

    Yours Lukas

  • In reply to lna:

    lna:

    "or push your syslog-collected logs into a MySQL DB and script your own query tool."

    This would be a great how-to :)

  • In reply to Chris Shipley:

    Hi Chris

    I did this some time ago for NetScaler syslogs.

    The Question was "which user has used which Published Citrix Application for how long"

    The on-board reporting wasn't able to give this information, but the NetScaler logging had entries "icastart" and "icastop" which gave the needed information.

    Syslog-NG filters for these strings and pushes the matching log lines into a Perl script which does some StringMagic and splits the log lines to fit my DB scheme.

    Syslog-NG config:

    filter f_netsc-session { filter(f_local0) and message('SSLVPN\s((ICASTART)|(ICAEND_CONNSTAT))'); };

    destination d_netscaler-session {program ("/***/*session_sql.pl");};

    log { source(net); filter(f_netsc-session); destination(d_netscaler-session);};

    Then I wrote some PHP fu to display and query the data.

    Then - with some magic in between - you'll come from this log line

    'Jun  2 15:13:33 192.168.xxx.21 06/02/2015:15:14:04  ns 0-PPE-0 : SSLVPN ICASTART 619795 0 :  Source 192.168.xxx.233:53066 - Destination 192.168.xxx.35:2598 - username:domainname lna:xxxx.lan - applicationName STC-Icinga - startTime "06/02/2015:15:14:04 " - connectionId b54509';

    to this table

    Similar things would be possible with firewall logs.

    Today I would use Syslog-NG's built-in database handler and do all "analytics" in the database or the frontend.

    Yours Lukas
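As an added example (not Lukas's Perl script, which is not posted), here is what the "StringMagic" behind the program() destination in the syslog-ng config above can look like in POSIX sh and awk: it reads the lines syslog-ng hands over on stdin and emits one SQL INSERT per "SSLVPN ICASTART" line, ignoring everything else. The table name ica_session and its columns are assumptions, and only the ICASTART layout quoted in the post is parsed (ICAEND_CONNSTAT lines are skipped because their format is not shown). The sample lines in the demo function are constructed after the posted one, with addresses changed.

```shell
#!/bin/sh
# Added example, not Lukas's script. A stand-in for the program() destination:
# reads syslog lines on stdin, turns each "SSLVPN ICASTART" line into one SQL
# INSERT and ignores every other line. Table/column names are assumptions.
# Only the ICASTART format quoted in the post is handled; ICAEND_CONNSTAT lines
# are skipped because their layout is not shown.

icastart_to_sql() {
    # sq="'" lets the awk program double single quotes inside values (SQL quoting)
    awk -v sq="'" -F' - ' '
    function q(v) { gsub(sq, sq sq, v); return sq v sq }
    /SSLVPN ICASTART/ {
        n = split($1, a, " "); src = a[n]           # "... Source IP:PORT"
        split($2, b, " ");     dst = b[2]           # "Destination IP:PORT"
        split($3, c, " ");     split(c[2], ud, ":") # "username:domainname USER:DOMAIN"
        user = ud[1]; dom = ud[2]
        split($4, d, " ");     app = d[2]           # "applicationName NAME"
        match($5, /"[^"]*"/)                        # startTime "MM/DD/YYYY:HH:MM:SS "
        ts = substr($5, RSTART + 1, RLENGTH - 2); sub(/ *$/, "", ts)
        split($6, e, " ");     conn = e[2]          # "connectionId ID"
        split(ts, t, "[/:]")                        # rewrite as YYYY-MM-DD HH:MM:SS
        when = t[3] "-" t[1] "-" t[2] " " t[4] ":" t[5] ":" t[6]
        printf "INSERT INTO ica_session (connection_id, username, domain, application, src, dst, start_time) VALUES (%s, %s, %s, %s, %s, %s, %s);\n", q(conn), q(user), q(dom), q(app), q(src), q(dst), q(when)
    }'
}

# Stand-alone demonstration on constructed input: one ICASTART line modelled on
# the posted one (addresses changed) plus one unrelated line that must be ignored.
demo_icastart() {
    printf '%s\n' \
      'Jun  2 15:13:33 192.168.10.21 06/02/2015:15:14:04  ns 0-PPE-0 : SSLVPN ICASTART 619795 0 :  Source 192.168.10.233:53066 - Destination 192.168.10.35:2598 - username:domainname lna:example.lan - applicationName STC-Icinga - startTime "06/02/2015:15:14:04 " - connectionId b54509' \
      'Jun  2 15:20:01 192.168.10.21 06/02/2015:15:20:32  ns 0-PPE-0 : SSLVPN LOGIN 619800 0 :  some other event that is not an ICASTART line' \
      | icastart_to_sql
}
```

Wired in as `destination d_netscaler-session { program("/path/to/this.sh"); };` with the script ending in a call to `icastart_to_sql`, the emitted statements can be piped straight into the mysql client; the q() helper doubles single quotes so a username or application name containing a quote cannot break out of its literal, which is the one thing you must get right when log content is turned into SQL.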