v17 RC-1 Log Viewer

Hi all,

The log viewer in RC-1 is a vast improvement; however, it looks like it only auto-updates at the 1 minute interval unless you push the refresh button. I do not see a way to change that to a lower value like in v16. Maybe someone from Sophos can chime in and let us know if this is by design or will be changed.

  • Hi  

    This is by design. The refresh button allows you to update the logs at will; therefore, the auto-refresh value of the logs is no longer configurable via the UI. You can create a Feature Request for this in the forum if you'd like. Since v17 is still in the beta stage, features can still change along the way and as the Product Manager mentioned in his post, the Community Forum and ideas.sophos.com play a huge role towards this.

    Cheers,

    Karlos

  • In reply to Karlos:

    Hi

    Thank you for clarifying that it is by design. I will open a feature request, however I feel I shouldn't have to as this is something that was already in the product that was removed. I realize the log is different now and greatly improved but I can't understand taking features away from the product.

  • In reply to MichaelBolton:

    Hi,

    According to the software I installed, this is RC1, not beta 2, so the logs should be close to the final form.

    I find the web log a little strange, it has red and green icons. I would have thought a red icon would indicate a site is blocked, but on my XG RC-1 it shows as allowed?

    Ian

     

    What is the difference between firewall rule and rule type in the system report? My MAC seems to be generating a large number of dead connections.

  • In reply to Karlos:

    Hi  &

    Yes, apologies. So used to calling v17 Beta :p

    It is in Release Candidate Stage so what you see now, will be very close to the official v17. 

    Sometimes features will need to be replaced to make room for improvements, but as I mentioned, feedback is always welcome, including feature requests as it can be included in future releases. 

     green should mean allow and red - blocked in the web filter log viewer. Did some testing with two different XG's in RC-1 and the colors were displaying normally. Try a restart and if necessary factory reset and let me know if the issue persists.

    Thanks,

    Karlos 

  • In reply to Karlos:

    1. Karlos, red and green definitely not working like that in web filtering. In firewall logs they do work as red and green as you pointed out. I thought maybe they were related to the application risk but that doesn't seem to be the case. Then I thought port 443 was green and port 80 was red, but no, it's red and green.

     

    2. Another issue I have is with the filter button. I am used to clicking the arrows and the filter button has two actions, filter logs and time frame filtering. However I kept on using the search function to look for denied logs since the filter button is a little unintuitive. Nothing I can't live with.

    3. The live logs should definitely load like they do in UTM9. I am so used to generating traffic and looking at the live logs in SG that it seems odd to click on refresh button. 

    Overall very nicely done and probably makes the v17 upgrade seem worthwhile.

    Regards

  • In reply to Billybob:

    Hi  

    Thanks for the feedback. 

    I tested with multiple blocked sites in our lab environment and Web Filter logs are displaying normally. If you can restart also or try flushing Device Reports (SSH: option 5 then 4), please let me know if it still persists.

    Cheers,

    Karlos

  • In reply to Karlos:

    Seems like a bug. Flushed and rebooted but still random red and green. All the denied are all red but allowed have some red icons. 

    I did a clean install from ISO in hyper-v so I didn't have any large logging databases. I created a couple of rules for testing in my lab and my appliance is not registered.

    The red icons are not random. They always happen on the same website eg. bitdefender.com always has red icon although it is allowed in my case.

    Thanks for your assistance.

  • In reply to Billybob:

    Hi,

    on my test XG, the same site produces red and green icons, the difference being the sub page on the website.

    Ian

     

    @Bill, looks like your guess about http and https was partially correct. Most of the red allowed are for http sites, some (very small numbers) are red https allowed sites.

  • In reply to rfcat_vk:

    Hi  ,  &  

    I will bring up the below points to our v17 team and update this thread once I have further info. 

    1. Refresh rate for Live Logs - whether 1 minute is default or if it should be a Live Feed

    2. Green and Red icons displaying incorrectly for certain sites

    Cheers,

    Karlos

  • In reply to Karlos:

    Thanks karlos, they already have my login credentials on this thread https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/96650/numerous-could-not-associate-packet-to-any-connection-messages-in-the-firewall-log/351813#351813 so if someone needs to login to check the green and red icons, this would be a good time.

    Regards.

  • In reply to Billybob:

    Can you let me know what websites you are using to generate the red/green?

    Is it at all possible that the red icons are things that errored or that had a far server problem (e.g. the far server responded 403)?

     

    Just in case this is a browser caching the wrong image (which I doubt) - can you clear your browser cache and/or do a control-F5 for a complete page refresh.

     

  • In reply to Michael Dunn:

    I should talk to my team before posting.  :)

    Icons being incorrect is a known issue.  Tracked in NC-22385 and NC-22549.  In progress of being fixed but I don't have ETA.

  • In reply to Michael Dunn:

    for me bitdefender.com is always red and the website works. I noticed that because I use their AV on my lab PC and was getting a lot of red allowed. I then tested with their website and same result.

    Edit: Do most of my testing in incognito mode to get away from plugin and caching issues.

  • In reply to Billybob:

    In addition to adding more automatic refresh interval (5 seconds should be the minimum as before), I still see that in Sophos the Alphabet is not used in Menu. Also IPS and SYSTEM are in uppercase.

    Instead of going ahead, we are going back!

    What's wrong with you Guys?

  • In reply to lferrara:

    Also,

    for the web filter section, make sure that the url fits in the display page (2 or more lines). Using the horizontal scroll bar is not very useful.

    Look at the screenshot.