Logs deleted from Cache on Reboot, how can I get these written to disk when they appear or in a time period?

I've just found out from the training the following:

The logs are stored in a first in first out (FIFO) cache, with up to 1,100 logs per module being stored. When the cache for a module reaches this limit, the first 100 logs are deleted. The cache is also cleared when the firewall is rebooted.


Right...ok...so in the event of a power outage I lose those logs. So how can I get these written to disk permanently rather than to the RAM because that is a priority 1 issue, I need to find out what's been happening leading up to a hardware failure or otherwise to glean what the problem was?



  • There are settings to have the XG send its logs to a remote syslog server. Have you looked into iView2 and/or Sophos Firewall Manager to see if this will meet your needs? Also, you could just have it send its logs to any device that accepts syslog.

    Hope this helps
  • Having it routing to a separate system is not the question here, I'm more concerned with the logs on the firewall itself.

    In the event of a malicious third party it can be made much harder to remove logs from a Firewall unit than a remote server. But now, if someone onsite were to screw with the network, they just need to initiate a power failure and those logs are lost.

    Sophos is big on its "all on one box" as it was with UTM v9 but now I have to have a separate server for remote logging?