
logging: heartbeat vs fwcm-heartbeatd, 500 Opcode Failed

Sophos Support told me today that they wanted to, but cannot, enable fwcm-heartbeatd debug logging. The service is at status: UNREGISTERED

service fwcm-heartbeatd:debug -ds nosync

500 Opcode Failed

From https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogFileDetails.html

fwcm-heartbeatd should be "Heartbeat to Sophos Central communication service". The log is empty/blank.

So is this service and logging not enabled by default in v18 MR5?

XG430_WP02_SFOS 18.0.5 MR-5-Build586# service -S |grep heartbeat
fwcm-heartbeatd      UNREGISTERED,DEBUG
heartbeat            RUNNING

All three fwcm- logfiles are empty and the services are UNREGISTERED.

XG430_WP02_SFOS 18.0.5 MR-5-Build586# service -S |grep fwcm
fwcm-updaterd        UNREGISTERED
fwcm-heartbeatd      UNREGISTERED,DEBUG
fwcm-eventd          UNREGISTERED

Our firewalls are registered in Central. Now support wants us to unregister, then reregister both appliances.

The register status currently shows:

XG430_WP02_SFOS 18.0.5 MR-5-Build586# central-register -status
This SFOS instance is currently registered with Sophos Central

  access_token        : c7xxxxxx
  device_uuid         : ed9xxxxxxx
  pic_uri             : utm-cloudstation-eu-central-1.prod.hydra.sophos.com
  refresh_token       : ALWxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



  • Hello LHerzog,

    Thank you for contacting the Sophos Community.

    The service should be registered and running, which is why I believe they’re asking you to de-register and re-register the device so the services are forced to restart.

    You can check the fwcm-eventd.log for the entry fwcm-updaterd stopped or something along those lines. This will show you the time the service failed.

    Could you please share your Case ID, and is this device part of HA?

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thanks for your explanation. The case is 04121743 and it's HA. I think we have been running for months on the "other node" compared to when we enabled Central integration.

  • those fwcm logs are all completely blank.

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# ls -li /log/fwcm-*
    6815873 -rw-r--r--    1 root     0                0 Jan 15 10:17 /log/fwcm-eventd.log
    6815871 -rw-r--r--    1 root     0                0 Jan 15 10:17 /log/fwcm-heartbeatd.log
    6815872 -rw-r--r--    1 root     0                0 Jan 15 10:17 /log/fwcm-updaterd.log

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# cat /log/fwcm-*.log
    XG430_WP02_SFOS 18.0.5 MR-5-Build586#

    and they are blank on the other HA node as well:

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# ls -li/log/fwcm-*
    18350209 -rw-r--r--    1 root     0                0 Jan  8 12:37 fwcm-eventd.log
    18350207 -rw-r--r--    1 root     0                0 Jan  8 12:37 fwcm-heartbeatd.log
    18350208 -rw-r--r--    1 root     0                0 Jan  8 12:37 fwcm-updaterd.log

  • It turned out the command I got from support to enable debug was just wrong. It was also wrong when they tried to run this command from the remote CLI. And as a result of this, I was asked to remove the firewall from Sophos Central...

    I'm sad; this matches the overall impression I have of support.

    this works:

    service -t json -b '{"debug":"2"}' -ds nosync heartbeat:debug

    this does not:

    service -t json -b ‘{“debug”:”2”}’ -ds nosync heartbeat:debug

    Result is

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# service -t json -b '{"debug":"2"}' -ds nosync heartbeat:debug
    200 OK
    { "trace": "on" }
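
The two command lines in the post above differ only in their quote characters. As an added example (not part of the original post and not Sophos code), this Python script tokenizes both lines the way a POSIX shell would, using the standard-library shlex, and checks whether the -b argument still parses as JSON. How the firewall's service tool itself treats the argument is not shown on this page, and the function names are made up for the example.

```python
import json
import shlex
import unicodedata

# Working command line, copied from the thread.
GOOD = """service -t json -b '{"debug":"2"}' -ds nosync heartbeat:debug"""
# Non-working line from the thread; its typographic quotes are written as escapes.
BAD = ("service -t json -b \u2018{\u201cdebug\u201d:\u201d2\u201d}\u2019"
       " -ds nosync heartbeat:debug")

# Typographic quotes that mail clients and word processors substitute.
SMART = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}


def find_non_ascii(cmd):
    """Return (column, codepoint, Unicode name) for every non-ASCII character."""
    return [(i + 1, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(cmd) if ord(c) > 127]


def body_argument(cmd):
    """Tokenize like a POSIX shell and return the word following -b."""
    words = shlex.split(cmd)
    return words[words.index("-b") + 1]


def body_is_json(cmd):
    """True if the -b argument, as the shell would pass it, parses as JSON."""
    try:
        json.loads(body_argument(cmd))
        return True
    except ValueError:
        # Curly quotes are not shell quotes, so they arrive inside the argument.
        return False


def normalize(cmd):
    """Map typographic quotes back to their ASCII equivalents."""
    return "".join(SMART.get(c, c) for c in cmd)


if __name__ == "__main__":
    for label, cmd in (("good", GOOD), ("bad", BAD)):
        print(label, "json body ok:", body_is_json(cmd))
        for col, cp, name in find_non_ascii(cmd):
            print(f"  col {col}: {cp} {name}")
    print("repaired:", normalize(BAD))
```

Running a command received by e-mail through find_non_ascii before pasting it into a CLI session shows exactly which columns were altered in transit.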

  • Hello LHerzog,

    Thank you for the feedback. I have passed this to the manager and the owner of the case. It seems the formatting of the symbols (') (") might have changed once the engineer copied the command to the email; however, the engineer should have double-checked before sending the command.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Thank you, EmmoSophos. Maybe, but if your supporters execute those commands through the remote access tunnel, they should get it done.