View logs in Central Firewall Reporting

Hello.

Sophos Firewall 18.5.1.

I recently changed every log type to log to "Central Reporting". The entire "Local reporting" column is empty. Before doing this I used to be able to go to the Sophos Firewall and click Log Viewer at the top right and view logs, almost in real time. I used this method to troubleshoot WAF errors. I have learned that having "local reporting" enabled eventually fills up the "report" partition which, according to documentation, will eventually fill itself up, and if it goes over 90% full, "the report database service is possibly dead" (https://support.sophos.com/support/s/article/KB-000035777).

I did a manual purge yesterday. It took 7 hours for the report partition to go from 89% to 80%. Another 10 hours later (this morning) and it's still at 80%. Not sure if that's normal or if it should drop lower.

Regardless of the report partition stuff, where are the logs now? One particular area I always went in the Log Viewer was "Web Server Protection". I can't find that anywhere in Sophos Central Reporting. All I see are "reports" and can't find recent/active logs that I'm used to seeing. Even when I click on Logs, it goes to reports. If I'm actively trying to view logs for troubleshooting where would I do that?

Obviously, since no local reporting is enabled, the Log View on the Sophos is empty.



  • Go to Firewall Management > Report Generator and you'll be able to choose your firewall and the report template "Log Viewer and Search". From there I assume you would filter by Log Type "WAF". You can click in the box to get your filter choices in a pop-up menu. I don't have WAF so can't test.

    Also, the rate at which your partition is being cleaned up makes me think you've got some corruption going on locally.

  • Man, I owe you a beer. I have been glazing over that Log Viewer and Search part! For some reason I expected all of the Log Type options to be in that Report Templates drop-down, not within a subsection of it. I can now see the logs, and while I don't see an easy refresh option like in the original Log Viewer, and while it seems the most recent logs are about 10 minutes behind, I'll take this! I imagine it just takes time for the logs to get from the firewall to Central Reporting.

    One odd thing I noticed is the first few times I tried selecting my one-and-only firewall, it wouldn't select. I'd check the box and APPLY, then hit the drop-down again and my firewall wouldn't be checked/selected. I am worried about report partition corruption as well.

    Thanks again 

  • Glad to help. Yeah, the Sophos Central logs are about 10 minutes behind real-time. I'm guessing some of it is them not wanting to flood log messages while you're getting a flood of events/traffic and some is Sophos Central ingesting and processing. I've poked around a lot because I have an XGS-87, which is too small to do on-board reporting, and the logging obviously wraps fairly quickly.

    Which, back to your issue, puzzles me. My XGS-87 logs never fill. They rotate somehow, so I can only go back a fairly short time. Of course Sophos Central also has a 30-day limit (if you have something-or-other to extend it), so beware of that, too.

  • I'm starting to think something is not right. It's happening again, where I cannot save my Firewall after checking its checkbox under the Firewalls drop-down. I made a little video of it not working but I'm not certain if it's ok to share the serial number of my firewall. But trust me, it just won't save after I click Apply. Additionally, here is what my Log viewer and search shows. I'm assuming, because no router is selected, because I cannot select it.