This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Log Viewer not Updating

Hello,

I am running XG FW firmware version 19.0.0.

Log Viewer is no longer showing current entries for all categories.

The last entry logged was on 1/26/22.

I've checked log settings and disk space and everything looks correct.

I also have several firewall rules checked to 'log firewall traffic' however no traffic is being logged.

Any ideas where else I could look or how to resolve?



This thread was automatically locked due to age.
Parents
  • Hello there,

    Thank you for contacting the Sophos Community.

    Adding to rfcat suggestion, check if the garner and reportdb services are running: (You need to SSH in to the XG and press 5>3 to land in  the advanced shell)

    # service -S | grep garner
    # service -S | grep report
    # csc custom status (you should look for Busy Workers) 

    If you notice either the garner or report services stopped or not running, try starting or restanting it

    # service garner:restart -ds nosync

    # service reportdb

    Check for any error in the:

    • garner.log 
    • reportdb.log
    • postgres.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello there,

    Thank you for contacting the Sophos Community.

    Adding to rfcat suggestion, check if the garner and reportdb services are running: (You need to SSH in to the XG and press 5>3 to land in  the advanced shell)

    # service -S | grep garner
    # service -S | grep report
    # csc custom status (you should look for Busy Workers) 

    If you notice either the garner or report services stopped or not running, try starting or restanting it

    # service garner:restart -ds nosync

    # service reportdb

    Check for any error in the:

    • garner.log 
    • reportdb.log
    • postgres.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
  • I've restarted and when I checked services of garner and reportdb, both were running.

    I did find the following in the garner, reportdb and postgres log files.  It appears to be some sort of corruption?  Do either of you know what the tail of these logs are pointing to?  The postgres log hasn't been updated since May:

    tail garner.log
    SFEVENTSFTS: Jun 13 19:29:08Z:execute_sqlite_prepared_stmt: stmt execution failed: database disk image is malformed
    SFEVENTSFTS: Jun 13 19:29:08Z:execute_sqlite_prepared_stmt: stmt execution failed: cannot commit - no transaction is active
    SFEVENTSFTS: Jun 13 19:29:08Z:end_transaction: Transaction Couldn't COMMIT;
    SFEVENTSFTS: Jun 13 19:29:08Z:sqllite_db_fini: Transaction End Failed
    SFEVENTSFTS: Jun 13 19:29:08Z:end_transaction: Transaction Couldn't COMMIT;
    SFEVENTSFTS: Jun 13 19:29:08Z:reset_transaction: end Transaction Failed
    SFEVENTSFTS: Jun 13 19:29:08Z:sqlite_db_insert_data: reset transaction failed for table 'tbllog'
    SFEVENTSFTS: Jun 13 19:29:08Z:sfeventsfts_insert_data: insert failed with SQLITE_GENERAL_ERROR
    SFEVENTSFTS: Jun 13 19:29:08Z:sfeventsfts_insert_data failed

    tail reportdb.log
    10459 2022-06-13 19:28:13.395 GMTLOG:  unexpected EOF on client connection with an open transaction
    21784 2022-06-13 19:28:13.395 GMTLOG:  unexpected EOF on client connection with an open transaction
    20225 2022-06-13 19:28:13.396 GMTLOG:  unexpected EOF on client connection with an open transaction
    21770 2022-06-13 19:28:13.397 GMTLOG:  unexpected EOF on client connection with an open transaction
    21768 2022-06-13 19:28:13.398 GMTLOG:  unexpected EOF on client connection with an open transaction
    22666 2022-06-13 19:28:13.398 GMTLOG:  could not receive data from client: Connection reset by peer

    tail postgres.log
    5347 2022-05-28 03:52:48.130 GMTLOG:  shutting down
    5347 2022-05-28 03:52:48.838 GMTLOG:  database system is shut down
    5357 2022-05-28 03:55:32.593 GMTLOG:  database system was shut down at 2022-05-28 03:55:16 GMT
    5353 2022-05-28 03:55:32.914 GMTLOG:  database system is ready to accept connections
    5361 2022-05-28 03:55:32.915 GMTLOG:  autovacuum launcher started
    5438 2022-05-28 03:56:56.021 GMTERROR:  null value in column "value" violates not-null constraint
    5438 2022-05-28 03:56:56.021 GMTDETAIL:  Failing row contains (config cpulist, null, ips, ips.conf).
    5438 2022-05-28 03:56:56.021 GMTSTATEMENT:  with upsert as (UPDATE tblconfiguration set value=(SELECT servicevalue from tblclientservices where servicekey = 'ips_cpulist') where module = 'ips' and key='config cpulist' returning *) INSERT into tblconfiguration (key,value,module,filename) SELECT 'config cpulist', servicevalue, 'ips', 'ips.conf' from tblclientservices where servicekey = 'ips_cpulist' and (SELECT count(*) from tblconfiguration where module = 'ips' and key='config cpulist') = 0
    5438 2022-05-28 03:56:56.157 GMTERROR:  current transaction is aborted, commands ignored until end of transaction block
    5438 2022-05-28 03:56:56.157 GMTSTATEMENT:  SELECT txid_current()

  • Hello,

    I am looking for some help on this one.

    Anyone know what the logs from my last post are indicating?

    I haven't received any Log Viewer data for some time now.

    Thanks

  • A quick look at the logs information would imply a faulty disk and maybe the time on the XG is not updating correctly.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello there,

    The logs indicated that your DB is corrupted, which is the cause for which your Log Viewer is not updating.

    Do you see any core dump under ls -la /var/cores/

    You could take a backup of your current configuration and re-image your device, if the issue re-appears most likely your HDD might have started to fail in which case you might need to RMA the device if it is still under warranty. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Emmanuel,

    Thanks for the response.

    There is only one core.awed file from 2020 so I don't think it is related since the logs stopped at the beginning of this year.

    This is running on a VM so I will create a back up and spin up another VM, then perform a restore.

    However, before I do that are there any specific commands I can run, besides the standard linux ones that would assist in determining if this is a disk problem?  Also, can I rebuild or replace the database?

    Thanks,

    Kerry

  • I ran fdisk and badblocks and there were no errors / bad sectors

  • Hey
    To check the status of Sophos Firewall's reporting, follow the steps below.

    1. Sign in to the CLI Console with Telnet or SSH.
    2. Select Option 4:  Device Console.
    3. Run the following command.

      Check disk size usage

      Use the following command from the CLI to check the disk size usage by reports.

      system diagnostics show disk

      **If report use is 80% or higher, the firewall will stop displaying reports.
         If report use is 90% or higher, the report database service is possibly dead.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks Vivek,

    Looks good there also:

    console> system diagnostics show disk
    Partition        Utilization(%)
    ===============================
    configuration        19%
    content              11%
    report               32%

  • Can you check the data retention period once here: https://support.sophos.com/support/s/article/KB-000035780?language=en_US
    And under the system services > Log settings - what all the options enabled ?
    ==========
    Under the Administration > time > is it set to "Use pre-defined NTP server" or "Do not use NTP server?" 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Retention period is set to defaults, 6 months

    under the system services > Log settings, looks like default settings also.  Some of them selected are:

    • FW Rules
    • DOS Attack
    • Dropped source routed packet
    • Dropped fragmented packet
    • MAC Filtering
    • web filter
    • application filter
    • web content policy
    • all events
    • All IPS
    • All Antivirus

    Time is set to Use pre-defined NTP server