Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Subscribers 40 subscribers
  • Views 2905 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG -Report partition full

Alex NC

Hello,

I just migrated a customer from UTM to XG (18.5 since 19 is not recommended by the support) and the default 80GB report partition of the VM is filling very quickly, in about 20-25 days.

Logrotate is not well implemented and the firewall got a lot of issues (traffic interrupted, new email not accepted, ...) with a full report partition.

The Flush Device Reports CLI is not acceptable for me since it deletes all the log and needs a reboot..

The support told is that we cannot safely increase the report partition and that we should use Sophos Central reporting with a low local retention.

I found this KB on for XG on Azure, why cannot we do the same on VMware?

Thanks for your help.



This thread was automatically locked due to age.
  • 0

    Hi,

    you need to review the log retention settings to assist with your full disk recovery issue.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    The minimum log retention is one month.

    As told in my post, the default 80GB report partition of the VM is filling very quickly, in about 20-25 days.

    So log retention is not a good option and the customer needs more for compliance.

  • 0

    You could increase the Disk space with a new appliance and the tools your hypervisor gives you. Then spin up the VM and restore a backup of your current appliance. This will result in a new appliance with a larger space. 

    __________________________________________________________________________________________________________________

  • +1

    Hello Alex,

    of course you can do the same in VMware, why not?

    The step resize2fs /dev/var is inside the guest, so this does not depend on the type of hypervisor.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    Hello,

    Your answer is technically OK. But the support told us not to do that:

    "the XG along with the UTM do not learn about increased disk capacity, because it would require dynamic space allocation which could lead to a security breach due to stuff in the expanded disk."

    I don't have so much time to really go deep on this to evaluate how dynamic space allocation is different on an azure storage than on a classic VM.

    I think that the Lucar Toni answer is the good one an as i'm in cluster, i'll recreate the VM one by one with the good size.

    By the way, this is another issue that shows the poor development quality of XG for a production environment: logrotate not working and firewall/email down for a low space issue and bad partitioning conception.

    We are a lot on this forum that really don't understand how did Sophos goes that wrong on XG as Astaro/UTM is a really nice product.

    Hurry up Sophos, XG is V19 now, it's time to have a good product.

  • 0 in reply to Alex NC

    You should differ between 3 components. Debugging (live), Logging and Reporting. 

    Those three components are in the products. UTM did this with a log retention principle of doing this within .log.gz files and archiving this. But it still was plain .log files. 

    I would not be interested in old data anymore in a .log. 

    You want to secure your company. You want to have data which is meaningful to represent the current ongoings within your network. A .log File is not useful for this approach. 

    So the movement towards IT Security is to use SIEM like solutions to get a know about the behavior. And this is included within the Data Lake of Central. And Threat Analyst can read this data perfectly fine. This kind of data is not stored in .logs as you cannot dig deep enough and use tools in a quick manner. 

    Debugging for a broken module can be done within a .log. Most likely you do not need to go back the past 30 Dayish or so. As the firewall does not store that much data in .log anymore, it will not rotate that much. 

    The default 80 GB for a VM are likely to small for you. But afterwards you should not run into this issue that much. And you should think about getting your Reporting into the datalake instead. This saves the space locally. 

    Going forward and looking at Threat Analysis, this is something you should look into. 

    __________________________________________________________________________________________________________________

Unfiltered HTML