Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 40 subscribers
  • Views 1914 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bytes sent incorrectly reported in log viewer

Ben BP12C

Hi,

We're seeing repeated but inconsistent log entries with the bytes sent in the 4GB region. We use Fastvue and these incorrect bytes values mess with our reporting and make it hard to track down actual high bandwidth users. Some users are reported to have used hundreds of gigabytes when they have not.

Has anyone seen this on their Sophos XGS appliances?

We're currently running 18.5.4 MR-4 and seeing this issue on multiple appliances across different sites. It is affecting staff and student accounts using different Firewall rules and Web Policies.

I've included a few affected log entries below.

Time					Log subtype	Username	Src IP			Dst IP			Category				URL																Bytes sent	Referrer						Message ID	Policy ID
2022-10-25 15:57:27		Allowed		Staff1		10.10.4.104		142.250.70.196	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964804	https://contacts.google.com/	16001		57
2022-10-25 15:54:37		Allowed		Staff2		10.10.4.76		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294965154	https://drive.google.com/		16001		57
2022-10-25 15:51:33		Allowed		Staff1		10.10.4.104		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964812	https://docs.google.com/		16001		57
2022-10-25 15:39:18		Allowed		Staff3		10.10.4.92		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964633	https://docs.google.com/		16001		57
2022-10-25 14:59:09		Allowed		Student1	10.10.4.81		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964958	https://mail.google.com/		16001		99
2022-10-25 14:57:10		Allowed		Staff4		10.10.4.63		142.250.204.4	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964842	https://www.google.com/			16001		57
2022-10-25 14:53:46		Allowed		Student1	10.10.4.81		142.250.204.4	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964958	https://mail.google.com/		16001		99
2022-10-25 14:48:44		Allowed		Student1	10.10.4.81		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964958	https://mail.google.com/		16001		99
2022-10-25 14:43:44		Allowed		Staff5		10.10.4.78		142.250.76.100	Search Engines			https://www.google.com/log?format=json&hasfast=true				4294965737	https://www.google.com/			16001		57
2022-10-25 14:25:40		Allowed		Student2	10.10.5.24		172.217.24.36	Search Engines			https://www.google.com/log?format=json&hasfast=true&authuser=0	4294964892	https://classroom.google.com/	16001		99
2022-10-25 13:25:09		Allowed		Student3	10.10.4.137		54.254.23.138	Information Technology	https://btlr.sharethrough.com/universal/v1?supply_id=WYu2BXv1	4294966478	https://www.coolmathgames.com/	16001		99

Any advice would be appreciated.

Cheers,
Ben



This thread was automatically locked due to age.
  • 0


    This not a known problem.

    Can you let me know if you are using direct mode, proxy mode or DPI mode?

    Can you please check in the WebAdmin Log Viewer for the same entries to if the values are high there as well. If you can, cut&paste one of those lines. syslog is not as commonly used/tested and I want to make confirm if this is problem only in this output.

  • 0 in reply to Michael Dunn

    Hi Michael,

    Thanks for the reply.

    We use Web Proxy mode. We have an authenticated upstream proxy on our primary WAN connection, I believe we need to use Web Proxy for the upstream proxy to function.

    The above log entries are from the Sophos Log Viewer > Web Filter. These entries are confirmed to also be passed through to the syslog.

    Edit: I've included another example, unedited, from the Web Filter. This is from one of our camera servers. Different FW rule but still using Web Proxy.

    2022-10-26 02:32:17Web filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="75" user="" user_group="" web_policy_id="1" web_policy="Allow All" category="Information Technology" category_type="Acceptable" url="http://speedtest.vmsproxy.com/speedtest/bandwidth" content_type="" override_token="" src_ip="10.10.0.103" dst_ip="13.239.59.197" protocol="TCP" src_port="53192" dst_port="80" bytes_sent="369" bytes_received="212" domain="speedtest.vmsproxy.com" exception="" activity_name="" reason="" user_agent="Nx Witness/5.0.0.35745 (Network Optix) Mozilla/5.0 (Windows NT 6.1; WOW64)" status_code="204" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3717486528" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"
2022-10-26 02:32:17Web filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="75" user="" user_group="" web_policy_id="1" web_policy="Allow All" category="Information Technology" category_type="Acceptable" url="http://speedtest.vmsproxy.com/speedtest/bandwidth" content_type="" override_token="" src_ip="10.10.0.103" dst_ip="13.239.59.197" protocol="TCP" src_port="53192" dst_port="80" bytes_sent="369" bytes_received="212" domain="speedtest.vmsproxy.com" exception="" activity_name="" reason="" user_agent="Nx Witness/5.0.0.35745 (Network Optix) Mozilla/5.0 (Windows NT 6.1; WOW64)" status_code="204" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3717486528" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"
2022-10-26 02:32:18Web filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="75" user="" user_group="" web_policy_id="1" web_policy="Allow All" category="Information Technology" category_type="Acceptable" url="http://speedtest.vmsproxy.com/speedtest/bandwidth" content_type="" override_token="" src_ip="10.10.0.103" dst_ip="13.239.59.197" protocol="TCP" src_port="53193" dst_port="80" bytes_sent="4294966842" bytes_received="1002730" domain="speedtest.vmsproxy.com" exception="" activity_name="" reason="" user_agent="Nx Witness/5.0.0.35745 (Network Optix) Mozilla/5.0 (Windows NT 6.1; WOW64)" status_code="502" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3100912576" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    Cheers,
    Ben

  • 0 in reply to Michael Dunn

    Hi ,

    Do you have any further suggestions? I'd like to resolve this if possible.

    Cheers,
    Ben

Unfiltered HTML