Central Reporting - is it really working?

Hello m@x ,

Thank you for reaching out to the community, are you able to see the reporting in "Firewall reporting - Report Hub." or you not able to see there too ?
What is the firmware of the appliance ?

Hi Vivek. What exactly am I looking for under the Report hub? I want to view VPN logs and Firewall Logs that I normally find on the firewall itself under Log Viewer, except that I need to go a few weeks back. Since Central Reporting is better than the Log Viewer in its granularity and filters, I am trying to see at least the same information that a Log Viewer hives me.

Another complication is that Firewall Logs aren't stored on the firewall as a log file, unlike, say, VPN logs. So my only option to get that data is via Central Reporting.

Firewall info: XGS136 (SFOS 19.5.1 MR-1-Build278)

This is what my Report Hub shows:

I had a similar problem in v19.5.1 MR-1 I would request you to upgrade it to v19.5 MR-2 and then check if the reports are showing ?

Does the firewall store 30 days of log data itself? In other words, if I upgrade the FW, and the FW is indeed the problem, will that  30 day data be pumped to Central Reporting? Or the 30 day data is missing because the firewall failed to collect it due to firmware bug?

I am running the upgrade as we speak.

It should be present locally on the firewall, should be pushed to the central !

Ok, I will let you know shortly once the FW upgrade is completed. I have a quick follow up question. If all 30 days worth of logs are stored locally on the Firewall, is it normal that the Log viewer is showing me only the last 7-9 days?

Yes on the log viewer it will only show you limited number of days only !

Same result.

Can you share the /log/garner.log from the firewall ?

I tried the search in Central and also got no results. Of course, there is something logged, but as soon as I narrow down the filter, the less it shows until nothing.

SFOS (SFOS 19.5.2 MR-2-Build624)

As an example I wanted to find only dst port 161 blocked by rule 5 at 11:53 AM

We can see Port 161 logged at that time when I leave out the rule 5 filter

Filter for  log subtype denied:

if I remove the port, I can see many denied but no with port 161

Same is when I  export the log from central and search in the CSV

I tried the search in Central and also got no results. Of course, there is something logged, but as soon as I narrow down the filter, the less it shows until nothing.

SFOS (SFOS 19.5.2 MR-2-Build624)

As an example I wanted to find only dst port 161 blocked by rule 5 at 11:53 AM

We can see Port 161 logged at that time when I leave out the rule 5 filter

Filter for  log subtype denied:

if I remove the port, I can see many denied but no with port 161

Same is when I  export the log from central and search in the CSV

Hey LHerzog  & m@x 
Can you please share the garner.log file ?

I have the log ready. How do I share it securely? Is there any confidential data in it?

You can PM me directly...

Thank you both m@x & LHerzog for providing the garner file, did not find any suspicious log lines which matches the known issue, I request you both to provide the following output:

# ls -al /var/.centralreporting/ 

sure, thanks for checking garner.log already!

XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# ls -al /var/.centralreporting/
drwxr-xr-x    3 root     0            20480 Jun 30 11:41 .
drwxr-xr-x   43 root     0             4096 Jun 30 11:34 ..
-rwx------    1 root     0           720896 Jun 30 11:42 2065.gz
-rwx------    1 root     0               30 Jun 30 11:40 lockfile
drwxr-xr-x    2 root     0            36864 Jun 23 11:14 rotate

XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# date
Fri Jun 30 11:44:15 CEST 2023
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# ls -al /var/.centralreporting/
drwxr-xr-x    3 root     0            20480 Jun 30 11:41 .
drwxr-xr-x   43 root     0             4096 Jun 30 11:34 ..
-rwx------    1 root     0          1228800 Jun 30 11:44 2065.gz
-rwx------    1 root     0               30 Jun 30 11:40 lockfile
drwxr-xr-x    2 root     0            36864 Jun 23 11:14 rotate
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# date
Fri Jun 30 11:44:28 CEST 2023
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# ls -al /var/.centralreporting/
drwxr-xr-x    3 root     0            20480 Jun 30 11:41 .
drwxr-xr-x   43 root     0             4096 Jun 30 11:34 ..
-rwx------    1 root     0          1277952 Jun 30 11:44 2065.gz
-rwx------    1 root     0               30 Jun 30 11:40 lockfile
drwxr-xr-x    2 root     0            36864 Jun 23 11:14 rotate
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary#

file grows quickly

Has the file number rate had hit 7200 in past ? If that is the case then we are suspecting - NC-114652.
Can you let us know how how many files are generated in 5 mins ? 

Vivek Jagad said:

file number rate had hit 7200 in past

what do you mean here exactly and how to check?

we're now at

XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# date
Fri Jun 30 13:17:11 CEST 2023
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# ls -al /var/.centralreporting/
drwxr-xr-x    3 root     0            20480 Jun 30 13:16 .
drwxr-xr-x   43 root     0             4096 Jun 30 11:34 ..
-rwx------    1 root     0           425984 Jun 30 13:17 2084.gz
-rwx------    1 root     0               30 Jun 30 13:15 lockfile
drwxr-xr-x    2 root     0            36864 Jun 23 11:14 rotate

So I guess, 19 files in ~2:30 hours

Hot Fix version:                3
Hotfix tag:                     HF050823.1