

Sophos XG Syslog over TCP/TLS possibly broken?

Hello,
I am using two XGS126 in HA. Firmware version is 20.0.0 GA-Build222 but the same applies to previous 19.5.3 MR-3-Build652.

I am configuring a remote syslog server. Everything works as expected with the UDP protocol; the receiver is an rsyslog service on an Ubuntu server. Everything described here also applies to another server with an Elasticsearch stack, receiving logs with elastic-agent and the Sophos XG integration.


When I switch to TCP using "Secure log transmission", it seems that the logs are sent using a different protocol (maybe RFC 3164?) and are badly interpreted by the server.

Debug is difficult since the TCP connection is encrypted, but it looks like the format is something like this:

<PRIORITY><MESSAGE><LINE DELIMITER>

The logs are sent in multiple TCP packets and the server is expecting "\n" as the line delimiter, but instead a null character "\u0000" is sent. Rsyslog converts the null character into a "#000" string, but the event lines are not correctly delimited and the entire log is messed up.
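The framing problem described in the post (records terminated by NUL instead of LF, and arriving split across several TCP segments) can be reproduced and handled with a small stream framer. The following is an added example, not code from the original post or from Sophos or rsyslog: a receiver-side framer that reassembles records from arbitrary TCP chunking, accepts either LF or NUL as the record terminator, and parses the leading `<PRI>` into facility and severity. The sample records and the segment boundaries are constructed for the example and are not real device output.

```python
"""Added example: tolerant framing of syslog records read from a TCP stream.

Assumptions (not from the original post): the sample records below are
constructed Sophos-style key=value lines; the segment split points are
arbitrary and chosen only to cut records mid-way.
"""
import re

# Record terminators to accept. rsyslog's imtcp expects LF by default;
# the post reports a NUL byte ("\u0000") being sent instead.
LF, NUL = b"\n", b"\x00"

# RFC 3164 / RFC 5424 PRI part: "<" 1-3 digits ">" at the start of a record.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample stream: three NUL-terminated records (not real device output).
SAMPLE_RECORDS = [
    b"<134>device=SFW date=2024-01-01 log_type=Firewall log_subtype=Allowed",
    b"<134>device=SFW date=2024-01-01 log_type=Firewall log_subtype=Denied",
    b"<132>device=SFW date=2024-01-01 log_type=Event log_subtype=Admin",
]
SAMPLE_STREAM = NUL.join(SAMPLE_RECORDS) + NUL
# Constructed TCP segments that cut the first and second record mid-way.
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:37], SAMPLE_STREAM[37:90], SAMPLE_STREAM[90:]]


class StreamFramer:
    """Reassembles delimiter-terminated records from a byte stream.

    Bytes are buffered until any accepted delimiter is seen, so a record that
    spans several TCP segments is returned only once it is complete.
    """

    def __init__(self, delimiters=(LF, NUL), max_record=64 * 1024):
        self.delims = delimiters
        self.max_record = max_record  # guard against a sender that never delimits
        self.buf = bytearray()

    def feed(self, chunk):
        """Append one received chunk; return the list of complete raw records."""
        self.buf += chunk
        out = []
        while True:
            # Position of the earliest accepted delimiter, or -1 if none yet.
            cut = min((i for i in (self.buf.find(d) for d in self.delims) if i != -1),
                      default=-1)
            if cut == -1:
                if len(self.buf) > self.max_record:
                    raise ValueError("record exceeds max_record without a delimiter")
                return out
            raw = bytes(self.buf[:cut])
            del self.buf[:cut + 1]  # drop the record and its delimiter
            if raw:                 # ignore empty frames such as a "\n\x00" pair
                out.append(raw)


def parse_record(raw):
    """Split off the PRI part and derive facility/severity (RFC 3164 section 4.1.1)."""
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else None
    if pri is None or pri > 191:   # 191 = facility 23, severity 7 is the maximum
        return {"pri": None, "facility": None, "severity": None,
                "msg": raw.decode("utf-8", "replace")}
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "msg": raw[m.end():].decode("utf-8", "replace")}


def frame_stream(segments, delimiters=(LF, NUL)):
    """Feed every segment through one framer and parse the records it yields."""
    framer = StreamFramer(delimiters)
    records = []
    for seg in segments:
        records.extend(framer.feed(seg))
    return [parse_record(r) for r in records]


def demo():
    """Compare an LF-only receiver with a tolerant one on the same stream."""
    lf_only = frame_stream(SAMPLE_SEGMENTS, delimiters=(LF,))
    tolerant = frame_stream(SAMPLE_SEGMENTS)
    return len(lf_only), len(tolerant)


if __name__ == "__main__":
    lf_count, tol_count = demo()
    print(f"LF-only receiver completed {lf_count} records; tolerant receiver {tol_count}")
    for rec in frame_stream(SAMPLE_SEGMENTS):
        print(rec["facility"], rec["severity"], rec["msg"])
```

Run as a script it shows the failure mode from the post: with LF as the only accepted terminator the NUL-delimited stream never completes a single record (the receiver just buffers), while accepting NUL as well yields the three records with facility 16 (local0) and severities 6 and 4. On the rsyslog side, the imtcp module documents an `AddtlFrameDelimiter` parameter for registering an extra frame delimiter; check the documentation for the installed version before relying on it.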
