Sophos Firewall: Unable to find backdated logs in CLI of Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read helps you narrow down the cause when older logs you need are no longer present on the device because they have been rotated.

Situation

As an example, suppose you need to gather backdated SSL VPN logs from the CLI for audit purposes.

What to do

Step 1. Verify Disk Space

First, review the disk usage on the device to verify the status of the log partition. If the disk is full or nearly full, the logging daemon will have trouble writing new entries, so recent logs may be missing as well as old ones.

Please note that the disk size may vary for each Sophos Firewall model.

To find the disk status, use the command below in the advanced shell:

# df -kh

Output:

Step2. Service

To review the logs of a specific service (in our case, SSL VPN), list the “/log” directory and filter for the required log file with the command below in the advanced shell:

# ls -larth /log/ | grep -i sslvpn

Output:

Here, we can see two files for the same service, namely sslvpn.log.0 and sslvpn.log.

  • log.0 – This file contains the older logs, up to the maximum file size allocated to the SSL VPN service.
  • log – This file contains the most recent logs.

For reference, the SSL VPN service has a maximum file size of 64 MB. Once sslvpn.log reaches 64 MB, it is rotated to sslvpn.log.0 and a fresh sslvpn.log is started. Newly generated logs are always written to sslvpn.log.

An important thing to note is that the device keeps only one rotated copy, sslvpn.log.0; it does not create sslvpn.log.1, sslvpn.log.2 and so on. Whatever is rotated out of sslvpn.log.0 is gone from the device, so roughly 128 MB of SSL VPN history at most is retained locally. If you need to keep logs for longer than that (for example, for audits), forward them to an external syslog server rather than relying on the files in /log.

In our case,

  • As the listing above shows, sslvpn.log.0 is already at the 64 MB limit, and sslvpn.log holds 20.9 MB of logs.

Once sslvpn.log reaches 64 MB, the contents of sslvpn.log.0 are discarded, the current sslvpn.log takes its place as sslvpn.log.0, and a new, empty sslvpn.log starts receiving new entries.

Step 3. Review Logs

Open the sslvpn.log.0 file with the “less” command and check the timestamps of its first and last entries to confirm the date/time range it covers. If the date you need is earlier than the first entry in sslvpn.log.0, those logs have already been rotated off the device.

# less /log/sslvpn.log.0
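As an added example (not from the original article and not Sophos's own tooling), the shell script below combines the three steps: it reports the disk usage of the log partition, reads the first and last timestamp in sslvpn.log.0 and sslvpn.log, and tells you whether a requested date is still retained or has already been rotated away. It assumes each log line starts with a YYYY-MM-DD HH:MM:SS timestamp; that is an assumption rather than the documented sslvpn.log format, so adjust TS_RE if your lines differ. The sample log files it builds are constructed for the demo; on the firewall, call the functions with /log and sslvpn instead.

```shell
#!/bin/sh
# Added example; not from the Sophos article. It wraps steps 1-3 so you can
# tell at once whether a requested date is still on the firewall.
# Assumption (not from the page): every log line starts with
# "YYYY-MM-DD HH:MM:SS". Adjust TS_RE if your sslvpn.log lines differ.

TS_RE='^[0-9]{4}-[0-9]{2}-[0-9]{2}'

# Step 1: percentage used on the filesystem that holds the log directory,
# taken from POSIX "df -P" output (same information as the article's df -kh).
disk_used_pct() {                 # $1 = directory, e.g. /log
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Steps 2/3: "<first date> <last date>" found in one log file.
log_range() {                     # $1 = log file
    first=$(grep -oE "$TS_RE" "$1" | head -n 1)
    last=$(grep -oE "$TS_RE" "$1" | tail -n 1)
    printf '%s %s\n' "$first" "$last"
}

# Earliest date still on the box. The rotated copy (.log.0) is older than the
# live file, so it is checked first. Prints nothing and returns 1 if neither
# file exists.
oldest_retained() {               # $1 = log dir, $2 = service name
    for f in "$1/$2.log.0" "$1/$2.log"; do
        [ -r "$f" ] || continue
        grep -oE "$TS_RE" "$f" | head -n 1
        return 0
    done
    return 1
}

# Returns 0 (and names the file) if any retained file has entries for the
# requested date; returns 1 if that date has already been rotated away.
has_logs_for() {                  # $1 = YYYY-MM-DD, $2 = log dir, $3 = service
    for f in "$2/$3.log.0" "$2/$3.log"; do
        [ -r "$f" ] || continue
        if grep -qE "^$1" "$f"; then
            echo "$1: found in $f"
            return 0
        fi
    done
    echo "$1: not retained; oldest entry on the device is $(oldest_retained "$2" "$3" || echo none)." \
         "Only one rotated copy (.log.0) is kept, so use a syslog server for longer history."
    return 1
}

# Constructed sample: 15 days in the rotated file, 5 newer days in the live file.
make_sample_logs() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 20 ]; do
        if [ "$i" -le 15 ]; then f="$d/sslvpn.log.0"; else f="$d/sslvpn.log"; fi
        printf '2023-10-%02d 08:00:00 sslvpn: constructed sample entry %d\n' "$i" "$i" >> "$f"
        i=$((i + 1))
    done
    echo "$d"
}

# Stand-alone demo on the constructed sample. On the firewall run, for example:
#   has_logs_for 2023-10-03 /log sslvpn
sample=$(make_sample_logs)
echo "sslvpn.log.0 covers: $(log_range "$sample/sslvpn.log.0")"
echo "sslvpn.log   covers: $(log_range "$sample/sslvpn.log")"
has_logs_for 2023-10-03 "$sample" sslvpn || true
has_logs_for 2023-09-20 "$sample" sslvpn || true
rm -rf "$sample"
```

The order of the lookup matters: sslvpn.log.0 is always the older of the two files, so its first timestamp is the oldest entry the device can still give you; anything earlier has to come from wherever you forward logs to.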

Note:



[edited by: emmosophos at 1:09 AM (GMT -8) on 24 Nov 2023]