Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
Overview
This Recommended Read will help narrow down the issue when we can't find the required old logs in the device as they’re rotated.
Situation
Let’s take an example wherein you’re facing an issue in which you are required to gather the backdated logs of “SSLVPN” from CLI for audit purposes.
What to do
Step1. Verify Disc Space
Firstly, we need to review the disk space in the device to verify the log partition status. If the disk space is overloaded, it’ll create an issue with the logging daemon.
Please note that the disk size may vary for each Sophos Firewall model.
To find the disk status, use the command below in the advanced shell:
# df -kh
Output:
Step2. Service
To review the specific service-related logs (in our case, it’s SSL VPN), go to the “/log” directory and grep the required log file using the below command in the advance shell:
# ls -larth /log/ | grep -i sslvpn
Output:
Here, we’re able to see two files created for the same service, namely sslvpn.log.0 and sslvpn.log.
- log.0 – This file would contain older logs within the maximum upper limit of file size allocated to the service of SSLVPN.
- log – This file would contain the most recent logs.
For reference, the SSLVPN service has a maximum upper limit for a file size of 64 Mb. Thus, once the sslvpn.log file reaches the 64 mb file size, the new file named sslvpn.log.0 is created, and the logs would shift to sslvpn.log.0 files. Newly generated logs are still stored in the sslvpn.log file.
An important thing to note is that the device will automatically generate a new file to store older logs only once as sslvpn.log.0; it won’t create any subsequent log files apart from the log.0 file.
In our case,
- As we can see in above snap, sslvpn.log.0 is already full of 64 MB, and sslvpn.log contains 20.9 mb logs.
Once sslvpn.log reaches 64 MB, then the older logs of sslvpn.log.0 would be rotated, and the recent logs would be shifted from sslvpn.log to sslvpn.log.0 to make a space to store new logs in sslvpn.log file.
Step: 3 Review Logs
Review the sslvpn.log.0 file using “less” command and confirm the date/time since it contains the logs.
# less /log/sslvpn.log.0
Note:
- For proper log collection and storage, you can configure a syslog server to store all required log files for the required time frame, which can help you for audit purposes. Refer - https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html
- Above, we have reviewed the information only for SSLVPN service; however, the same steps could be followed for any other required services. Also, to know about the maximum file size limit for specific services, please get in touch with Sophos support.
Revamped RR Corrected Grammar, Font Size and Formatting Added Horizontal Lines Fixed Table of Contents ^EV Updated Table of Content ^EO
[edited by: emmosophos at 1:09 AM (GMT -8) on 24 Nov 2023]