
Sophos Firewall: Unable to find backdated logs in CLI of Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This recommended read helps narrow down why older logs you expect to find on the device are missing: the firewall rotates its log files, so logs beyond the rotation window are no longer available locally.

Situation

Let’s take an example in which you must gather backdated “SSLVPN” logs from the CLI for audit purposes.

What to do

Step 1. Verify disk space

First, review the disk space on the device to verify the status of the log partition. If the disk is full, the logging daemon cannot write new entries and logging will break.

Note that the disk size varies between Sophos Firewall models.

To check the disk status, run the command below in the advanced shell:

# df -kh

Output:

Step 2. Service

To review the logs of a specific service (in our case, SSL VPN), list the “/log” directory and filter for the required log file with the command below in the advanced shell:

# ls -larth /log/ | grep -i sslvpn

Output:

Here, we can see two files for the same service, namely sslvpn.log.0 and sslvpn.log.

  • log.0 – This file contains the older logs, up to the maximum file size allocated to the SSLVPN service.
  • log – This file contains the most recent logs.

For reference, the SSLVPN service has a maximum file size of 64 MB. Once the sslvpn.log file reaches 64 MB, a new file named sslvpn.log.0 is created and the existing logs are moved into it. Newly generated logs continue to be written to the sslvpn.log file.

An important thing to note is that the device creates only one file for older logs, sslvpn.log.0; it does not create any further rotated files beyond log.0.

In our case,

  • As we can see in the screenshot, sslvpn.log.0 is already full at 64 MB, and sslvpn.log contains 20.9 MB of logs.

Once sslvpn.log reaches 64 MB, the older logs in sslvpn.log.0 are discarded, the recent logs are moved from sslvpn.log to sslvpn.log.0, and sslvpn.log is freed to store new logs. Logs older than what sslvpn.log.0 holds are therefore no longer available on the device.

Step 3. Review logs

Review the sslvpn.log.0 file using the “less” command and confirm the date/time range it covers; the first entry is the oldest log still retained on the device.

# less /log/sslvpn.log.0
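The three steps above can be scripted so that an auditor can tell at once whether a requested date is still retained or has already been rotated out. The following POSIX shell script is an added example, not part of the Sophos article and not a Sophos tool: it builds a constructed sslvpn.log.0/sslvpn.log pair in a temporary directory (so it runs anywhere), reports the oldest and newest timestamps across the pair, checks whether a given date falls inside that window, and parses the Use% column of `df -kP`. The assumptions are that each log line begins with an ISO-style timestamp (true of the constructed sample, to be verified against real files) and that LOG_DIR is pointed at /log when run on the firewall.

```shell
#!/bin/sh
# Added example (not from the Sophos article). Checks the retention window of a
# service's rotated log pair: <svc>.log.0 holds older entries, <svc>.log the newest.
# LOG_DIR defaults to a temp directory filled with constructed sample data;
# set LOG_DIR=/log to run it against a real firewall's advanced shell.
LOG_DIR="${LOG_DIR:-$(mktemp -d)}"

# Constructed sample logs that mimic the sslvpn.log.0 / sslvpn.log pair.
make_sample_logs() {
    cat > "$LOG_DIR/sslvpn.log.0" <<'EOF'
2024-11-20T08:01:12 sslvpn: session opened for user alice from 203.0.113.5
2024-11-25T17:44:02 sslvpn: session closed for user alice
2024-12-01T09:10:33 sslvpn: session opened for user bob from 198.51.100.9
EOF
    cat > "$LOG_DIR/sslvpn.log" <<'EOF'
2024-12-02T07:00:01 sslvpn: session opened for user carol from 192.0.2.44
2024-12-09T22:13:45 sslvpn: session closed for user carol
EOF
}

# Print "<oldest> <newest>" timestamps for a service across its .log.0 and .log files.
# Assumption: the timestamp is the first space-separated token of every line.
log_range() {
    svc="$1"
    old="$LOG_DIR/$svc.log.0"
    cur="$LOG_DIR/$svc.log"
    if [ -s "$old" ]; then
        first=$(head -n 1 "$old" | cut -d' ' -f1)
    else
        first=$(head -n 1 "$cur" | cut -d' ' -f1)
    fi
    last=$(tail -n 1 "$cur" | cut -d' ' -f1)
    printf '%s %s\n' "$first" "$last"
}

# Return 0 if logs for date YYYY-MM-DD ($2) are still retained for service $1,
# 1 if they fall before the oldest entry and have been rotated out.
log_covers() {
    oldest=$(log_range "$1" | cut -d' ' -f1 | cut -c1-10)
    # ISO dates compare correctly as strings; expr does a string comparison here.
    expr "$2" \>= "$oldest" >/dev/null
}

# Extract the Use% value (without the % sign) from one data line of `df -kP`.
df_use_pct() {
    echo "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Return 0 if the filesystem holding path $1 is below $2 percent used.
disk_check() {
    pct=$(df_use_pct "$(df -kP "$1" | sed -n 2p)")
    [ "$pct" -lt "$2" ]
}

make_sample_logs
echo "sslvpn retention window: $(log_range sslvpn)"
for day in 2024-11-01 2024-11-20 2024-12-05; do
    if log_covers sslvpn "$day"; then
        echo "$day: still retained on the device"
    else
        echo "$day: rotated out; only a syslog server would still have it"
    fi
done
disk_check "$LOG_DIR" 90 && echo "log filesystem below 90% used" || echo "log filesystem at or above 90% used"
```

On a real firewall the first timestamp printed by `log_range` is the same value you would read from `less /log/sslvpn.log.0`, and any audit request for an earlier date can only be satisfied from an external syslog server.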

Note:

  • For proper log collection and retention, configure a syslog server to store the required log files for the required time frame; this is what makes backdated logs available for audit purposes after the device has rotated them. Refer - Add a syslog server
  • We reviewed only the SSLVPN service here; the same steps apply to other services. Contact Sophos Support to learn the maximum file size limit for a specific service.

Updated screenshots
[edited by: Erick Jan at 3:46 AM (GMT -8) on 11 Dec 2024]