
Sophos Firewall: Unable to find backdated logs in CLI of Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article helps narrow down the issue when the required older logs cannot be found on the device because they have been rotated.

Product and Environment:

Sophos Firewall (All versions)

Situation

Let’s take an example wherein you’re facing an issue in which you are required to gather the backdated logs of “SSLVPN” from CLI for audit purposes.

What to do

Step: 1

First, review the disk space on the device to verify the status of the log partition. If the disk is full, the logging daemon will run into problems.

Please note that the disk size may vary for each Sophos Firewall model.

To find the disk status, use the command below in advanced shell:

# df -kh

Output:

Step: 2

To review the logs of a specific service (in our case, SSL VPN), list the “/log” directory and filter for the required log file with the command below in the advanced shell:

# ls -larth /log/ | grep -i sslvpn

Output:

Here we can see two files for the same service, namely sslvpn.log.0 and sslvpn.log.

  • log.0 – This file holds the older logs, up to the maximum file size allocated to the SSLVPN service.
  • log – This file holds the most recent logs.

For reference, the SSLVPN service has a maximum file size of 64 MB. Once the sslvpn.log file reaches 64 MB, a new file named sslvpn.log.0 is created and the existing logs are moved into it. Newly generated logs continue to be written to sslvpn.log.

An important thing to note is that the device creates only one such file, sslvpn.log.0, to hold older logs; it won’t create any further rotated files beyond log.0.

In our case,

  • As we can see in the screenshot above, sslvpn.log.0 is already full at 64 MB, and sslvpn.log contains 20.9 MB of logs.

Once sslvpn.log reaches 64 MB, the older logs in sslvpn.log.0 are rotated out and lost, the recent logs are moved from sslvpn.log to sslvpn.log.0, and sslvpn.log is freed up to store new logs.

Step: 3

Review the sslvpn.log.0 file with the “less” command and confirm the earliest date/time for which it contains logs; entries older than that have already been rotated out.

# less /log/sslvpn.log.0
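The three steps above can be combined into one small helper for the advanced shell that checks the log partition and reports which date range each rotated file still covers, so you know before searching whether the backdated entries you need survived rotation. This is an added example, not from the Sophos article; it assumes log lines start with a “YYYY-MM-DD HH:MM:SS” timestamp and that only service.log and service.log.0 exist, as described above, and the sample log files are constructed.

```shell
#!/bin/sh
# Added example (not from the Sophos article). Assumes log lines begin with
# "YYYY-MM-DD HH:MM:SS" and that only <svc>.log and <svc>.log.0 exist.

# Percentage of the partition holding $1 that is in use (Step 1, via df -P).
partition_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Print "file first_timestamp last_timestamp" for <svc>.log.0, then <svc>.log
# (Steps 2 and 3: which file holds which time span).
log_coverage() {
    dir="$1"; svc="$2"
    for f in "$dir/$svc.log.0" "$dir/$svc.log"; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f" | cut -c1-19)
        last=$(tail -n 1 "$f" | cut -c1-19)
        printf '%s %s %s\n' "$(basename "$f")" "$first" "$last"
    done
}

# Oldest date (YYYY-MM-DD) still on disk for a service; empty if no files.
oldest_retained_date() {
    log_coverage "$1" "$2" | head -n 1 | cut -d' ' -f2
}

# Exit 0 if entries dated $3 (YYYY-MM-DD) can still be on disk, 1 if they
# have been rotated out. ISO dates compare numerically once dashes are removed.
date_retained() {
    oldest=$(oldest_retained_date "$1" "$2")
    [ -n "$oldest" ] || return 1
    [ "$(printf '%s' "$3" | tr -d '-')" -ge "$(printf '%s' "$oldest" | tr -d '-')" ]
}

# Constructed sample files standing in for the real /log directory.
make_sample_logs() {
    mkdir -p "$1"
    printf '2023-08-01 09:00:01 sslvpn: user alice connected\n2023-08-15 18:30:00 sslvpn: user bob disconnected\n' > "$1/sslvpn.log.0"
    printf '2023-08-16 08:00:00 sslvpn: user carol connected\n2023-09-10 12:00:00 sslvpn: user dave connected\n' > "$1/sslvpn.log"
}

DEMO_DIR=$(mktemp -d)      # on the firewall, use /log instead
make_sample_logs "$DEMO_DIR"
echo "log partition use: $(partition_use_pct "$DEMO_DIR")%"
log_coverage "$DEMO_DIR" sslvpn
```

On a real firewall, run `log_coverage /log sslvpn` and `date_retained /log sslvpn 2023-08-20` (with your own date) to see at once whether the audit period is still on disk.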

Note:


