
Remote syslog stops working - where to get system messages?

Intermittently my UTM 9.7 stops sending logs to Fastvue Reporter for Sophos listening on syslog port 514. Turning remote syslog on/off doesn't fix it, nor does rebooting at either end (Sophos or Fastvue). I tried re-adding the source in Fastvue, which has worked in the past but isn't working now. I know Sophos can connect to the Fastvue server, and it has no problem sending the archived logs, and Fastvue has no problem processing those. It's the real-time updates that have stopped working.

In the past some combination of restarts would get things going again, but today nothing is working. I did work with Fastvue support on this a few weeks ago and confirmed both Fastvue and Sophos settings (several times). Everything has worked at various points over the past month or two of my having both Sophos and Fastvue. Fastvue support is saying all looks fine from the Fastvue side.

I have two questions:

1. Where would I find log messages about Remote Syslog? I tried the obvious "logging subsystem" and a few others but did not find any messages so I'm clearly not looking in the right places, unless those messages are not logged anywhere.

2. Anyone else have the same or a similar problem? 



  • I would try the system / kernel log


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Found a bit of data in system log, including the following when I changed the syslog config just to try to generate activity.

    2021:04:04-10:32:50 lyneutm syslog-ng[5128]: Configuration reload request received, reloading configuration;

    2021:04:04-10:32:56 lyneutm syslog-ng[5128]: Syslog connection established; fd='32', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'

    2021:04:04-10:32:56 lyneutm syslog-ng[5128]: Configuration reload request received, reloading configuration;

    Second line suggests the connection is established but is the "local IP" right at 0.0.0.0? 

    A sample of other past entries follows (I've replaced the real domain name with "myddns.domain")

    2021:04:02-09:44:24 lyneutm syslog-ng[5146]: Syslog connection established; fd='43', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'
    2021:04:02-09:45:05 lyneutm syslog-ng[5146]: Syslog connection established; fd='75', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'
    2021:04:02-09:52:25 lyneutm syslog-ng[5128]: Syslog connection established; fd='52', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'
    2021:04:02-10:07:37 lyneutm syslog-ng[5128]: Syslog connection established; fd='47', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'


    2021:04:03-12:00:01 lyneutm syslog-ng[5128]: Log statistics; processed='center(received)=82', processed='destination(d_myddns.domain_nnd0)=0', dropped='dst.program(d_adminrr#0,/usr/local/bin/reporter/admin-reporter.pl)=0', processed='dst.program(d_adminrr#0,/usr/local/bin/reporter/admin-reporter.pl)=2916', stored='dst.program(d_adminrr#0,/usr/local/bin/reporter/admin-reporter.pl)=0', processed='destination(d_myddns.domain_selfmon0)=5', processed='src.internal(s_local_asl#1)=82', stamp='src.internal(s_local_asl#1)=1617464401', processed='destination(d_myddns.domain_sandboxd0)=0', processed='destination(d_myddns.domain_reverseproxy0)=0', processed='destination(d_myddns.domain_smc0)=0', processed='destination(d_myddns.domain_uma0)=0', processed='destination(d_myddns.domain_login0)=0', processed='destination(d_myddns.domain_qa-logging0)=0', processed='destination(d_myddns.domain_fallback0)=224', processed='destination(d_myddns.domain_up2date0)=1599', processed='destination(d_myddns.domain_html5vpn0)=0', processed='destination(d_devnull)=0', processed='destination(d_myddns.domain_named0)=4202', processed='destination(d_myddns.domain_accd0)=0', processed='destination(d_myddns.domain_device-agent0)=0', processed='destination(d_adminrr)=2916', processed='destination(d_myddns.domain_openvpn0)=0', processed='destination(d_myddns.domain_sockd0)=0', processed='destination(d_mailsecrr)=4188', processed='destination(d_myddns.domain_smtp0)=4188', processed='destination(d_myddns.domain_aptp0)=0', processed='destination(d_myddns.domain_packetfilter0)=9955', dropped='dst.program(d_mailsecrr#0,/usr/local/bin/reporter/mailsec-reporter.pl)=0', processed='dst.program(d_mailsecrr#0,/usr/local/bin/reporter/mailsec-reporter.pl)=4188', stored='dst.program(d_mailsecrr#0,/usr/local/bin/reporter/mailsec-reporter.pl)=0', processed='destination(d_myddns.domain_red0)=0', processed='destination(d_myddns.domain_http0)=138', processed='destination(d_myddns.domain_ha_aws0)=0', 
processed='destination(d_myddns.domain_pppd0)=0', processed='destination(d_myddns.domain_user_prefetch0)=0', processed='destination(d_myddns.domain_cloud0)=0', processed='destination(d_vpnrr)=139', processed='destination(d_myddns.domain_xorp0)=0', processed='destination(d_myddns.domain_endpoint0)=0', processed='destination(d_myddns.domain_u2dcache0)=0', dropped='dst.program(d_pcktrr#0,/usr/local/bin/reporter/pfilter-reporter.pl)=0', processed='dst.program(d_pcktrr#0,/usr/local/bin/reporter/pfilter-reporter.pl)=9955', stored='dst.program(d_pcktrr#0,/usr/local/bin/reporter/pfilter-reporter.pl)=0', processed='center(queued)=131437', processed='destination(d_myddns.domain_identd0)=0', processed='destination(d_websecrr)=138', processed='destination(d_myddns.domain_mdw0)=1918', processed='destination(d_myddns.domain_letsencrypt0)=0', processed='destination(d_myddns.domain_system0)=2009', processed='destination(d_myddns.domain_pptpd0)=0', dropped='dst.udp(d_myddns.domain_remote0#0,192.168.0.5:514)=0', processed='dst.udp(d_myddns.domain_remote0#0,192.168.0.5:514)=114', stored='dst.udp(d_myddns.domain_remote0#0,192.168.0.5:514)=0', processed='destination(d_pcktrr)=9955', processed='destination(d_myddns.domain_dhcpd0)=19', processed='destination(d_ipsrr)=5692', processed='global(sdata_updates)=0', processed='destination(d_myddns.domain_confd0)=1291', processed='destination(d_myddns.domain_remote0)=114', processed='destination(d_myddns.domain_rasupdate0)=0', processed='destination(d_myddns.domain_acm0)=0', processed='destination(d_myddns.domain_webadmin0)=2798', processed='destination(d_myddns.domain_mdw-debug0)=4814', processed='destination(d_myddns.domain_service_monitor0)=22', processed='destination(d_websec_eplogrr)=0', processed='destination(d_myddns.domain_ospf0)=0', processed='destination(d_myddns.domain_hotspot0)=0', dropped='dst.program(d_vpnrr#0,/usr/local/bin/reporter/vpn-reporter.pl)=0', 
processed='dst.program(d_vpnrr#0,/usr/local/bin/reporter/vpn-reporter.pl)=139', stored='dst.program(d_vpnrr#0,/usr/local/bin/reporter/vpn-reporter.pl)=0', processed='destination(d_myddns.domain_httpd0)=482', processed='destination(d_myddns.domain_ipsec0)=141', processed='destination(d_myddns.domain_ipv60)=0', processed='global(payload_reallocs)=0', processed='destination(d_myddns.domain_pop30)=0', processed='destination(d_myddns.domain_ftp0)=0', dropped='dst.program(d_websecrr#0,/usr/local/bin/reporter/websec-reporter.pl)=0', processed='dst.program(d_websecrr#0,/usr/local/bin/reporter/websec-reporter.pl)=138', stored='dst.program(d_websecrr#0,/usr/local/bin/reporter/websec-reporter.pl)=0', processed='destination(d_myddns.domain_afc0)=201', processed='destination(d_myddns.domain_aua0)=3', processed='destination(d_myddns.domain_kernel0)=4', processed='destination(d_myddns.domain_confd-debug0)=66561', processed='destination(d_myddns.domain_eplog0)=0', processed='destination(d_myddns.domain_awslogsd0)=0', dropped='dst.program(d_websec_eplogrr#0,/usr/local/bin/reporter/websec-reporter.pl -e)=0', processed='dst.program(d_websec_eplogrr#0,/usr/local/bin/reporter/websec-reporter.pl -e)=0', stored='dst.program(d_websec_eplogrr#0,/usr/local/bin/reporter/websec-reporter.pl -e)=0', processed='destination(d_myddns.domain_sms-client0)=0', processed='destination(d_myddns.domain_pppoe0)=0', processed='destination(d_myddns.domain_wireless0)=0', processed='global(msg_clones)=0', processed='destination(d_myddns.domain_pppoa0)=0', dropped='dst.program(d_ipsrr#0,/usr/local/bin/reporter/ips-reporter.pl)=0', processed='dst.program(d_ipsrr#0,/usr/local/bin/reporter/ips-reporter.pl)=5692', stored='dst.program(d_ipsrr#0,/usr/local/bin/reporter/ips-reporter.pl)=0', processed='destination(d_myddns.domain_logging0)=12', processed='destination(d_myddns.domain_sshd0)=0', processed='source(s_local_asl)=82', processed='destination(d_myddns.domain_ips0)=5692', 
processed='destination(d_myddns.domain_epsecd0)=0', dropped='dst.program(d_wafrr#0,/usr/local/bin/reporter/waf-reporter)=0', processed='dst.program(d_wafrr#0,/usr/local/bin/reporter/waf-reporter)=0', stored='dst.program(d_wafrr#0,/usr/local/bin/reporter/waf-reporter)=0', processed='destination(d_myddns.domain_notifier0)=1993', processed='destination(d_wafrr)=0', processed='destination(d_myddns.domain_high-availability0)=0', processed='destination(d_myddns.domain_restd0)=0'
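    Added example (not code from the thread, Sophos or Fastvue): a small Python parser for the two kinds of syslog-ng messages quoted above. It turns a "Log statistics" line into per-counter processed/dropped/stored numbers, picks out the network destination (`dst.udp(...)` / `dst.tcp(...)`), and flags the cases a defender would want to notice: nothing forwarded, messages dropped, or messages queued ("stored") because the peer is not accepting them. It also reads the "Syslog connection established" line and answers the question about `local='AF_INET(0.0.0.0:0)'`: for a UDP destination an unbound local socket is the normal state unless a source address was configured, so 0.0.0.0:0 on its own is not a fault indicator. The sample lines are constructed to match the format in the post (shortened, with a placeholder destination name), not a real capture.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the UTM system log format above (not a real capture).
SAMPLE_CONNECTION_LINE = (
    "2021:04:04-10:32:56 lyneutm syslog-ng[5128]: Syslog connection established; "
    "fd='32', server='AF_INET(192.168.0.5:514)', local='AF_INET(0.0.0.0:0)'"
)
SAMPLE_STATS_LINE = (
    "2021:04:03-12:00:01 lyneutm syslog-ng[5128]: Log statistics; "
    "processed='center(received)=82', "
    "dropped='dst.udp(d_remote0#0,192.168.0.5:514)=0', "
    "processed='dst.udp(d_remote0#0,192.168.0.5:514)=114', "
    "stored='dst.udp(d_remote0#0,192.168.0.5:514)=0', "
    "processed='destination(d_remote0)=114'"
)

# Each statistic is  kind='identifier=value'  where kind is processed/dropped/stored/stamp.
STAT_RE = re.compile(r"(\w+)='([^']*)'")
CONN_RE = re.compile(r"server='AF_INET\(([^)]*)\)', local='AF_INET\(([^)]*)\)'")


def parse_stats(line: str) -> Dict[str, Dict[str, int]]:
    """Map counter identifier -> {'processed': n, 'dropped': n, 'stored': n, ...}."""
    counters: Dict[str, Dict[str, int]] = {}
    if "Log statistics;" not in line:
        return counters
    for kind, body in STAT_RE.findall(line):
        ident, _, value = body.rpartition("=")  # value never contains '='; ident may contain '='-free parens
        counters.setdefault(ident, {})[kind] = int(value)
    return counters


def remote_destinations(counters: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Keep only the network destinations (the remote syslog target), e.g. dst.udp(...)."""
    return {k: v for k, v in counters.items() if k.startswith(("dst.udp(", "dst.tcp("))}


def check_remote(line: str) -> List[str]:
    """Findings about the remote syslog destination; an empty list means the counters look healthy."""
    findings: List[str] = []
    for ident, c in remote_destinations(parse_stats(line)).items():
        if c.get("processed", 0) == 0:
            findings.append(f"{ident}: no messages forwarded")
        if c.get("dropped", 0) > 0:
            findings.append(f"{ident}: {c['dropped']} messages dropped")
        if c.get("stored", 0) > 0:
            # 'stored' is the destination queue: messages accepted but not yet delivered
            findings.append(f"{ident}: {c['stored']} messages queued, peer not draining")
    return findings


def parse_connection(line: str) -> Optional[Dict[str, str]]:
    """Extract server and local endpoint from a 'Syslog connection established' line."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {"server": m.group(1), "local": m.group(2)}


def local_endpoint_is_unbound(conn: Dict[str, str]) -> bool:
    """True when syslog-ng did not bind a specific source address/port (expected for UDP)."""
    return conn["local"] == "0.0.0.0:0"


if __name__ == "__main__":
    conn = parse_connection(SAMPLE_CONNECTION_LINE)
    print("remote target:", conn["server"], "| local unbound:", local_endpoint_is_unbound(conn))
    print("findings:", check_remote(SAMPLE_STATS_LINE) or "none")
```

    Run it against the lines in the system log (the statistics line is emitted once per `stats_freq()` interval and the counters are cumulative since the last restart), and look at `dst.udp(...)`: a `processed` value that stops increasing while `center(received)` keeps growing is the signature of the forwarding having stalled, which is exactly what the archived-logs-work-but-live-feed-does-not symptom would look like.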

  • I found the problem. I moved the Sophos to the "bench" after much testing until I can bring it to its intended remote location, and what I thought would generate some web filtering traffic (which is what Fastvue needs) was not generating any.

    I still haven't found much in the way of meaningful log messages around remote syslog but I might have to wait until something actually goes wrong for a message to happen.