Somewhere along the line some of the the logging has started working. The 'Web Protection Statistics' appear to be frozen, it's showing data from two or three days and hasn't updated since. We've just went past midnight local time, and the page hasn't reset like it usually does, it's still showing the same data it did two hours ago. On that page, if I click the blue 'Details' button next to one of the graph headings to get more data it displays the following error message: Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/reporting.pm line 501. If I go to any of the following pages, it just shows the word "undefined" without any content: Logging & Reporting --> Network Usage --> Bandwidth Usage Logging & Reporting --> Network Protection --> Firewall Logging & Reporting --> Network Protection --> Advanced Threat Protection Logging & Reporting --> Network Protection --> IPS If I go to any of the reports under 'Logging & Reporting --> Web Protection', they all just show an empty table, no matter what options I select. Other logs/reports appear fine; Hardware, Network Usage [other than Bandwidth Usage], Network Protection [other than Firewall/ATP/IPS], Email Protection, Wireless protection, Remote Access and Webserver Protection all appear fine. This may or may not have anything to do with my HA difficulties .

err, okay, PEBCAK for my last post. I had a rule bypassing logging for that device, must have configured it in error whilst I was troubleshooting. Alright, so, the original problem of not logging is now resolved. Problem: Web Protection not logging Cause: PostgreSQL crashed Resolution: Power off all HA nodes so that none are running, then power them up again one-by-one.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Missing logs / broken reporting

AlanI over 9 years ago

Somewhere along the line some of the the logging has started working. The 'Web Protection Statistics' appear to be frozen, it's showing data from two or three days and hasn't updated since. We've just went past midnight local time, and the page hasn't reset like it usually does, it's still showing the same data it did two hours ago.

On that page, if I click the blue 'Details' button next to one of the graph headings to get more data it displays the following error message:

Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/reporting.pm line 501.

If I go to any of the following pages, it just shows the word "undefined" without any content:

Logging & Reporting --> Network Usage --> Bandwidth Usage
Logging & Reporting --> Network Protection --> Firewall
Logging & Reporting --> Network Protection --> Advanced Threat Protection
Logging & Reporting --> Network Protection --> IPS

If I go to any of the reports under 'Logging & Reporting --> Web Protection', they all just show an empty table, no matter what options I select.

Other logs/reports appear fine; Hardware, Network Usage [other than Bandwidth Usage], Network Protection [other than Firewall/ATP/IPS], Email Protection, Wireless protection, Remote Access and Webserver Protection all appear fine.

This may or may not have anything to do with my HA difficulties.

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago

Yes, I guess that this was caused by doing an Up2Date of an HA system while 'Preferred Master' was selected. This first came up in the 9.2 beta, but apparently has never been identified officially as a bug. I suspect you will lose logs and reports when you fix the HA problem and that this problem will disappear.

Cheers - Bob
PS Thanks for moving this post to this new thread so that folks with a similar problem will be able to find this more readily.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 9 years ago

Yes, I guess that this was caused by doing an Up2Date of an HA system while 'Preferred Master' was selected. This first came up in the 9.2 beta, but apparently has never been identified officially as a bug. I suspect you will lose logs and reports when you fix the HA problem and that this problem will disappear.

Cheers - Bob
PS Thanks for moving this post to this new thread so that folks with a similar problem will be able to find this more readily.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 AlanI over 9 years ago in reply to BAlfson

Thanks Bob. I decided to shutdown the entire instance to see what would happen. I shutdown the standby node, shutdown the primary node, turned the primary node back on, and when it was up and running finally booted up the standby node.

I noted on both the primary and standby node when shutting down there was an error message on the console indicating that the Postgresql service wasn't running, which presumably was the source of the missing logs problem.

When both nodes where powered back on I verified that the Postgresql service was running successfully and I noted that logging was sorta working again.

It's been running most of the day and it's indeed generating web stats as expected, I can break it down by application, user etc., so that's all awesome.

However, I have one device on the network which normally generates a fairly large percentage of all my Internet traffic (maybe 25% of all Internet traffic), and that particular device is bizarrely just missing from the stats entirely.

If I look at the 'Users' report under Web Protection it's just not in the list, despite that I know it's generating considerable traffic today (well, in proportion to the other devices on the network anyway).

So, if that's missing I don't know if the rest of the stats are accurate either or not (although, the values look sane enough).

I'll monitor it for a few more days and see if anything changes.

EDIT: Oh, that's interesting, I just noticed the device in question *does* appear in the Network Statistics logs, it just doesn't appear in the Web Protection logs. It appears that the data to it appears in the 'Top Applications' & 'Top Application Categories' stats, but not under the 'Top sites by traffic' or 'Top users by traffic'.
Cancel
Vote Up 0 Vote Down

Cancel
+1 AlanI over 9 years ago in reply to AlanI

err, okay, PEBCAK for my last post. I had a rule bypassing logging for that device, must have configured it in error whilst I was troubleshooting.

Alright, so, the original problem of not logging is now resolved.

Problem: Web Protection not logging
Cause: PostgreSQL crashed
Resolution: Power off all HA nodes so that none are running, then power them up again one-by-one.
Cancel
Vote Up 0 Vote Down

Cancel
0 MuhdRabbani over 7 years ago in reply to BAlfson

hi,

my firewall pop out this error tu, yesterday i follow this forum https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/23654/deleted-log-files-but-disk-space-not-cleared/65292#65292

to delete the log. but today When I access Logging & Reporting -> Network Protection -> Firewall, an error message is prompted: "Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/reporting.pm line 501".

need ur help.
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to MuhdRabbani

Hi MuhdRabbani,

I request you to raise a new thread to start a conversation on this issue as we have a one issue per thread policy. This makes finding solutions easier.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel