
Logging & Reporting - Clarification Needed

Hi all,

Our current setup is two SG450 Hardware Appliances running Version 9.411-3 in a Hot-Standby (Active-Passive) configuration.

We're hoping someone will be able to set us straight on a few things in relation to logging and reporting on the Sophos UTM Hardware Appliance.

We have a support call open with Sophos in relation to an issue whereby scheduled reports on sites blocked by the web filter are coming back blank, despite the fact that the log files are recording sites being blocked by our configured web filtering policies.

One of the recommendations of Sophos Support is that we rebuild the database using the command: /etc/init.d/postgresql92 rebuild.

Whilst we aren't opposed to doing this, we do want to clarify what will actually happen when this process is run. It is our understanding that archived logs will not be affected, is this true?

If the log files are retained, does the reporting utility use these logs to generate future reports on web usage?

Finally, does the process for rebuilding the database differ in a High Availability (Hot-Standby) configuration and will there be any downtime?

Many thanks for your assistance in this matter,

John P



  • Hi John,

    Rebuilding postgres will not affect the archived logs; it will only purge the active logs that are yet to be archived. The log files which are purged during the rebuild cannot be retained. I would suggest you deploy a syslog server (one of ours, Sophos iView) which can keep a separate track of reports and logs.

    There will be no downtime during the rebuild process. With HA in the scenario, what I will do is: shut down the Auxiliary appliance and rebuild the Master. Start the Auxiliary appliance and rebuild it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin,

    Many thanks for your input, it has cleared a few things up for me.

    Am I right in thinking that the Reporting mechanism is entirely separate from the Archived Logs?

    What I'm trying to say is, does the Reporting mechanism use the archived logs as a source of data to produce a report?

    Many thanks,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • John, I think Sachin is confusing two different processes, but his recommendation to use a syslog server is a good one in an organization as large as yours.

    The rebuild command affects only the PostgreSQL databases, not the logs. It does delete all current information in graphs and all data in Reporting. These are not repopulated from the logs. The logs are not used at all in Reporting as these two sets of files are created separately and at different times. The only PostgreSQL database that is rebuilt is the Email Quarantine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you very much for your explanation, it has helped my understanding of this area of UTM Management immensely.

    The Syslog option is something we will definitely look in to and looks like it will be the best fit for us.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive