Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 95 replies
  • Subscribers 58 subscribers
  • Views 72440 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Deepak Verma

Sophos XG firewall is offering on Device Reporting and logs, which is a good feature for all SMBs. There is another module "Sophos iView" available for logs and reporting but it is good for some critical organization or big data Center who need a lot of logs, reports, and backup of all those.   

Recently, I faced an issue as there is no log showing on the GUI "Log Viewer" but you will see all logs through the command line or some new logs on the auxiliary device but not on the primary devices (new logs not updating). This issue is reported on a virtual and hardware firewall as well. Today I am going to share how to handle this issue without book a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read a full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html



This thread was automatically locked due to age.
Parents
  • 0

    Thank you, even though  my report disk was only 10% my reports had stopped from the early on the 14th.

    Restarted garner and reports are being generated again.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi,

    the fix appears to have fixed everything except mail. While today's mail shows in logviewer, none of yesterday's mail does even after the garner restart. The Reports -> mail in the GUI is empty for today 16th April.

    Ian

     

    Update:- 1100 16/4 a miracle has happened, I now have mail reports.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Something went very badly wrong. Today's report was missing details about user activity.

    I have restarted the XG to see if that fixes the issue tomorrow morning.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi,

    I am happy that this solution is worked for you!

    Regards,

    Deepak Kumar

    Sophos Architect | NSE 4 | CCNP | CISE 

Reply Children
  • 0 in reply to Deepak Verma

    After some days, logs stopped again; after using command service garner:restart -ds nosync it fills up again.

    It happend after 17.5 MR4; now using MR4-1; but sill stopping after a few days

  • 0 in reply to PRC_N

    Do your daily reports show your user activity? Also after a restart to get user activity reported I am seeing data from the previous day eg the device was not on the network yesterday.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PRC_N

    Hi,

    Please book a ticket with TAC team. I am investigating the issue on my firewall.

    Regards,

    Deepak Kumar

    Sophos Architect | NSE 4 | CCNP | CISE 

  • 0 in reply to Deepak Verma

    [#8781763] Web support ticket.

  • 0 in reply to PRC_N

    Garner is the "center daemon" for logging. So if this daemon dies, your logging stops. 

     

    https://community.sophos.com/kb/en-us/126722

    Maybe for your Information. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    The question is why after the upgrade has it stopped? Why does it take a restart to get all the reports working again eg user activity? 

    Until the upgraded I had not experienced any issues with the garner process.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi we have a similar issue. Our logs stopped working too. We also saw issues with CPU usage where a reboot clears it but after about 2 days CPU usage jumps by an extra 30%+ after a few days. I have been told that our CPU usage is normal even though before the update it was nowhere near that high and Sophos have connected in and seen the Garner daemon at 99% on 1 core.  No matter how much I try to tell them something is wrong they are just more interested in closing the case.

  • 0 in reply to Pwc

    Hi Pac,

    I would find that response a little strange, since MR-4 my memory usage has dropped from 55% to 47% consistently and CPU is about the same 3-12%.

    Sounds like you might have a corrupt reporting database?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi memory usage has been fine. They have already been in and fixed the DB errors and say there are no more issues. When I get chance I am going to check if the garner service is back at 99% usage again.

  • 0 in reply to Pwc

    Broken again sometime yesterday. I have a small amount of data from yesterday and nothing in the GUI this morning.

    I am going to restart the XG to see if that quickly fixes the issue.

    Ian

     

    Update:- restart fixed the reporting and logging issues. Why was a restart required?

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML