Sophos XG firewall is offering on Device Reporting and logs, which is a good feature for all SMBs. There is another module "Sophos iView" available for logs and reporting but it is good for some critical organization or big data Center who need a lot of logs, reports, and backup of all those.
Recently, I faced an issue as there is no log showing on the GUI "Log Viewer" but you will see all logs through the command line or some new logs on the auxiliary device but not on the primary devices (new logs not updating). This issue is reported on a virtual and hardware firewall as well. Today I am going to share how to handle this issue without book a ticket with the NOC team.
Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall.
Please read a full blog post at:
As my closing comment on this issue that this is happening due to some instability issue and it will go away if you will disable the Email Notification for IPSec Tunnel up/Down and Email Later for Login failure (as per shown in the Picture).
Sophos Architect | NSE 4 | CCNP | CISE
that is not a fix, but a temporary work around that does not offer solution to the missing services. It is not an instability issue, but a software issue that should have been fixed in MR-6 as promised.
edited layout, something went wrong with the page load.
However, there’s a need to maintain a log book of all those temporary work-arounds on all appliances, since they last months. Our customers do not pay for that.
Anyone has an update on this ?
Its actually not even a temporary work around.
IPSec data is not being written to the system log.
So if an IPSec tunnel drops and reconnects, there are no log messages, even though the Firewall logging is working.
Need some way of extracting the console logs. Having a major Azure issue at present.
Gavin Daniels. DipIT(Networking)
You could get brave, enable the logging and create a batch run the restart garner each night.
No use doing something to restart the Gartner service when the IPSec logs are not being written when it is already running.
Something has changed from 17.5.4 to 17.5.6 to break that
If you are not getting any IPSEC log lines in the SYSTEM log comp then yiu have a different problem than this issue and should contact support. This Garner issue is for all logs or none at all.
Not had any issues with IPSEC logs being written noticeably on any of mine/customer firewalls.
Already have a support ticket in the system,
Its just that this customer uses the IPSec connections a lot, so not logging really stood out.
Originally had the Gartner issue, and after disabling notifications and restarting, the firewall is now logging. but trying to track an azure issue without logs is difficult.
Silly question ... How many customers do you maintain ? For statistic purposes.
Here, I do not have to restart garner that much. I presume it is related to the quantity of logs generated, and maybe to the speed the appliance manages these logs. I say that because or appliances are overkill and we have few users. Their web activities being mostly mails. We have have IP telephony. This generates "A LOT" however.
PMed you regarding the Azure issue.
We do not actively maintain Customers as we are not an MSP but we have Support contracts for around 75 of our Customers. However, we are a ProServices outfit as well and i install between 2 and 4 Customer appliances/endpoint software a week (discounting multiples in the same sitting).
I have seen this on about 30% of our Customers on 17.5.5/6 and around the same percentages on my installations. I do regularly enable the alert notifications but since this issue i have stopped.
@Emile Have responded to PM
@Buck Have 15 which I manage, most are running 17.5.4 MR4 at present and will be staying there until this is resolved. Have had no Gartner logging issues with any of them, but most of them do not produce a large volume of logs per day. All are a minimum of an XG125, with a couple of XG210 and a XG310
I only upgraded 2 units to MR6 due to the listed IPSec fixes related to connection rekey issues believing it may assist with the Azure issue. But without logging it is really difficult to resolve.
There needs to be a way of getting the console logs out, but I cant seem to find one.