Sophos XG firewall is offering on Device Reporting and logs, which is a good feature for all SMBs. There is another module "Sophos iView" available for logs and reporting but it is good for some critical organization or big data Center who need a lot of logs, reports, and backup of all those.
Recently, I faced an issue as there is no log showing on the GUI "Log Viewer" but you will see all logs through the command line or some new logs on the auxiliary device but not on the primary devices (new logs not updating). This issue is reported on a virtual and hardware firewall as well. Today I am going to share how to handle this issue without book a ticket with the NOC team.
Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall.
Please read a full blog post at:
Besides the fact that logs may not be updating, I have hit this today. I have a rule, let's call it "36" that allows a server to validate a certificate somewhere on the web. I disable it, it cannot validate. I enable it, it does. Simple. Well. Filtering with "Firewall Rule = 36" indicates XG's logs have no clue firewall rule 36 exists. nada. niet nothing. Filtering logs with that server's ip shows it never ever whatever uses rule 36.
Also, in the "Firewall" menu, you could see the rule would allow traffic "in x.xx MB, out x.xx MB". Another indication that rule actualy does something.
Navigating blind I presume.
Logs viewer in XG requires entire re-write.
I have also got the somehow the same issue Sophos XG750 ie. if I am enabling email notification in System>Administration> Notification Setting my box garner service gets stops after few hrs. And after disabling email notification and restarting of garner service , log and report are coming fine.
I raise this issue and checking the box log by GE support team, they installed a patch called "libeximmailclient" and now i am able to see the log in log vieiwer and reports also.
Thanks to the sophos GE support team.
You resultant fix leads to a question as to why it has not been deployed as a hot fix to all XG boxes?
May be it depend what kind of issue actually we facing.
After checking below output they decided to patch it:
#0 0xf732e471 in poll () from target:/lib/libc.so.6#1 0xf72572cf in ?? () from target:/lib/libpq.so.5#2 0xf72571b0 in ?? () from target:/lib/libpq.so.5#3 0xf725709a in ?? () from target:/lib/libpq.so.5#4 0xf7257062 in ?? () from target:/lib/libpq.so.5#5 0xf7253457 in PQgetResult () from target:/lib/libpq.so.5#6 0xf7253ae1 in ?? () from target:/lib/libpq.so.5#7 0xf7253753 in PQexec () from target:/lib/libpq.so.5#8 0xf6f99679 in process_pgsql_query (conn_handle=0xa2100a8, query=0xffd65688 "END;", r_set=0x0) at postgres_db.c:585#9 0xf6f99a86 in end_transaction (conn_handle=0xa2100a8) at postgres_db.c:701#10 0xf6f9a26b in move_table_to_usedqueue (db=0x9e55234, table=0x9e55220) at postgres_db.c:927#11 0xf6f943fb in oppostgres_event (handle=0x9ed7f90) at oppostgres.c:477#12 0xf6f94253 in oppostgres_output (searray=0xf44de008, nse=1, output_data_list=0xffd667b8, handle=0x9ed7f90) at oppostgres.c:435#13 0x08051844 in check_conditions ()#14 0x080518e5 in check_conditions ()#15 0x080519de in process_std_events ()#16 0x08051a71 in ?? ()#17 0x08052309 in handle_accept_udp ()#18 0x080542b5 in do_epoll ()#19 0x08054717 in parent_main ()#20 0x080550dc in garner_main ()#21 0x08055113 in main ()
I would be surprised seeing the issue is temporarily resolved by disabling certain notifications.
There is a KBA for this Issue:
This KB is added newly, it was not there before. I raised this issue on 17-July-2019 and patched installed on 19-July-2019 on my device (XG750)