
Sophos XG Firewall 17.5: Logs are not updating on the GUI "Log Viewer"

Sophos XG firewall offers on-device reporting and logs, which is a good feature for all SMBs. There is another module, "Sophos iView", available for logs and reporting, but it is good for critical organizations or big data centers that need a lot of logs, reports, and backups of all of those.

Recently, I faced an issue where no logs show on the GUI "Log Viewer", but you will see all logs through the command line, or some new logs on the auxiliary device but not on the primary device (new logs not updating). This issue has been reported on both virtual and hardware firewalls. Today I am going to share how to handle this issue without booking a ticket with the NOC team.

 

Issue Reported:

Logs are not updating on the GUI "Log Viewer" application of the Sophos XG firewall. 

Troubleshooting Steps:

Please read a full blog post at:

http://www.routexp.com/2019/04/sophos-xg-firewall-175-logs-are-not.html



  • Hi, we have a similar issue. Our logs stopped working too. We also saw issues with CPU usage where a reboot clears it but after about 2 days CPU usage jumps by an extra 30%+ after a few days. I have been told that our CPU usage is normal even though before the update it was nowhere near that high and Sophos have connected in and seen the Garner daemon at 99% on 1 core. No matter how much I try to tell them something is wrong, they are just more interested in closing the case.

  • Hi Pac,

    I would find that response a little strange, since MR-4 my memory usage has dropped from 55% to 47% consistently and CPU is about the same 3-12%.

    Sounds like you might have a corrupt reporting database?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, memory usage has been fine. They have already been in and fixed the DB errors and say there are no more issues. When I get a chance I am going to check if the garner service is back at 99% usage again.

  • Broken again sometime yesterday. I have a small amount of data from yesterday and nothing in the GUI this morning.

    I am going to restart the XG to see if that quickly fixes the issue.

    Ian

     

    Update:- restart fixed the reporting and logging issues. Why was a restart required?


  • Hi,

    What is the firmware version, and did you try to flush the complete reporting? If you face any issue next time, please collect some command output, such as:

    system diagnostics show subsystem-info

    show on-box-reports

     

    The articles below will help you:

    https://community.sophos.com/kb/en-us/123209

    https://community.sophos.com/kb/en-us/132211

    Regards,

    Deepak Kumar

    Sophos Architect | NSE 4 | CCNP | CISE 

  • XG version 17.5.4-1 mr-4.1

    I will try to collect data next time the reports go missing.

    Ian

    The reports are enabled and have been since v15. The reports folder shows 10% usage.


  • Broke again overnight. About to start some diagnostics.

    Ian


  • Hi,

    those KBAs did not help.

    The local reporting : on

    The ReportDB is running.

    Reports is running at 11%

    I will purge the reports and restart the XG.

    Ian


  • Hi folks,

    currently running mr-5. I purged the reports before upgrading and the reports partition is still showing over 10% usage.

    Ian


  • We're experiencing the same issue on our XG330 (SFOS 17.5.5 MR-5).

     

    No new logs appear in the GUI Log Viewer.

    Also, seeing a garner error in the fwlog.log and pktcapd.log, and probably others:

    tail -f /var/tslog/fwlog.log

    garner: connect(/tmp/garner.sock) failed: Resource temporarily unavailable

     

    Our disk utilization is low and we haven't hit our watermark threshold:

     

    console> system diagnostics show disk
    Partition        Utilization(%)
    ===============================
    configuration        19%
    content               2%
    report               18%

     

    console> show report-disk-usage watermark
    Lower watermark percentage for report partition is 80%

     

    The only way to temporarily resolve is by restarting the garner service:

    service garner:restart -ds nosync

    This is the 2nd occurrence since we put the Sophos XG into production this week.
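
A silent stop in firewall logging is a detection gap, so it helps to check for the garner socket error quoted in the post above rather than wait for an empty Log Viewer. The script below is an added example, not part of the thread and not Sophos code: the function names and the ok/seen/failing/unreadable labels are assumptions of this example, and it expects the log paths (for example /var/tslog/fwlog.log) as arguments.

```sh
#!/bin/sh
# Added example (not Sophos code). Flags the garner socket error quoted in the
# thread when it appears in the tail of one or more log files.
GARNER_ERR='garner: connect(/tmp/garner.sock) failed'

# Constructed sample: only the garner line comes from the post; the other
# line is a placeholder, not real SFOS log output.
write_sample() {
    printf '%s\n' 'placeholder: normal log line' \
        "$GARNER_ERR: Resource temporarily unavailable" > "$1"
}

# Print how many of the last $2 lines (default 200) of file $1 carry the error.
garner_failures() {
    tail -n "${2:-200}" "$1" 2>/dev/null | grep -cF -- "$GARNER_ERR" || true
}

# Print "failing" if the newest line is the error, "seen" if it occurs only
# earlier in the window, "ok" if absent, "unreadable" if the file is missing.
garner_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    count=$(garner_failures "$1" "${2:-200}")
    if tail -n 1 "$1" | grep -qF -- "$GARNER_ERR"; then
        echo failing
    elif [ "$count" -gt 0 ]; then
        echo seen
    else
        echo ok
    fi
}

# Report state, match count and path for each file given; return 1 if any
# file is "failing" or "unreadable" so a scheduler can alert on the status.
check_logs() {
    rc=0
    for f in "$@"; do
        state=$(garner_state "$f")
        printf '%s\t%s\t%s\n' "$state" "$(garner_failures "$f")" "$f"
        case $state in failing|unreadable) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh garner_check.sh /var/tslog/fwlog.log [more log files...]
if [ "$#" -gt 0 ]; then check_logs "$@"; fi
```

A "failing" result corresponds to the state in which the poster restarted the garner service; "seen" means the error occurred earlier in the window but newer lines have been written since.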