When you have an active-passive Sophos UTM cluster, the configuration is synchronized between the nodes including logs files. This normally means that the log files on the Master and the Slave are the same, and retrieving the file from either of these is sufficient.
Sometimes, however, things go wrong. If the Master fails, it may not sync all the log data to the Slave node. The Slave will become active and continue to be the Master. In this case, it may be necessary to retrieve log files from a UTM cluster Slave node.
From the WebUI, there is no method to view the files on the Slave device. Interestingly, this is important because those log files can contain information about the cause of the failure.
I have also observed situations where the log replication between nodes fails, and the only way to get to the log data is to retrieve it from each node individually.
This guide will show how to connect to the Slave node, copy the file to the Active/Master node and then to your local machine.
By default, you can only connect to the Master (or Active) node. We will make use of an internal utility to access the Slave.
Here you will see the list of log files that are on the Slave node. You can use Linux tools such as cat/ tail / less etc. to interrogate the files, but you will probably want to copy the file off a box for further analysis, especially if you are dealing with a large file.
The IP address you are going to copy the file to will be 198.19.250.1 or 198.19.250.2 as these are internal addresses of the cluster nodes. To determine the IPs, use the following command and look at the "inet" value.
ip a | grep 198.19.250
You can copy the file to the Master with the following command. Specifying the alternate IP address.
scp afc.log [email protected]:/home/login/slave-afc.log
Once the file has been copied to the new location, you can access it directly.
The Master node now has a copy of the log file we need. Since we can connect to the Active node directly, we can use WinSCP to retrieve the file and copy it to our local Windows machine.
From here you can use your normal tools to interrogate the file for more details.
The HTTP.log file can be analysed by Fastvue Sophos Reporter using the historic log file import method, or by manually adding a Filesystem source.
Various other logs such as packetfilter, reverse proxy and DHCP can be imported and analyzed with Webspy Vantage.
Being able to connect to the Slave or Passive node in a cluster can be useful to troubleshoot errors. However, if the log files or log data are critical for legal or regulatory compliance, knowing how to retrieve these files is vital. Speaking from personal experience, knowing how to do this will come up at some stage.
For additional reading, please view our posts on Setting up a Sophos UTM High Availability Cluster, and Overcoming Sophos UTM HA Cluster Logging and Reporting Issues.
Did you know: Fastvue Sophos Reporter produces clean, simple, web usage reports using log data from your Sophos UTM that you can confidently send to department managers and HR team.
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
Filtering and Forwarding Sophos UTM Syslog Data with Syslog-ng
Overcoming Sophos UTM HA Cluster Logging and Reporting Issues