Troubleshooting Sophos UTM's Remote Log Archive Feature

As mentioned in my previous article, configuring Sophos UTM's Remote Log Archive feature not only gives you access to historical data for reporting on previous incidents, but it can also be used in Fastvue Sophos Reporter to fill in any gaps if the syslog stream is interrupted.

After configuring the Remote Log Archive feature, you should check the shared folder the next day for new log files, as Sophos UTM's archive procedure occurs at midnight each night. If no files have been copied, or if you can't wait until midnight to test, here is a useful test procedure.

Testing and Troubleshooting the Remote Log Archive

Unfortunately, there is no handy Test button to verify if your remote log archive is working correctly. The troubleshooting process below is a little lengthy, but not difficult, and gives you a command you can run to test the log archive process.

Step 1 - Enable Shell Access On The Sophos UTM

First of all, you need to get to the command line of the Sophos UTM and the way to do this is to enable shell access.

1. From the UTM Management interface select Management | System Settings and select the Shell Access tab
2. Toggle the switch in the top right to turn on Shell Access.
3. Under Allowed Networks, specify the Internal Network and click Apply
4. For Authentication check Allow password authentication and click Apply
5. For Shell user passwords specify and repeat a password for loginuser and click Set specified password.

Step 2 - SSH to the Sophos UTM and Test

You will execute this on the Sophos UTM and then check for the output file in your file share.

1. Use an SSH tool of choice (such as putty) and connect to your Sophos UTM.
2. Log in with the username loginuser and specify the password you specified earlier.
3. Execute the following command to test the archive operation.

 logarchiver.plx -t -d 15

This will force the Sophos UTM to attempt to create small text file in the remote log archive location. The output from the command is quite verbose but provides you with relevant information as to why the remote log archive process has succeeded or failed.

I hope this helps anyone having issues with the Sophos UTM's Remote Log Archive feature. Good luck!