How To Retrieve Log Files From a Sophos UTM Cluster Slave Node

When you have an active-passive Sophos UTM cluster, the configuration is synchronized between the nodes including logs files. This normally means that the log files on the Master and the Slave are the same, and retrieving the file from either of these is sufficient.

Sometimes, however, things go wrong. If the Master fails, it may not sync all the log data to the Slave node. The Slave will become active and continue to be the Master. In this case, it may be necessary to retrieve log files from a UTM cluster Slave node.

From the WebUI, there is no method to view the files on the Slave device. Interestingly, this is important because those log files can contain information about the cause of the failure.

I have also observed situations where the log replication between nodes fails, and the only way to get to the log data is to retrieve it from each node individually.

This guide will show how to connect to the Slave node, copy the file to the Active/Master node and then to your local machine.

Connect to the Sophos UTM cluster Slave node

By default, you can only connect to the Master (or Active) node. We will make use of an internal utility to access the Slave.

1. Navigate to Management | System Settings | Shell Access and enable shell access on the Sophos UTM.
2. Using Putty, SSH to the Sophos UTM cluster and log in with the loginuser account.
3. Elevate yourself to root with su - and specifying a password. This will connect you to the Master.
4. Connect through to the Slave node using ha_utils ssh.
5. Specify the password associated with loginuser.
6. Change to the log folder with cd/var/log and check the file content and size with ls -s.

Here you will see the list of log files that are on the Slave node. You can use Linux tools such as cat/ tail / less etc. to interrogate the files, but you will probably want to copy the file off a box for further analysis, especially if you are dealing with a large file.

Copy the file to the Master node

The IP address you are going to copy the file to will be 198.19.250.1 or 198.19.250.2 as these are internal addresses of the cluster nodes. To determine the IPs, use the following command and look at the "inet" value.

ip a | grep 198.19.250

You can copy the file to the Master with the following command. Specifying the alternate IP address.

scp afc.log [email protected]:/home/login/slave-afc.log

Once the file has been copied to the new location, you can access it directly.

Copy the file off the Sophos UTM cluster

The Master node now has a copy of the log file we need. Since we can connect to the Active node directly, we can use WinSCP to retrieve the file and copy it to our local Windows machine.

1. Start WinSCP and connect to the Sophos UTM
2. Log in with loginuser
3. By default, you will be in the /home/login directory and your file should be there.
4. On the left-hand pane navigate to the desired destination folder on your machine.
5. Select the log file on the right and drag it over to the left-hand pane to copy it to your local machine

From here you can use your normal tools to interrogate the file for more details.

The HTTP.log file can be analysed by Fastvue Sophos Reporter using the historic log file import method, or by manually adding a Filesystem source.

Various other logs such as packetfilter, reverse proxy and DHCP can be imported and analyzed with Webspy Vantage.

Conclusion

Being able to connect to the Slave or Passive node in a cluster can be useful to troubleshoot errors. However, if the log files or log data are critical for legal or regulatory compliance, knowing how to retrieve these files is vital. Speaking from personal experience, knowing how to do this will come up at some stage.

For additional reading, please view our posts on Setting up a Sophos UTM High Availability Cluster, and Overcoming Sophos UTM HA Cluster Logging and Reporting Issues.

Did you know: Fastvue Sophos Reporter produces clean, simple, web usage reports using log data from your Sophos UTM that you can confidently send to department managers and HR team.

Why use Fastvue over Sophos iView?