How to browse through logs and syslogs in the Virtual Appliance?
03/26/2020
Description
It is useful to see the real-time syslogs and logs currently being processed by the Analyzer/GMS system. Below are some examples of how to navigate those logs and syslogs.
Resolution
1. To see if GMS is receiving logs from a specific firewall, use the following:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:17.215326 IP (tos 0x0, ttl 64, id 50710, offset 0, flags [DF], proto UDP (17), length 298)
192.168.177.58.syslog > mini8snwl.syslog: SYSLOG, length: 270
Facility local0 (16), Severity info (6)
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:15:17 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=2409400 src=172.22.100.251:49176:X0 dst=172.22.103.9:53:X0 proto=udp/dns sent=63 spkt=1 cdur=30616 fw_action="NA"
2. To see if we are receiving a heartbeat from a specific firewall, use the following:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C | grep m=96
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:16:45 UTC" fw=10.71.254.58 m=96 n=70660 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=60
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:17:45 UTC" fw=10.71.254.58 m=96 n=70661 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=61
3. To see if we are receiving syslogs from a specific firewall:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:16:45 UTC" fw=10.71.254.58 m=96 n=70660 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=60
4. To see if the syslog from the firewall is arriving with the correct priority (it is important to have the syslog at the correct priority; if the log settings are too high or too low, it can affect reporting, for example 'No matching record found'):
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C | grep m=537 | grep pri=6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:34:51 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=2410169 src=172.22.100.251:55427:X0 dst=172.22.103.9:53:X0 proto=udp/dns sent=73 spkt=1 cdur=30100 fw_action="NA"
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:34:51 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49202 appName="General UDP" n=2410170 usr="Unknown (SSO failed)" src=192.168.177.222:1900:X3 dst=192.168.163.7:53334:X1 dstMac=02:17:c5:0f:51:57 proto=udp/53334 sent=2868 spkt=6 cdur=37750 fw_action="NA"
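The tcpdump/grep checks in steps 2 and 4 can also be run offline over captured messages. The following is an added example, not part of this article: it parses the key=value body of the captured syslog (quoted values may contain spaces), counts heartbeats (m=96) per firewall serial number, and flags m=537 messages whose pri= differs from the value the grep above looks for (pri=6, assumed here to be the expected priority). The sample lines are copied from the captures above plus one constructed line with a wrong priority; the function names are my own.

```python
import re
from collections import defaultdict

# One key=value token of the SonicWall syslog body: the value is either
# double-quoted (and may contain spaces, e.g. usr="Unknown (SSO failed)")
# or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample input: three lines copied from the captures in this article, plus one
# CONSTRUCTED line (n=2410171, pri=7) to show the priority check firing.
SAMPLE = [
    'Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:15:17 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=2409400 src=172.22.100.251:49176:X0 dst=172.22.103.9:53:X0 proto=udp/dns sent=63 spkt=1 cdur=30616 fw_action="NA"',
    'Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:16:45 UTC" fw=10.71.254.58 m=96 n=70660 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=60',
    'Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:34:51 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49202 appName="General UDP" n=2410170 usr="Unknown (SSO failed)" src=192.168.177.222:1900:X3 dst=192.168.163.7:53334:X1 dstMac=02:17:c5:0f:51:57 proto=udp/53334 sent=2868 spkt=6 cdur=37750 fw_action="NA"',
    # constructed: same firewall, m=537 sent at pri=7 instead of pri=6
    'Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:35:02 UTC" fw=10.71.254.58 pri=7 c=1024 m=537 msg="Connection Closed" n=2410171 src=172.22.100.251:55428:X0 dst=172.22.103.9:53:X0 proto=udp/dns fw_action="NA"',
]


def parse_msg(line):
    """Parse the 'Msg:' body of one captured syslog line into a dict of fields."""
    body = line.split("Msg:", 1)[1] if "Msg:" in line else line
    fields = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def heartbeats_by_serial(lines):
    """Count heartbeat messages (m=96) per firewall serial number (sn), as in step 2."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_msg(line)
        if f.get("id") == "firewall" and f.get("m") == "96" and "sn" in f:
            counts[f["sn"]] += 1
    return dict(counts)


def wrong_priority(lines, msg_id="537", expected_pri="6"):
    """Return (sn, n, pri) for every m=<msg_id> message whose pri= is not the expected one (step 4)."""
    bad = []
    for line in lines:
        f = parse_msg(line)
        if f.get("m") == msg_id and f.get("pri") != expected_pri:
            bad.append((f.get("sn"), f.get("n"), f.get("pri")))
    return bad


if __name__ == "__main__":
    print("heartbeats:", heartbeats_by_serial(SAMPLE))
    print("wrong priority:", wrong_priority(SAMPLE))
```

Feed it the saved output of the tcpdump command instead of SAMPLE to check a real capture; only the lines containing "Msg:" carry fields.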
5. To see the real-time log from a specific log file:
For example, to see the real-time Summarizer logs:
- Navigate to the /opt/GMSVP/Logs directory
[root@mini8snwl Logs]# tail -f StdVPSummarizer0.log
[Mon Jul 18 11:22:21 CEST 2016] Jul 18, 2016 11:22:21: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_091911_to_20160718_092211.unp
[Mon Jul 18 11:24:47 CEST 2016] Jul 18, 2016 11:24:47: [ETLProcess/run()]: ETL runs so far = 90611
[Mon Jul 18 11:25:18 CEST 2016] Jul 18, 2016 11:25:18: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_092211_to_20160718_092511.unp
[Mon Jul 18 11:28:19 CEST 2016] Jul 18, 2016 11:28:19: [DatabaseAdminTask/isDBConfigured()]: Local DB Configuation is in sync
[Mon Jul 18 11:28:20 CEST 2016] Jul 18, 2016 11:28:20: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_092511_to_20160718_092811.unp
6. To see the upgrade history of the Analyzer/GMS:
- Navigate to the /opt/GMSVP/conf directory
[root@mini8snwl conf]# cat upgradeHistory.log
Fri Sep 18 13:06:33 UTC 2015:sw_gmsvp_all_eng_8.0.hotfix.dts.161814.sig:hotfix:Analyzer IP Fix:161814:Success
Fri Sep 18 13:25:28 UTC 2015:sw_gmsvp_all_eng_8.0.hotfix.dts.161632.4.sig:hotfix:Support for SonicOS 6.2.4 and other fixes (Take-4):20150715:Success
Thu Nov 12 10:28:04 UTC 2015:sw_gmsvp_all_eng_8.0.sp1.10.sig:sp:Service Pack 1 for 8.0 (Take-10):20151029:Success