How to browse though logs and sylogs in Virtual Appliance?
03/26/2020 
973 
12097
DESCRIPTION:
It is useful to see the real time syslogs and logs currently processing the Analyzer/GMS system. Below are some of the example how to navigate those logs and syslogs.
RESOLUTION:
1. To see if GMS receiving logs any specific firewall we can use the followings:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:17.215326 IP (tos 0x0, ttl 64, id 50710, offset 0, flags [DF], proto UDP (17), length 298)
192.168.177.58.syslog > mini8snwl.syslog: SYSLOG, length: 270
Facility local0 (16), Severity info (6)
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:15:17 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=2409400 src=172.22.100.251:49176:X0 dst=172.22.103.9:53:X0 proto=udp/dns sent=63 spkt=1 cdur=30616 fw_action="NA"
2. To see if we are receiving heartbeat from a specific firewall we can use the following:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C | grep m=96
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:16:45 UTC" fw=10.71.254.58 m=96 n=70660 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=60
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:17:45 UTC" fw=10.71.254.58 m=96 n=70661 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=61
3. To see if we are receiving syslogs from specific firewall:
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:16:45 UTC" fw=10.71.254.58 m=96 n=70660 i=60 lic=0 pt=80.443 usestandbysa=0 dyn=n.e ai=1 fwlan=172.22.100.251 conns=60
4. To see if the firewall is receiving syslog with correct priority (it is important to have the sylog in the correct priority, if the log settings too high or low it can have impact on reporting. For example 'No matching record found'):
[root@mini8snwl syslogs]# tcpdump -v -i eth0 src 192.168.177.58 | grep C0EAE481991C | grep m=537 | grep pri=6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:34:51 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=2410169 src=172.22.100.251:55427:X0 dst=172.22.103.9:53:X0 proto=udp/dns sent=73 spkt=1 cdur=30100 fw_action="NA"
Msg: id=firewall sn=C0EAE481991C time="2016-07-19 14:34:51 UTC" fw=10.71.254.58 pri=6 c=1024 m=537 msg="Connection Closed" app=49202 appName="General UDP" n=2410170 usr="Unknown (SSO failed)" src=192.168.177.222:1900:X3 dst=192.168.163.7:53334:X1 dstMac=02:17:c5:0f:51:57 proto=udp/53334 sent=2868 spkt=6 cdur=37750 fw_action="NA"
5. To see the real time log from any specific log file:
<
For example we like to see the real time Summarizer logs:
- Navigate /opt/GMSVP/Logs directory
[root@mini8snwl Logs]# tail -f StdVPSummarizer0.log
[Mon Jul 18 11:22:21 CEST 2016] Jul 18, 2016 11:22:21: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_091911_to_20160718_092211.unp
[Mon Jul 18 11:24:47 CEST 2016] Jul 18, 2016 11:24:47: [ETLProcess/run()]: ETL runs so far = 90611
[Mon Jul 18 11:25:18 CEST 2016] Jul 18, 2016 11:25:18: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_092211_to_20160718_092511.unp
[Mon Jul 18 11:28:19 CEST 2016] Jul 18, 2016 11:28:19: [DatabaseAdminTask/isDBConfigured()]: Local DB Configuation is in sync
[Mon Jul 18 11:28:20 CEST 2016] Jul 18, 2016 11:28:20: [FileProcessor/call()]: Finished processing syslog file: 1_20160718_092511_to_20160718_092811.unp
6. To see the upgrade history of the Analyzer/GMS:
- Nevigate to /opt/GMSVP/conf directory
[root@mini8snwl conf]# cat upgradeHistory.log
Fri Sep 18 13:06:33 UTC 2015:sw_gmsvp_all_eng_8.0.hotfix.dts.161814.sig:hotfix:Analyzer IP Fix:161814:Success
Fri Sep 18 13:25:28 UTC 2015:sw_gmsvp_all_eng_8.0.hotfix.dts.161632.4.sig:hotfix:Support for SonicOS 6.2.4 and other fixes (Take-4):20150715:Success
Thu Nov 12 10:28:04 UTC 2015:sw_gmsvp_all_eng_8.0.sp1.10.sig:sp:Service Pack 1 for 8.0 (Take-10):20151029:Success
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
