SonicWALL ESA 5000 not displaying Inbound/Outbound message audit logs

SonicWALL ESA 5000 stopped displaying any Inbound/Outbound message logs and connection logs since Jan 01, 2021. Capture APT center still shows recently scanned email attachments. Both IN/OUT emails are working though!

Any advice please?

Category: Email Security Appliances

Best Answers

  • CORRECT ANSWER
    David W SonicWall Employee
    edited January 5 Accepted Answer

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • CORRECT ANSWER
    David W SonicWall Employee
    Accepted Answer

    The searchdb has to be rebuilt in order to process all the messages that were not processed since Late Friday.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

Answers

  • RobertK Newbie ✭

    They have a similar problem, as MS has with Exchange and the Y2K22... The searchengine log of our ESA5000 shows masses of:

    {"type":"FATAL", "line":" 37", "time":"2022-01-01T19:50:45,440", "user":"", "logger":"com.sonicwall.common.HandleException:doCriticalAlertAndLogExceptionToFile()", "msg":"Exception: For input string: "2201010316"", "exp":" java.lang.NumberFormatException: For input string: "2201010316" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_292]" }

    Techsupport told me, that devs are looking into the problem. Waiting for firmware update...

    Robert
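Added example, not part of the original thread and not SonicWall code: a Python triage script that scans search-engine log lines like the one Robert quotes and flags `NumberFormatException` inputs that are valid yyMMddHHmm timestamps larger than 2147483647. It assumes the appliance parses that value as a signed 32-bit Java `int`, which the thread does not confirm; the sample lines and the function names are constructed for illustration.

```python
import re
from datetime import datetime

INT32_MAX = 2**31 - 1  # Java Integer.MAX_VALUE (2147483647)

# The log lines are not strict JSON (inner quotes are unescaped), so use regexes.
NFE_RE = re.compile(r'NumberFormatException: For input string: "([^"]*)"')
TIME_RE = re.compile(r'"time":"([^"]+)"')

# Constructed sample lines; the first is modelled on the line quoted in the thread.
SAMPLE_LOG = [
    '{"type":"FATAL", "time":"2022-01-01T19:50:45,440", "msg":"Exception: For input string: "2201010316"", '
    '"exp":" java.lang.NumberFormatException: For input string: "2201010316""}',
    '{"type":"FATAL", "time":"2022-01-01T19:51:02,118", "msg":"Exception: For input string: "9999999999"", '
    '"exp":" java.lang.NumberFormatException: For input string: "9999999999""}',
    '{"type":"ERROR", "time":"2021-12-30T08:12:10,007", "msg":"Exception: For input string: "n/a"", '
    '"exp":" java.lang.NumberFormatException: For input string: "n/a""}',
    '{"type":"INFO", "time":"2021-12-31T23:58:00,001", "msg":"index flush complete", "exp":""}',
]


def as_yymmddhhmm(value):
    """Return a datetime if value is a valid 10-digit yyMMddHHmm stamp, else None."""
    if len(value) != 10 or not value.isdigit():
        return None
    try:
        return datetime.strptime(value, "%y%m%d%H%M")
    except ValueError:  # e.g. month 99
        return None


def find_overflow_stamps(lines):
    """Return (log_time, raw_value, decoded_stamp) for each rejected value that
    is a real timestamp but too large for a signed 32-bit integer."""
    hits = []
    for line in lines:
        m = NFE_RE.search(line)
        if not m:
            continue
        value = m.group(1)
        stamp = as_yymmddhhmm(value)
        if stamp is not None and int(value) > INT32_MAX:
            logged = TIME_RE.search(line)
            hits.append((logged.group(1) if logged else None, value, stamp))
    return hits


if __name__ == "__main__":
    for logged, value, stamp in find_overflow_stamps(SAMPLE_LOG):
        print(f"{logged}: {value} -> {stamp:%Y-%m-%d %H:%M} exceeds {INT32_MAX}")
```

Every valid stamp from 2021 stays below the 32-bit limit (the largest is 2112312359), while the first minute of 2022 (2201010000) is already above it, which matches the Jan 1 onset reported in the thread.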

  • BWC Cybersecurity Overlord ✭✭✭

    That's a bummer. HES is not affected; it's an on-prem thing only, it seems.

    --Michael@BWC

  • DTHAPA Newbie ✭

    Seems like usual business for SonicWALL. Fix one thing and at the same time break another thing!

  • DTHAPA Newbie ✭

    OOPS.....!! Tried rebooting and rebuilding searchdb as per the below KB but no luck. Now my ESA is stuck at 97% since 12 Hrs.

    https://www.sonicwall.com/support/knowledge-base/auditing-junk-box-is-not-showing-latest-emails-with-an-alert-database-corrupted/170504922247917/

  • DTHAPA Newbie ✭
    edited January 3

    Got an update from SonicWALL that the Devs are testing the hotfix for this issue. Offered the engineering build to test but I decided to wait for the final one, though they said the same build is applied on Hosted Email Security environment.

    Until then, no message logs, no connection logs, no Junk email logs!

    Thanks!

  • BWC Cybersecurity Overlord ✭✭✭

    @DTHAPA Y2K22 just 3 days in and it's starting great so far for ES and Exchange customers, can't wait what the remaining 362 days will bring :)

    --Michael@BWC

  • DTHAPA Newbie ✭

    @BWC Probably more Exchange bugs and vulns ahead! I was planning to move Exchange to Office 365 with SNWL HES or SNWL Cloud App Security but now .... it's, meh!

  • David W SonicWall Employee
    edited January 5

    Hosted was updated already and should not be an issue.

    All on prem ES windows or appliance need to do the following.

    The builds are in process of web posting so if you want to wait you can but we have provided some temporary links to the builds.


    1. Update the unit with newer build

    2. Note that Junkbox and Auditing pages show no data

    3. Go to diag page and Click on Administrator Tools. (when logged into the UI change the url to diag.html and click administrator tools then basic commands)

    4. Under Basic Commands, click on -rebuildsearchdb and follow the prompt and click Execute.

    5. Go back to Junkbox page and make sure data is getting rebuilt with newer timestamps. (this may take a few minutes to get started you will need to refresh the page)

    6. Go back to Message Logs page and make sure data is getting rebuilt with newer timestamps. (this may take a few minutes to get started you will need to refresh the page)

    7. Newer mail that is flowing should show up at the top of page from time to time

    8. Rebuild progress should show up at the top of each page.


    You do not need to create a dropbox account to get to these, if prompted ignore.


    All Email Security Appliances including Virtual: {removed}

    All Windows install, Run on Server do not upload in UI: {removed}

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • tbrame Newbie ✭

    Any chance we can get a URL directly from a Sonicwall domain? Honestly, I'm not sure many folks (me included) would EVER trust installing anything from a random DropBox URL.

  • David W SonicWall Employee

    Yes, once it's web posted, but I can't tell you when that will be yet.

    If you have a case open we can see about posting it to the case.

    However that will also take time.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • David W SonicWall Employee

    Both links appear to not be working now.

    404 errors appear to be generated..

    Will see about alternate place to share from.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @David W thanks for the Files, worked like a charm and the logs are back.

    --Michael@BWC

  • DTHAPA Newbie ✭

    @BWC Glad that worked for you. Did you try rebuilding the searchdb after upgrade or worked out simply after uploading the new firmware?

    @David W I have ES 5000 and going to give a try!

  • David W SonicWall Employee

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • DTHAPA Newbie ✭
    edited January 3

    Perfect! It worked for me. All the messages (Inbound/Outbound, Junk Box, Connection Logs) are appearing progressively. Messages appear to be in Location: Queue but I guess it's normal and would mark correctly later once rebuildsearchdb process is completed.

    Sitting back and enjoying the coffee!

    Thanks, @David W !

  • RobertK Newbie ✭

    Perfect, working at our site, too!

    Thanks,

    Robert

  • MEGIT Newbie ✭
    edited January 3

    The update went fine for our Windows based Installation and new incoming/outgoing/junk mails are now visible in the logs again. Also the rebuild of the searchdb has added the backlog of the last 3 days correctly. Unfortunately the rebuild gets stuck at 9X% for incoming/outgoing mail (junkbox and connections finish correctly) every time and never finishes :(

    Also I've noticed that mlfclean seems to be unable to clean any content newer than 01/01/2022 (I've set the retention time to 1 day and have run mlfclean in an attempt to debug the stuck rebuild, but only stuff older than 01/01/2022 was removed correctly) so there seems to be another issue @David W

  • David W SonicWall Employee
    edited January 3

    You will always have upwards of 3 days data even if you set retention to only 1 day.

    Give the rebuild time.

    In some cases the last few percent can take a long time.

    If anything I would look for really old data that should have been cleared.

    That is normally the cause of issues like that.


    I tested MLFclean and it is working properly in my tests.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • SonicAdmin80 Enthusiast ✭✭

    I'm late to the party, the sonicwall.com links don't work anymore. Dropbox still seems to work but I'd at least like to see checksums to verify before using those. Or do I have to wait until Thursday to be able to update?

  • David W SonicWall Employee

    @SonicAdmin80 Do you have a case open presently for this?

    I would suggest opening one and we can work from there.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @SonicAdmin80 I downloaded it via Dropbox and from the provided link in the KB-article. Both have the same MD5 checksum.

    MD5 (es-10.0.14.7229-linux-Haswell-updater-der-signed.sh) = 8a0d857efaa05144745fd6beeec7a738
    

    --Michael@BWC

  • SonicAdmin80 Enthusiast ✭✭

    Looks like the article now says it should be released today, so I can wait since unjunking seems to still work.

  • SonicAdmin80 Enthusiast ✭✭

    The updates have been released. They are labeled as "32-bit upgrade" and "64-bit upgrade". Is there such a thing as 32-bit version? Shouldn't they be "64-bit new install" and "64-bit upgrade"?

  • David W SonicWall Employee

    @SonicAdmin80 Use the 64 bit upgrade file.

    the other one is mislabeled and is the OVA file to deploy a new VA.

    I informed Product Management about it already

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @David W the official released Firmware is 10.0.15 and the pre-release is 10.0.14. I deployed 10.0.14 as a quick solution for my customers. Are there any changes in 10.0.15 (like an updated log4j 2.17.1) which makes another upgrade reasonable or can I stick with 10.0.14?

    --Michael@BWC

  • David W SonicWall Employee

    @BWC 10.0.15 is 10.0.14 with an auto searchdb rebuild function built in if the version is less than 10.0.14

    Nothing else.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security
