Please tell me this CAN'T be true...
jtpryan
We had an issue this morning where all internet activity was at a crawl. After checking everything else I tried to get on the Sonicwall (TZ270 SonicOS 7.x) and could not. It would present the login screen and accept the credentials but that was it, just sit there with a blank screen and finally time out. So we power cycled it.
Then I go to look at the logs. Nothing there before the power cycle. Nothing, no history at all. I had no filters set. Please tell me it doesn't clear the log on a power cycle. If not, is this indicative of something with the original problem? I have no way to debug it. Also, the Audit log is blank.
Category: Entry Level Firewalls
Answers
@jtpryan OK, I'm telling you this can't be true ... that you really believe the TZ 270 is able to do that. Sorry to break it to you, but the logging is done in-memory in the form of a ring buffer (automatic overwrite when full) and gets lost after a power-cycle.
Only models with Secondary Storage can/should hold the logs persistently.
That's one of the downsides of running SNWLs without external logging.
--Michael@BWC
@jtpryan - Yep, that's the design feature of these "Next Generation" firewalls. Pull the plug, lose the data - same as in Gen 6 and Gen 6.5.
Suggest you open the GUI in your browser, change the word mgmt to diag, erase the rest of the URL, and press Enter.
Click the Internal Settings button.
Change the Trace Log drop-down to All+Current and download that log.
Scroll to the bottom of the WRI file to see if anything pops out at you. If not, log a case with Support and provide this file to see if they can discern anything that might have caused the problem.
Good luck!
I'll throw my hat in the ring and say make sure you're running a recent firmware! Gen 7's early code was terrible!
If you have extra resources on a VM host, run a Debian syslog server and dump your firewall logs to that.
The 'Treacherous Three' strike again!
Every time you power down your sonicwall, the logs will be blank. There will be no codes at all. Anything support could have told you from your TSR was gone right there. I haven't supported much more than a 1050 with my old GMS account in a lot of years. Our network has one endpoint. I have TZs separating each individual dept. I run a constant syslog.
Never depend on a single appliance to give you accurate information. I live in a country where power outages are the norm. My servers are on battery power, but that lasts only so long.
Backups are your friend.
OK, lesson learned. So, can I connect a hard drive to that USB port and have the logs written to it?
@jtpryan Nope, that would be too easy. Depending on the TZ model, there is space for an internal storage module.
Side-Note: Even on larger systems logging is far from perfect.
--Michael@BWC
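
The external-logging advice in the replies, sketched as an added example (not part of the thread and not SonicWall code): a minimal UDP syslog collector that appends each datagram to disk with fsync, so records outlive the firewall's in-memory ring buffer. The port 5514, the file name and the sample message are assumptions; a syslog daemon such as rsyslog would normally fill this role on a real collector.

```python
import os
import re
import socket
from datetime import datetime, timezone

PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagram for illustration, not a real firewall record.
SAMPLE = b'<134>id=firewall time="2024-01-01 09:00:00" pri=6 msg="constructed sample"'


def parse_pri(datagram):
    """Split the RFC 3164 <PRI> prefix into (facility, severity name, body)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        # No valid PRI: keep the message anyway rather than dropping evidence.
        return None, "unknown", datagram.decode("utf-8", "replace").strip()
    pri = int(m.group(1))
    body = datagram[m.end():].decode("utf-8", "replace").strip()
    return pri >> 3, SEVERITIES[pri & 7], body


def persist(path, source_ip, datagram, now=None):
    """Append one record and fsync it so it survives a collector power loss."""
    facility, severity, body = parse_pri(datagram)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    # Escape embedded newlines so one datagram can never forge a second line.
    body = body.replace("\r", "\\r").replace("\n", "\\n")
    line = f"{stamp} {source_ip} facility={facility} severity={severity} {body}\n"
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
        fh.flush()
        os.fsync(fh.fileno())
    return line


def serve(bind_addr="0.0.0.0", port=5514, path="firewall.log"):
    """Receive UDP syslog forever; 5514 (assumed) avoids needing root for 514."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        datagram, (source_ip, _) = sock.recvfrom(8192)
        persist(path, source_ip, datagram)


if __name__ == "__main__":
    serve()
```

Point the firewall's syslog server setting at the collector's address and port, and restrict the listener to the firewall's source IP with a host firewall rule, since UDP syslog is unauthenticated.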