Number of records in System Logs

Why does the firewall show only a few hundred logs at most? In the settings (/Monitor/Logs/System Logs) there is a selection showing that the limit can be up to 8000. Never before in my TZ370 has the number exceeded 1000.

Is it like that in all of them?

Category: Firewall Management and Analytics

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @Mariusz the TZ 370 does not have any storage for holding the logs, just a simple ring buffer (32 KB?). If it's filled up, all the older events vanish.

    The lower left corner of the table shows the max number of records available. The screenshot shows a TZ 670 for example which comes with internal storage.

    —Michael@BWC

  • Mariusz Enthusiast ✭✭
    edited January 12

    @BWC Can this buffer be increased?
    I really don't understand why they made it so tiny.
    Even 1MB is nothing compared to gigabytes of RAM.

    What do you mean by internal storage?
    Maybe you mean External Storage?

  • BWC Cybersecurity Overlord ✭✭✭

    @Mariusz sadly the buffer cannot be increased, this was and still is a pain point with SonicWall Firewalls.

    Sorry for the confusion, the correct term would be Primary and Secondary storage, both of them are "internal" (SSD). The TZ 670 comes with Secondary storage which can be used for saving logs. Primary storage cannot be used for logs, only on NSa 4700 and up.

    —Michael@BWC

  • Mariusz Enthusiast ✭✭

    @BWC Thank you for the explanation. You write that TZ 670 comes with Secondary storage which can be used for saving logs - yes it has 32 GB built in. Please explain one more thing to me. On the screen you posted we see available "secondary storage device" and this is TZ470. Does this TZ470 have any additional storage? What is this storage?

  • Mariusz Enthusiast ✭✭
    edited January 12

    Thanks, that explains a bit. With firmware 7.1.2 the windows look a bit different (see livedemo).

    The descriptions have the names Secondary, External, Internal, Flexible - it's a bit confusing. The module is named External and in the GUI it's shown as Secondary. I'm planning to buy Storage Module M.2 SATA 32GB (02-SSC-3114). So after adding External Storage module (M.2 SATA) it will be possible to save system logs there?

  • Mariusz Enthusiast ✭✭
    edited January 12

    @BWC Thank you very much for all the explanations.

    I wonder if SonicWall will allocate more RAM (increase the buffer size) for logs in future firmware. I think it's worth doing.

  • Mariusz Enthusiast ✭✭
    edited February 4

    TZ370 stopped sending system logs to FTP. This happened after changing the settings from sending "when full" to sending "daily". I only changed this one setting. After this change, only one sending occurred and then nothing. I did not restart the device - I am waiting for now. The change was made after installing the M.2 Storage Module 32GB - the logs are saved there. In this case, the option "when full" does not make sense.

    Do I need to change anything in the FTP sending options when there is an additional Storage Module?

  • Mariusz Enthusiast ✭✭

    I have enabled saving system logs to the secondary Storage Device.
    Searching in system logs does not work correctly.
    After entering a search sequence, the search continues indefinitely.
    It hangs after searching in 25,000 or 50,000 entries.
    I am not satisfied with the operation of this storage module.

  • Larry All-Knowing Sage ✭✭✭✭

    Tagging in here for reasons.

    Looking at my own TZ270W running SonicOS 7.1.3-7015. I only manage to "get" around 100 entries in the System Log to review.

    One client site this morning issued HPE alerts that the Aruba cloud devices were offline. They use a TZ470 that is still running SonicOS 7.0.1-5165. The System Log only displays between 30 to 50 entries.

    So, to get a more evidence-based approach to viewing what's going on over time, I must update the firmware.

    But will I also have to add a secondary storage module to be able to retain those logs? Because even though 7.1.3 allows for up to 8,000 entries, I don't think that device (never mind mine) would be able to display them without thrashing and preventing normal internet traffic.

    Or am I simply making up stuff?

  • BWC Cybersecurity Overlord ✭✭✭

    @Larry my TZ 670 with 32 GB secondary storage currently has around 139K system log entries, but only 8K of them are viewable in the UI. They are stored in 12.5K chunks which can be downloaded/exported manually. Sadly only one by one. No further analysis without external tools.

    Without secondary storage the logs cannot be saved between reboots.

    A customer TZ 470 maxed out at 874 entries, which was good for around 10 minutes of logging :)

    Without external tools, logging is really no joy.

    —Michael@BWC

  • Mariusz Enthusiast ✭✭
    edited March 14

    I am surprised by such a small number of available system logs as you write. Before installing the M.2 Storage Module on the TZ370 (both 7.1.2 and 7.1.3) I could see about 800-900 logs. Currently in my TZ370 the logs are collected in the Storage Module and there are almost 200000 of them now. Searching the logs usually takes quite a long time and sometimes the search hangs. The number 8000 is the maximum to display, but there may be more collected in Storage.
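
The thread above mentions that stored logs come off the device in separate chunks and that on-box search can hang. As an added example (not part of any post in this thread and not SonicWall code), the sketch below merges exported chunks offline and searches them. It assumes the chunks are CSV files with a header row; the column names, the timestamp format and the sample rows are constructed assumptions to be matched to a real export.

```python
import csv
import io
from datetime import datetime

# Assumptions: match these to the header row and timestamp style of your export.
TIME_COL = "Time"
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample chunks (not real device output); the second overlaps the first.
CHUNK_A = """Time,Priority,Category,Message
01/12/2025 09:00:01,Notice,Network,Interface link up
01/12/2025 09:05:42,Alert,Security,Possible port scan detected
"""
CHUNK_B = """Time,Priority,Category,Message
01/12/2025 09:05:42,Alert,Security,Possible port scan detected
01/12/2025 08:59:30,Info,System,Log upload to FTP server completed
"""

def merge_chunks(chunk_texts):
    """Parse CSV chunks, drop rows repeated across chunks, sort by timestamp."""
    seen, rows = set(), []
    for text in chunk_texts:
        for row in csv.DictReader(io.StringIO(text)):
            key = tuple(row.values())
            if key in seen:
                continue
            seen.add(key)
            row["_ts"] = datetime.strptime(row[TIME_COL], TIME_FMT)
            rows.append(row)
    rows.sort(key=lambda r: r["_ts"])
    return rows

def search(rows, term, start=None, end=None):
    """Case-insensitive substring match over every field, optional time window."""
    term = term.lower()
    return [
        r for r in rows
        if (start is None or r["_ts"] >= start)
        and (end is None or r["_ts"] <= end)
        and any(term in v.lower() for k, v in r.items() if k != "_ts")
    ]

if __name__ == "__main__":
    merged = merge_chunks([CHUNK_A, CHUNK_B])
    for hit in search(merged, "port scan"):
        print(hit[TIME_COL], hit["Priority"], hit["Message"])
```

For real exports, read each downloaded file into a string and pass the list to `merge_chunks`; the merged, time-ordered rows can then be filtered without touching the firewall's UI.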
