SonicWALL ESA 5000 not displaying Inbound/Outbound message audit logs
Best Answers
David W SonicWall Employee
Please see the following:
David Wilbur
Technical Support Senior Advisor, Premier Services , SME Email Security, Cloud Secure Edge
David W SonicWall Employee
The searchdb has to be rebuilt in order to process all the messages that were not processed since late Friday.
David Wilbur
They have a similar problem to the one MS has with Exchange and Y2K22... The searchengine log of our ESA5000 shows masses of:
{"type":"FATAL", "line":" 37", "time":"2022-01-01T19:50:45,440", "user":"", "logger":"com.sonicwall.common.HandleException:doCriticalAlertAndLogExceptionToFile()", "msg":"Exception: For input string: "2201010316"", "exp":" java.lang.NumberFormatException: For input string: "2201010316" at java.lang.NumberFormatException.forInputString( ~[?:1.8.0_292]" }
Tech support told me that the devs are looking into the problem. Waiting for firmware update...
That's a bummer. HES is not affected; it's an on-prem thing only, it seems.
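A triage sketch for the log entry quoted above, added here as an example and not SonicWall's code. It assumes the failing string is a `yyMMddHHmm` timestamp parsed as a 32-bit signed integer (the Exchange Y2K22 pattern the poster alludes to), which the thread does not confirm; the sample lines are constructed and the function names are hypothetical.

```python
import re

INT32_MAX = 2**31 - 1  # largest value a Java int can hold (2147483647)

# Constructed sample lines shaped like the quoted entry. The inner quotes are
# unescaped, so these are not valid JSON and must be matched with regexes.
SAMPLE_LOG = [
    '{"type":"FATAL", "line":" 37", "time":"2022-01-01T19:50:45,440", "user":"", '
    '"logger":"com.sonicwall.common.HandleException:doCriticalAlertAndLogExceptionToFile()", '
    '"msg":"Exception: For input string: "2201010316"", '
    '"exp":" java.lang.NumberFormatException: For input string: "2201010316"" }',
    '{"type":"INFO", "line":" 12", "time":"2021-12-31T23:58:10,101", "user":"", '
    '"logger":"constructed.Example", "msg":"indexed message batch" }',
    '{"type":"FATAL", "line":" 37", "time":"2022-01-01T19:51:02,007", "user":"", '
    '"logger":"constructed.Example", "msg":"Exception: For input string: "abc"", '
    '"exp":" java.lang.NumberFormatException: For input string: "abc"" }',
]

TYPE_RE = re.compile(r'"type":"([A-Z]+)"')
TIME_RE = re.compile(r'"time":"([^"]+)"')
INPUT_RE = re.compile(r'NumberFormatException: For input string: "([^"]*)"')


def classify(line):
    """Return (time, input, reason) for FATAL NumberFormatException lines, else None."""
    kind = TYPE_RE.search(line)
    bad = INPUT_RE.search(line)
    if not kind or kind.group(1) != "FATAL" or not bad:
        return None
    value = bad.group(1)
    when = TIME_RE.search(line)
    # All-digit input above INT32_MAX is the overflow case; anything else is unrelated.
    overflow = re.fullmatch(r"[0-9]+", value) and int(value) > INT32_MAX
    return (when.group(1) if when else "", value,
            "int32-overflow" if overflow else "other")


def summarize(lines):
    """Count overflow hits and report the earliest timestamp among them."""
    hits = [h for h in map(classify, lines) if h and h[2] == "int32-overflow"]
    return {"overflow_hits": len(hits),
            "first_seen": min(hits)[0] if hits else None}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # Under the assumed layout the last 2021 stamp fits; the first 2022 one does not.
    print(2112312359 <= INT32_MAX, 2201010000 <= INT32_MAX)
```

Run against the real searchengine log after the upgrade, `first_seen` marks where the unprocessed backlog begins, and new overflow hits should stop appearing.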
Seems like usual business for SonicWALL. Fix one thing and at the same time break another thing!
OOPS.....!! Tried rebooting and rebuilding searchdb as per the below KB but no luck. Now my ESA has been stuck at 97% for 12 hrs.
Got an update from SonicWALL that the devs are testing the hotfix for this issue. Offered the engineering build to test but I decided to wait for the final one, though they said the same build is applied on the Hosted Email Security environment.
Until then, no message logs, no connection logs, no Junk email logs!
@DTHAPA Y2K22 just 3 days in and it's starting great so far for ES and Exchange customers, can't wait what the remaining 362 days will bring :)
@BWC Probably more Exchange bugs and vulns ahead! I was planning to move Exchange to Office 365 with SNWL HES or SNWL Cloud App Security but now .... it's, meh!
Hosted was updated already and should not be an issue.
All on-prem ES Windows installs or appliances need to do the following.
The builds are in the process of being web posted, so if you want to wait you can, but we have provided some temporary links to the builds.
1. Update the unit with newer build
2. Note that Junkbox and Auditing pages show no data
3. Go to diag page and Click on Administrator Tools. (when logged into the UI change the url to diag.html and click administrator tools then basic commands)
4. Under Basic Commands, click on -rebuildsearchdb and follow the prompt and click Execute.
5. Go back to Junkbox page and make sure data is getting rebuilt with newer timestamps. (this may take a few minutes to get started you will need to refresh the page)
6. Go back to Message Logs page and make sure data is getting rebuilt with newer timestamps. (this may take a few minutes to get started you will need to refresh the page)
7. Newer mail that is flowing should show up at the top of page from time to time
8. Rebuild progress should show up at the top of each page.
You do not need to create a dropbox account to get to these, if prompted ignore.
All Email Security Appliances including Virtual: {removed}
All Windows install, Run on Server do not upload in UI: {removed}
David Wilbur
Any chance we can get a URL directly from a Sonicwall domain? Honestly, I'm not sure many folks (me included) would EVER trust installing anything from a random DropBox URL.
Yes, once it's web posted, but I can't tell you when that will be yet.
If you have a case open we can see about posting it to the case.
However that will also take time.
David Wilbur
Both links appear to not be working now.
404 errors appear to be generated.
Will see about an alternate place to share from.
David Wilbur
@David W thanks for the Files, worked like a charm and the logs are back.
@BWC Glad that worked for you. Did you try rebuilding the searchdb after the upgrade, or did it work out simply after uploading the new firmware?
@David W I have ES 5000 and going to give a try!
In addition, here is the KB link on this.
David Wilbur
Perfect! It worked for me. All the messages (Inbound/Outbound, Junk Box, Connection Logs) are appearing progressively. Messages appear to be in Location: Queue but I guess it's normal and they would be marked correctly later once the rebuildsearchdb process is completed.
Sitting back and enjoying the coffee!
Thanks, @David W !
Perfect, working at our site, too!
The update went fine for our Windows-based installation and new incoming/outgoing/junk mails are now visible in the logs again. Also the rebuild of the searchdb has added the backlog of the last 3 days correctly. Unfortunately the rebuild gets stuck at 9X% for incoming/outgoing mail (junkbox and connections finish correctly) every time and never finishes :(
Also I've noticed that mlfclean seems to be unable to clean any content newer than 01/01/2022 (I've set the retention time to 1 day and have run mlfclean in an attempt to debug the stuck rebuild, but only stuff older than 01/01/2022 was removed correctly) so there seems to be another issue @David W
You will always have upwards of 3 days data even if you set retention to only 1 day.
Give the rebuild time.
In some cases the last few percent can take a long time.
If anything I would look for really old data that should have been cleared.
That is normally the cause of issues like that.
I tested MLFclean and it is working properly in my tests.
David Wilbur
I'm late to the party, the links don't work anymore. Dropbox still seems to work but I'd at least like to see checksums to verify before using those. Or do I have to wait until Thursday to be able to update?
@SonicAdmin80 Do you have a case open presently for this?
I would suggest opening one and we can work from there.
David Wilbur
@SonicAdmin80 I downloaded it via Dropbox and from the provided link in the KB-article. Both have the same MD5 checksum.
Looks like the article now says it should be released today, so I can wait since unjunking seems to still work.
The updates have been released. They are labeled as "32-bit upgrade" and "64-bit upgrade". Is there such a thing as 32-bit version? Shouldn't they be "64-bit new install" and "64-bit upgrade"?
@SonicAdmin80 Use the 64-bit upgrade file.
The other one is mislabeled and is the OVA file to deploy a new VA.
I informed Product Management about it already.
David Wilbur
@David W the official released Firmware is 10.0.15 and the pre-release is 10.0.14. I deployed 10.0.14 as a quick solution for my customers. Are there any changes in 10.0.15 (like an updated log4j 2.17.1) which makes another upgrade reasonable or can I stick with 10.0.14?
@BWC 10.0.15 is 10.0.14 with an auto searchdb rebuild function built in if the version is less than 10.0.14
Nothing else.
David Wilbur