Sophos Firewall reverseproxy.log analysis script

English translations

This post was translated with the help of a translation tool. Therefore, occasional errors are possible. An error-free version is available in German

This page is also available in: Deutsch (German)

A Sophos Firewall reverseproxy.log analysis script which helps to analyze errors and find thread IDs in the reverseproxy.log file. The thread IDs found are displayed in a quickly readable format.

tested with SFOS 19.5.x to 20.0.x

Introduction

Anyone who has ever set up a WAF on the Sophos firewall will know that finding thread IDs is extremely tedious. As I regularly configure WAFs for my customers, the collection of shell commands in my collection was getting longer and longer. A more practical solution was needed. Especially as the output was still difficult to read. From this, the Sophos Firewall reverseproxy.log analysis script offered here was born.

Read on and find out what the script can – or cannot – do.

Have fun analyzing! 😀

Attention

This script does not make any changes to the system. However, as always, caution is advised when using the shell. If you have no experience in using the shell, please ask for support here in the comments or contact your Sophos partner.
We assume no responsibility for errors that may occur when using the script. Use at your own risk and should always be done in a test environment first.

Requirements

The following requirements must be met in order to use the script:

  • SFOS 19.5.0 to 20.0.x (earlier and later versions may need to be tested)
  • Shell access to the firewall
  • Basic knowledge of using the shell

What can the script (not) do?

What is possible?

The script can evaluate the following information and display it in a readable format:

  • List thread IDs for current events
  • List thread ID’s for past events
  • List how often thread ID’s have been logged
  • Filter by FQDN and/or source IP
  • List all entries with error or warning with blank line between entries
  • Combinations of the listed functions

What is not possible?

The script cannot do the following:

  • Display all fields of a log entry legibly
  • Evaluate all errors. The focus is on the thread IDs
  • Guarantee that the output is always readable. As the variations of the entries are very diverse, it may not be possible to display every line in a readable format.
  • Guarantee that the output of the thread IDs is complete
  • Guarantee that there are no other errors which are simply not displayed

Usage / parameters

The script can be controlled via several parameters. In general, the script is started as follows if it is located in the /tmp directory.

Advanced Shell – Starting the Script
sh /tmp/waf_analyzer.sh

Without parameters, the file “/log/reverseproxy.log” is evaluated and the thread IDs are displayed live. There is no filtering according to the client IP or the server FQDN.

Parameter

-h

Displays help on the parameters.

-c 169.254.254.254

Filters according to the source IP address and only outputs matching lines.
The parameter is optional.

-d demo.it-tech.wiki

Filters by FQDN of the WAF and only outputs matching lines.
Upper and lower case is not important.
It is also possible to search only for parts of the FQDN. E.G.: -d it-tech
The parameter is optional – but mandatory for “-s”.

-q history

Instead of new data (live), the old data can be displayed.
The parameter is optional and can be combined with “-t”. If “-t” is not specified, “-t lasthour” is set.

-t lasthour

Possible values are:
– “lasthour” = the last 60-120 minutes (depending on the current time)
– “today” = everything from the current day
– “yesterday” = everything from yesterday
– “all” = all data contained in the log file
The parameter is required for “-q history”. If it is not set, “lasthour” is set.
Can be combined with all parameters.

s

Displays the frequency of occurrence of thread IDs in the time period of the “-t” parameter. If -t is not set, “lasthour is set”.
The parameter “-d domain” is also required.
The parameter is optional.

-e

This parameter is not used to evaluate the thread IDs. All lines containing the word “error” or “warning” are output. An empty line is output between the entries for better readability.
Can be combined with -c, -d, -q, -t
The parameter is optional.

-f /tmp/otherlog.log

If a log file other than “/log/reverseproxy.log” is to be used, this can be set with this parameter.
The parameter is optional.

-r

By default, the script outputs a small summary of the parameters and the command line to be executed before execution and then starts after 5 seconds.
With -r this is skipped and the output starts directly.
The parameter is optional.

Screenshots

Sophos Firewall reverseproxy.log analysis script
Display of help
Sophos Firewall reverseproxy.log analysis script
Listing of thread IDs
Sophos Firewall reverseproxy.log analysis script
Display error
Sophos Firewall reverseproxy.log analysis script
Counter thread IDs

Installation

Direct download

The easiest way is to call the following command on the advanced shell. The “Installer” loads the current version into the /tmp directory and renames any old versions of the script. The script can then be used directly.

Advanced Shell – Install Script on Firewall
curl -L -s -o /tmp/install_waf_analyzer.sh  https://it-tech.wiki/wafinstaller && sh /tmp/install_waf_analyzer.sh && rm /tmp/install_waf_analyzer.sh

Manual upload

If you prefer to load the script manually onto the firewall, you can download it here and place it on the firewall yourself.

Download

waf_analyzer.sh (Version: 0.7)
13.07 KB

For example, tools such as WinSCP can be used to upload to the Sophos Firewall.

Questions

  • Does the script make changes to the firewall?
    No, the script only reads the lines of the log file and outputs the results directly to the shell. No files in the system are changed.As the script can be read in plain text, you are welcome to check this.
  • I have found an error. Where can I report it?
    You can report errors using the contact form or in the comments.
  • How do I remove the script from the system?
    Simply delete the file waf_analyzer_X.X.sh in the /tmp directory. For example: rm /tmp/waf_analyzer_0.7.sh
  • I have a request for the script. Where can I report it?
    You can report errors via the contact form or in the comments.

Copyright

Sharing the files is permitted. A reference to the IT-Tech.wiki website would be nice.

Public provision on other web servers is not permitted! Please ask if required.

Leave a Reply

Your email address will not be published. Required fields are marked *


WordPress Cookie Plugin by Real Cookie Banner