Sophos Firewall log file rotation

This article was created with the help of a translation tool. Although we check the translation, errors in the content cannot be ruled out. Please bear this in mind when using the content. Thank you for your understanding.

Since SFOS 19.5.0 at the latest, the advanced shell offers the possibility to better customize the Sophos Firewall log file rotation (logrotation) according to your needs. This post explains the "how" and "where".

tested with SFOS 19.5.x to 21.0.x

Introduction

In version 19.5.0, some changes were made to the rotation of the log files. Unfortunately, I cannot say to what extent the Sophos Firewall log file rotation could be customized in previous releases. I prefer to run current versions and have therefore not looked closely at previous ones. However, as far as I am aware, this was not possible before (for an end user).

In this post I will show you where and how you can customize the configuration of the log file rotation. Feel free to try it out and share your experiences in the comments.

But first the obligatory notes:

The advanced shell should only be used and configured by experienced people. In particular, you should be familiar with the VI editor, as it has a syntax of its own (Help VI).
Incorrect use of the shell or incorrect configuration of the rotation can lead to undesirable side effects such as instability, crashes or full hard disks!
As always, configurations should be tested in advance in a test environment!
Always note how much memory you have available!

The "WHERE"

The configuration of the rotation is located in the directory "/static/logrotate". There are already two configurations in this directory. One file "big_logrotate.conf" and one file "small_logrotate.conf". As the name suggests, one file contains more data than the other.

The configuration is selected via a symlink "logrotate.conf" that points to one of the two configurations. You can therefore store several configurations and quickly switch back and forth by adjusting the link.

[Figure: Listing of the configuration files. Current configuration (symlink) = big_logrotate.conf]

The "HOW"

Basic

Mount file system write

Before making any changes, the file system must first be mounted for writing.

Advanced Shell - Mount file system read-write
mount -o remount,rw /

From now on you can create or edit new configurations.

Please mount the file system read-only again after completion and do not leave it in this state.

Advanced Shell - Mount file system read-only
mount -o remount,ro /

Create and edit your own configurations

You should always leave the original configurations as they are so that you have a way back.
Therefore, you first create a new configuration. Use the following command to copy the "big_logrotate.conf" to a new file - here: "my_config01.conf".
You can change the name of the target file as you wish.

Advanced Shell - Create new configuration
cp /static/logrotate/big_logrotate.conf /static/logrotate/my_config01.conf

The new configuration is now available in the "/static/logrotate" directory. You can edit the file as you wish using "vi". You will find a few hints on the settings below.

Please remember to mount the file system read-only again as described above!

Activate other configuration

A different configuration can be activated with the following command. However, first check in the directory which original configuration is active on your firewall with a "ls -ls /static/logrotate" so that you can switch back to the original at the end.

Advanced Shell: Apply other configuration
cd /static/logrotate
ln -sf /static/logrotate/my_config01.conf logrotate.conf

The command overwrites the existing symlink "logrotate.conf" with your new destination ("my_config01.conf").

The new configuration is now active. You don't need to do anything else here. In my tests, the new configuration was immediately active without restarting any services.

Please remember to mount the file system read-only again as described above!

Activate original configuration

The original configuration can be reactivated with the following command. If a different configuration was active, please replace "big_logrotate.conf" with the corresponding file.

Advanced Shell: Apply original configuration
cd /static/logrotate
ln -sf /static/logrotate/big_logrotate.conf logrotate.conf

Please remember to mount the file system read-only again as described above!

Adjustments to the configuration

In this block I will introduce you to a few customizations that you can use. The list is not complete, but in my opinion it is sufficient for the most important requirements. After all, it is only intended for troubleshooting.

How is the configuration structured

Global settings

There are a few global settings at the top of the configuration file:

  • compress
    Rotated files are compressed.
  • dateext
    Rotated files get a date appended to their name.
  • dateformat -%Y%m%d_%H%M%S
    The date format used in the names of the rotated files.
  • missingok
    If a log file does not exist, no error message is generated and processing continues.
  • copytruncate
    This option truncates the original log file after it has been copied. Normally the old log file is renamed and a new one is created. Do not remove this option, otherwise empty log files will be created!
  • rotate 2
    Number of versions retained including the current one. Here: 2

Dedicated settings per file

The dedicated settings are customizations for individual log files. The original files already contain several blocks that are structured as follows and are self-explanatory.

Make sure that you do not create multiple configurations for one and the same log file. If you make your own settings for a file in a separate block, please comment out the existing entry with '#'. Otherwise there may be undesirable side effects.

#128MB
"/log/reverseproxy.log"
/log/smtpd_main.log
{
    size 128M
    rotate 3
}
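
The copy, switch and switch-back steps above, together with the check against configuring the same log file twice, as an added example in shell functions (this is not code from the original post). It assumes the layout the post describes, /static/logrotate with big_logrotate.conf, small_logrotate.conf and the logrotate.conf symlink; LR_DIR, LR_REMOUNT and the lr_* function names are assumptions, and pointing the functions at a scratch directory lets you dry-run them away from the firewall.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the layout the post
# describes: /static/logrotate holding big_logrotate.conf, small_logrotate.conf
# and the logrotate.conf symlink. LR_DIR, LR_REMOUNT and the lr_* names are
# assumptions; pass a scratch directory instead of LR_DIR to dry-run them.
LR_DIR="${LR_DIR:-/static/logrotate}"

# Print the file the logrotate.conf symlink currently points to.
lr_current() {
    readlink "$1/logrotate.conf"
}

# Print log paths that appear in more than one block of a config (the
# "multiple configurations for one log file" case the post warns about).
# File lines start with '/' or '"'; commented-out lines ('#') never match.
lr_duplicates() {
    sed -n 's/^[[:space:]]*"\{0,1\}\(\/[^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" \
        | sort | uniq -d
}

# Create NAME as a copy of big_logrotate.conf; never overwrite an existing file,
# so the originals (and earlier custom configs) stay as a way back.
lr_new() {
    if [ -e "$1/$2" ]; then
        echo "$2 already exists, refusing to overwrite" >&2; return 1
    fi
    cp "$1/big_logrotate.conf" "$1/$2"
}

# Point logrotate.conf at NAME after checking it exists and has no duplicate
# file entries; prints the previous target so you can switch back later.
# With LR_REMOUNT=1 the change is wrapped in the rw/ro remount of /.
lr_activate() {
    dir="$1"; name="$2"
    if [ ! -f "$dir/$name" ] || [ "$name" = logrotate.conf ]; then
        echo "no usable config: $dir/$name" >&2; return 1
    fi
    dups=$(lr_duplicates "$dir/$name")
    if [ -n "$dups" ]; then
        echo "duplicate file entries in $name:" >&2; echo "$dups" >&2; return 1
    fi
    echo "previous configuration: $(lr_current "$dir")"
    if [ "${LR_REMOUNT:-0}" = 1 ]; then mount -o remount,rw /; fi
    ln -sf "$dir/$name" "$dir/logrotate.conf"
    if [ "${LR_REMOUNT:-0}" = 1 ]; then mount -o remount,ro /; fi
    echo "active configuration: $(lr_current "$dir")"
}

# Typical run on the firewall: LR_REMOUNT=1 lr_activate "$LR_DIR" my_config01.conf
```

If a logrotate binary is available on the system, `logrotate -d FILE` dry-runs a configuration without rotating anything and is a useful extra check before switching the symlink.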

Settings

Below you will find a few settings that you can set per block (and probably also globally - but I've never tested globally!).

  • size size
    Size of the file from which the log rotation should take effect. The second parameter is the desired size. Examples:
    • size 128M
    • size 50K
  • rotate count
    count as an integer specifies how many files are to be kept. If not set, the global value is used. The value includes the current log file.
  • delaycompress
    The rotated log file is only compressed from the next run if rotate is greater than 2. This means that the previous log file can still be read directly and does not have to be unpacked first.

Further settings can be looked up in the logrotate(8) man page on man7.org.
However, the above settings should be sufficient for most cases.

Have fun trying them out!
