If you’ve ever had to replace a Sophos UTM appliance, you most probably lost all of your logs with it. Following these screenshots, you will be able to log on to your UTM 9.xxx appliance and back up all of the valuable information logged on the appliance’s internal storage.

First of all, you’ll need SSH access to your machine. On your WebAdmin dashboard, go to Management > System Settings > Shell Access and slide SSH Shell Access to ON. Set both your root and loginuser passwords accordingly and allow the network you are on. Further down the page, you need to allow password authentication and/or public key authentication if you are logging in as ‘root’. There is a workaround that gives ‘loginuser’ permission to copy logs, by typing the following commands through SSH:

# loginuser                       (log in over SSH as loginuser)
# su -                            (become root; enter the root password)
# usermod -a -G log loginuser     (add loginuser to the ‘log’ group that may read the logs, without dropping its other groups)
# exit

In this scenario, we are going to use public key authentication for root.

To generate a key, and to connect and download the needed logs, we first need to download and install WinSCP. Once we are all set, on the WinSCP main tab, go to Tools (at the bottom) and run PuTTYgen. Click on Generate and move the mouse within the grey area of the window to generate a strong random key.

SSH-2 RSA Key

Once it is done, select the entire contents of the Public key box and copy it for pasting into the UTM’s Authorized Keys for root window.

Copied key

Copy Key for pasting into the UTM

To do so, click the ‘+’ sign under Authentication (for root, not loginuser), paste the copied key and save by clicking ‘Apply’.

UTM 9.xxx SSH RSA Key

Back in the PuTTY Key Generator, save your newly created private key for use with your connection. Add a passphrase to protect the key from future misuse, and store it in a safe place.

On the initial window of WinSCP, add a new connection to your UTM and save it. Don’t forget to replace the loginuser user name with root.

SCP add connection to UTM

Before opening your connection, you will need to add the key that was generated earlier.

Go to ‘Advanced’ and, under SSH > Authentication, add the private key file that was saved earlier, then save.

Adding the Key file to UTM SCP connection

Again, make sure you are using the “root” user name. Only if you are not accessing with the SSH RSA key should you use the “loginuser” account, having previously elevated its rights as shown above. If requested, type in the passphrase of the key you generated. Once the connection is established, navigate through the screens below in order to reach the ‘log’ folder of your UTM appliance and copy what you need.

Connection to your UTM with root and private key

/root

/var

/log

All your UTM logs are here

Make sure you have enough free space on your local drive before copying the logs from your UTM appliance. Depending on the ‘history’ of logs kept, these might amount to several gigabytes.
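The same copy can be scripted from a Linux or macOS workstation with OpenSSH, using the root key set up above. This is an added example, not part of the original post: it assumes a hypothetical host name and key path (set via UTM_HOST and KEY_FILE), and that the PuTTYgen key was exported in OpenSSH format (Conversions > Export OpenSSH key), since OpenSSH does not read .ppk files. It asks the UTM for the size of /var/log and refuses to start unless the destination has at least that much free space.

```shell
#!/bin/sh
# Added example (not from the original post): pull /var/log from a Sophos UTM
# over SSH with the root key, after checking local free space first.
UTM_HOST="${UTM_HOST:-utm.example.internal}"      # placeholder host name
KEY_FILE="${KEY_FILE:-$HOME/.ssh/utm_root_key}"   # OpenSSH-format private key
DEST="${DEST:-./utm-logs}"                        # local destination folder

# Free kilobytes on the filesystem that holds directory $1 (POSIX df output).
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Succeed only if directory $1 has at least $2 kilobytes free.
has_space() {
    [ "$(free_kb "$1")" -ge "$2" ]
}

# Size of the UTM's log tree in kilobytes, as reported by the appliance itself.
remote_log_kb() {
    ssh -i "$KEY_FILE" "root@$UTM_HOST" "du -sk /var/log | cut -f1"
}

# Copy the whole log tree, keeping timestamps (-p) and compressing in transit (-C).
backup_logs() {
    mkdir -p "$DEST" || return 1
    need=$(remote_log_kb) || return 1
    [ -n "$need" ] || { echo "could not determine remote log size" >&2; return 1; }
    if ! has_space "$DEST" "$need"; then
        echo "need at least ${need} KB free in $DEST, refusing to start" >&2
        return 1
    fi
    scp -C -p -r -i "$KEY_FILE" "root@$UTM_HOST:/var/log/." "$DEST/"
}

# Run the backup only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    backup_logs
fi
```

Run it as `UTM_HOST=<your UTM> KEY_FILE=<exported key> ./utm-logs.sh --run`; the space check stops it before a partial copy fills the local disk.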

Copyright 2017, TresW