Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 27 subscribers
  • Views 1644 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Large log files with only ip instead of visited URLs in log files

Ramin Nodehi

Hello every one.

I had TMG2010 for about 7 years in my network. I could get any report from third party software such as sawmill,webspy,fastvue,manageengine firewall analyzer from TMG2010 wc3 log files format. Then i replaced TMG2010 with a sophos xg 450. It works good except in logging and reporting! When i had TMG2010 , for about 800 users i had 5-7GB log files per day but when i send sophos xg logs via syslog to a syslog server such as kiwi syslog server(only users web activities and IPS logs), i get 25-30GB log files per day! It's very awful to save such a large log files for about 3 months. Is there any good software to get and save detailed report from sophos xg logs about user activities? Does iView or any other software can do logging and reporting very well for sophos? I tested fastvue for sophos, but it  is not a complete solution, for example i couldn't get who used RDP protocol.

Also another problem that i have is this: When i had TMG2010 in my network, because it was in proxy mode, so i could get users reports based on visited URLs. But because sophos is not configured in proxy mode and users first query dns servers, then in sophos xg we have only IPs instead of URLs for users. For example : userA visited this IP, but what URL is being assigned to this IP is not clear. How can i solve this problem too?

Thanks for any help.



This thread was automatically locked due to age.
  • 0 in reply to Keyur

    Hello,

    Thanks for your reply . I'm downloading iView, I'll install and use it.

    But about my second question: With sophos installed in non-proxy mode , does the URL problem solve with iView ?

  • 0 in reply to Ramin Nodehi

    Hi,

    what do you mean proxy mode. The XG proxy is transparent as well as full proxy and can work in both modes simultaneously.

    You implement by turning on http and https scanning in your firewall rules, without them the sites will not be classified.

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    The exact problem is this :

    Every time we set the proxy address in user browser or in their applications, then we can see the URLs such as sophos.com in the log files for that user.

    But when we don't  set proxy in any application then this scenario happens : the user requests sophos.com, then user computer queries the dns servers of it's network settings and gets the ip address of sophos.com, in the following it requests through it's gateway (sophos xg)  the ip address of sophos.com  and what happens ? only the ip address of visited web site is saved in log files. So you can get reports for users based on only the ip addresses of visited web sites not the URLs.

    I can solve the problem by using full proxy but i don't want this solution.

    I hope i have said  what I mean.

    Best Regards.

    Ramin

  • 0 in reply to Ramin Nodehi

    Hi,

    you can use transparent proxy, but to get eh URL to appear in the reports you will need to implement https scanning which will mean installing the XG CA on every device.

    One thing I missed is what is your DNS, the XG or your server? Does the DNS point at the XG eg is the XG part of the name resolution?

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    In my network i have zone and core switches, and the sophos xg is the last hop in my network for getting to internet. In sophos i use nat to route users traffic to internet.

    But about the DNS : because i have Active Directory so i use local dns servers for users, and in the dns servers i set forwarder to sophos xg for internet domain names. So sophos do  all external name resolutions for internal users.

    A question for iView: can iView cross check dns queries of a specific user with the IPs of visited web sites that have been saved in log files and after matching , report user activity based on URLs not IPs? 

    Ramin

  • 0 in reply to Ramin Nodehi

    Hi,

    have you had a look at the logviewer -> web report that shows I think what you are after, but I don't know how to extract that so you can generate your own reports?

    Ian

    I just had a look and you can export the report by setting how long you wan the report to show results.