AUDIT LOGS FOR DELETED RECORD

Question

Hi 
 I'm using Sophos XG version SFOS 17.5.5 MR-5 and need to get users accessing the Internet in the past 30 days, however, when I checked in specific days under custom report there are no records found. 
 Please let me know 
 1. how do I get audit for user deleted the logs if any 
 2. How do I track what happens for the missing record 
 3. Will the missing record be recovered 
 Thanks in advance for your support.

Keyur · Answer

Hi Mabule 
 Please make sure that in the firewall rules used for Internet traffic in LAN to WAN or DMZ to WAN or any custom zone to WAN, "Log firewall" option is enabled and you have applied at least "Allow All" Web and application filter policy on the firewall rule to get reports in "Reports". 
 Enable Local Logging Go to Configure > System Services > Log Settings and select the checkbox 
 Log Type (System) to enable local logging. We recommend you enable logging for all modules. 
 How to troubleshoot on-box reporting issues- https://community.sophos.com/kb/en-us/123209 Please refer to the article- https://docs.sophos.com/nsg/sophos-firewall/v17.1.0/PDF/Sophos%20XG%20Firewall%20Reports%20Guide.pdf

Vishal_R · Answer

Hi Mabule 
 XG will preserve historical logs based on below settings defined under XG. 
 Step 2: Check the Log Retention Period under Data Management 
 https://community.sophos.com/kb/en-us/123211 
 Sophos XG Firewall: How to view Web Surfing Reports for a user 
 https://community.sophos.com/kb/en-us/123214 
 However if there is any mis-configuration of rule present where traffic is going from plan rule with no policy and scanning on that rule then also you will not able to see any activity reports. Sophos XG Firewall: How to troubleshoot on-box reporting issues https://community.sophos.com/kb/en-us/123209 You may refer above KBA to verify the reports on appliance and some of the pre-requisite which needed to be set on to generate the report.