Firewall logs

Hello,

I'm having difficulty trying to understand how you obtain detailed firewall logs. I've read many articles and even contacted support, and it appears what I'm asking for is impossible, which I find difficult to believe.

So my situation.

We believe we had a breach a few days back and wanted to view the firewall logs in order to see traffic coming into the Sophos XG, where it came from and which internal system it went to. Pretty straightforward, I assumed. We have the option ticked for Log Firewall Traffic but are unable to find where this log data is stored. The logs within /log do not hold the information according to Sophos Support, who suggested I use the GUI Log Viewer. When I go there I see entries, but when I click export it only gives me 5 mins of data even though I set the filter to all time.

I'm obviously missing something. I can't believe a security appliance like the XG doesn't have this readily available.

Any and all help appreciated.

  • XG stores two (three) different kinds of logs.

    One is the Log Viewer database. It is some sort of syslog database (not a log file), which gets generated and is viewable for the administrator. You can sort and filter in the Log Viewer with the plain-text filter option. For example, you could simply put the date of the breach into the Log Viewer and it will sum up all events with this date, readable for you.

    Another database is the Reporting database. This is generated in the Report section of XG Firewall. It is its own section of reporting and has a separate database. You can sort by date etc.

    https://community.sophos.com/kb/en-us/123214

    Another database would be Central Reporting (free version for 7 days).

    https://www.sophos.com/en-us/products/next-gen-firewall/central-reporting.aspx

    There you have all sorts of reports and filter queries available.

    You could additionally work with a SIEM solution and post all log data to a SIEM.

    XG stores some logs in the /log/ partition.

    https://community.sophos.com/kb/en-us/123185

    https://community.sophos.com/kb/en-us/132211

  • Thanks for the info. I'll take a look.

    Question. Is there any way to get a CSV file of the entire database entries? I'd like to download and export the log data so that I can view it outside of Sophos XG, within Excel for example.
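The earlier reply suggests forwarding all log data to a SIEM, and the question above asks for a CSV export of the whole history so it can be examined in Excel. The script below is an added example, not code from Sophos or from anyone in this thread: it assumes the firewall's syslog output is in the key=value style (quoted values may contain spaces, empty values appear as `""`), which is an assumption about the format rather than something this thread confirms, parses a constructed sample of three events, filters by date range, and writes the fields an investigator usually wants first to CSV. Once syslog is shipped to a collector you hold the full history yourself, so the Log Viewer's short export window no longer limits the investigation.

```python
"""Convert key=value firewall syslog lines into CSV and pull out the events
an incident responder asks about first (who talked to a given internal host).

Added example; the key=value line format is an assumption, and the sample
events below are constructed, not real firewall data.
"""
import csv
import io
import re

# key=value pairs: value is either double-quoted (may be empty or contain
# spaces) or a bare token with no whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample export (three events, documentation-range addresses).
SAMPLE_LOG = """\
device="SFW" date=2023-05-10 time=09:12:44 timezone="BST" device_name="XG115W" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=2 src_ip=203.0.113.7 dst_ip=192.168.10.25 protocol="TCP" src_port=51234 dst_port=443 in_interface="Port2" out_interface="Port1"
device="SFW" date=2023-05-10 time=09:13:01 timezone="BST" device_name="XG115W" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=198.51.100.44 dst_ip=192.168.10.25 protocol="TCP" src_port=40001 dst_port=3389 in_interface="Port2" out_interface=""
device="SFW" date=2023-05-11 time=02:03:15 timezone="BST" device_name="XG115W" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=3 src_ip=192.168.10.25 dst_ip=203.0.113.7 protocol="UDP" src_port=5353 dst_port=53 in_interface="Port1" out_interface="Port2"
"""

# Columns exported to CSV, in the order an analyst reads them.
FIELDS = ["date", "time", "log_subtype", "status", "fw_rule_id",
          "src_ip", "src_port", "dst_ip", "dst_port", "protocol",
          "in_interface", "out_interface"]


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; an empty quoted value becomes ''."""
    rec = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def parse_log(text: str) -> list:
    """Parse every non-blank line of a syslog export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_by_date(records: list, start: str, end: str) -> list:
    """Keep records whose ISO date (YYYY-MM-DD) lies in [start, end] inclusive.

    ISO dates compare correctly as strings, so no datetime parsing is needed;
    records with a missing or malformed date are skipped, not fatal.
    """
    return [r for r in records
            if len(r.get("date", "")) == 10 and start <= r["date"] <= end]


def to_csv(records: list, fields: list = FIELDS) -> str:
    """Render the selected fields as CSV text ready for Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for r in records:
        writer.writerow(r)
    return buf.getvalue()


def sources_talking_to(records: list, host_ip: str) -> list:
    """Distinct source addresses that had traffic destined for host_ip."""
    return sorted({r["src_ip"] for r in records if r.get("dst_ip") == host_ip})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    one_day = filter_by_date(events, "2023-05-10", "2023-05-10")
    print(to_csv(one_day))
    print(sources_talking_to(events, "192.168.10.25"))
```

Point a real export at `parse_log` instead of `SAMPLE_LOG` (read the file and pass its contents); because the CSV writer ignores keys outside `FIELDS`, extra fields in the log lines do not break the export, and adding a column is just a matter of extending the list.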

  • Hi

    While waiting for a detailed answer, why not try the CM/CFR free version, which will give you visibility for 7 days of data? The information is more detailed than XG reports, and there is still plenty of room for Sophos to improve this with feedback from real users.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
