
Log Viewer history

Log Viewer --> Authentication. I went to search for a user to find out when the last time they connected to the VPN was. When I enter the username, nothing comes up. I enter my username, and I do see about 4 entries only. It seems I only have logs for about the last 24 hours. Upon reading this article, I don't find much information about log retention other than when disk space starts filling up, it deletes logs in 50 MB chunks. So I'm guessing this person hasn't connected to the VPN in a few days, logs filled up, and there is no record of this user connecting to the VPN.

How can I set it up to either store more logs, or output to an external source so we actually have log history of.... the past?



This thread was automatically locked due to age.
  • You can have things logged in Sophos Central. Then log in to Sophos Central and go to Firewall Management > Report Generator and do a search with Log Subtype = Authentication. Set the columns with the icon in the upper right with the box and plus, to include Component User, etc. Set the query range for whatever Sophos Central can save -- I can only see 30 days but I think you can pay a fee to get a longer storage period. (The advantage of Sophos Central is that I think you get 30 days even if it's a LOT of data, rather than being limited at a storage capacity.)

  • Hi folks,

    CM is 7 days storage on the free account.

    Ian

  • Logviewer follows a different approach. It's database-based. It is lacking certain abilities, which are already addressed to be fixed in the future.

    For example, you cannot see how long the data is "there". On bigger appliances, it could be potentially only days / hours. 

    You cannot jump to a certain "point of time" either. 

    But Logviewer is something to "live debug" and not to "investigate later". What I mean by that, there are differences between logging and reporting. Reporting is something to answer "Who logged in the most in the last month?". Logging is something "Who is logged in now?".

  • xStream Protection is giving customers Central Orchestration as a subscription. Central Orchestration gives you 30 days. Therefore customers likely have 30 days anyway. 

  • Thanks everyone. I haven't registered my Sophos firewall to Sophos Central yet. Is it as simple as this video?: https://vimeo.com/330012130 When I do this, no settings will change on my XG firewall, correct? Just being extra cautious.