All log files description/documentation?

Firmware version: 9.510-5
Pattern version: 152614

Hello,

I'm looking for the complete description of the various log files that exist in Sophos UTM 9.5.

I mean the exhaustive list of fields in each log (https://community.sophos.com/kb/en-us/126825), the possible values of these fields, and the meaning of these fields/values...

I've done some research already on this community site and only found this KB for the HTTP log file (of version 9.4, which seems to have changed a bit in 9.5) --> https://community.sophos.com/kb/en-us/126660

Any ideas where I could find this information for all other files?

Thank you and best regards.



  • There is no such document, and it probably cannot be written.

    Some files are consistently structured, but others have a mixture of Sophos-standard data and unstructured output from the underlying software layer.

    Some logs have so little content and so little structure that a visual review is sufficient. For example, there is a log for the config daemon that I give no attention at all.

    The webfilter file is consistent, with one entry for each web request, except for the occasional URID entry which seems to be from something related to DNS, but not important. Webfilter has occasional continuation lines that need to be merged.

    The WAF log was extraordinarily difficult to parse, because it mixes Sophos and OWASP entries, which have very different formats. Continuation lines are common, making things even harder.

    Most logs have one entry per event, but the SMTP log has a record of all of the chatter from the SMTP proxy. As a result, I had to combine multiple entries to identify the whole flow from beginning to end.

    I have email notification enabled, so I find out about login failures that trigger break-in evasion without needing to parse the log files.

    PCI DSS and other standards require system administrators to know and act on whatever data is available in log files. The only way I could do this was to build tools to parse the logs into SQL data tables. In the process, I learned what was in the files. I wrote up a description of my parsing technique, including all of the working code for the easiest tables. It appears in a post at the top of the Management And Reporting section.

    The complicated files are not included to avoid making things overwhelming, and because I was still refining some of it. I'll provide code for the other files on request, but have had very few requests (two so far). So I guess Sophos is correct in assuming that most system administrators have minimal interest in log analysis.

    Others have asked questions for sample code to load the logs into their SIEM, but I have not seen anyone post success stories for those requests.
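The answer above describes the three things a UTM log parser has to cope with: the Sophos-standard `key="value"` body, continuation lines that must be merged back into their entry, and unstructured output from the underlying daemon that carries no fields at all. The following is an added example (my own code, not the responder's published parser and not anything shipped by Sophos) showing one way to parse such entries into SQLite tables so that they can be queried, which is the approach the answer recommends. The header layout `YYYY:MM:DD-HH:MM:SS host process[pid]: key="value" ...` follows the structure documented in the KB article the question links; the sample lines are constructed to match that layout and are not real log output, and the continuation rule (a physical line without a timestamp header belongs to the preceding entry and is appended with no separator) is an assumption, not a documented Sophos behaviour.

```python
import json
import re
import sqlite3

# Header of a Sophos UTM log entry: "YYYY:MM:DD-HH:MM:SS host process[pid]: body"
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$'
)
# Sophos-standard body: space-separated key="value" pairs (values may contain spaces).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Columns kept as real SQL columns; every other key="value" pair is stored as JSON in "extra".
COLUMNS = ("ts", "host", "proc", "pid", "severity", "sys", "sub", "name",
           "action", "srcip", "dstip", "user", "statuscode", "url")

# Constructed sample laid out like UTM webfilter/confd entries (not real log output).
# Entry 2 is wrapped onto a second physical line inside its url value (assumed format).
SAMPLE_LOG = """\
2019:03:04-10:15:02 utm httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.10" dstip="198.51.100.20" user="" statuscode="200" url="http://example.com/index.html"
2019:03:04-10:15:03 utm httpproxy[4711]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.0.2.11" dstip="198.51.100.21" user="" statuscode="403" url="http://example.net/a/very/long/path/that/wrapped
/onto/a/second/line"
2019:03:04-10:15:04 utm confd[1234]: free-form text from the underlying daemon with no structured fields
"""


def merge_continuations(lines):
    """Yield one logical entry per header line. A line that does not start with a
    timestamp header is assumed to continue the previous entry and is appended to it
    with no separator (assumption about how wrapped entries appear in the file)."""
    current = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        if HEADER_RE.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += line.strip()
        else:
            yield line  # orphan fragment before the first header: keep it, do not drop it
    if current is not None:
        yield current


def parse_entry(entry):
    """Return header fields plus key="value" fields as a dict, or None when the entry
    carries no Sophos-standard fields (unstructured daemon output)."""
    m = HEADER_RE.match(entry)
    if not m:
        return None
    rec = m.groupdict()
    fields = dict(KV_RE.findall(rec.pop("body")))
    if not fields:
        return None
    rec.update(fields)
    return rec


def load_into_sqlite(lines, conn=None):
    """Parse entries into an "entries" table; keep anything unparseable in "unparsed"
    so nothing is silently lost. Returns (conn, parsed_count, unparsed_count)."""
    conn = conn or sqlite3.connect(":memory:")
    cols = ", ".join(f'"{c}" TEXT' for c in COLUMNS)
    conn.execute(f'CREATE TABLE IF NOT EXISTS entries ({cols}, "extra" TEXT)')
    conn.execute('CREATE TABLE IF NOT EXISTS unparsed ("line" TEXT)')
    placeholders = ", ".join("?" * (len(COLUMNS) + 1))
    parsed = unparsed = 0
    for entry in merge_continuations(lines):
        rec = parse_entry(entry)
        if rec is None:
            conn.execute("INSERT INTO unparsed VALUES (?)", (entry,))
            unparsed += 1
            continue
        row = [rec.pop(c, None) for c in COLUMNS]
        row.append(json.dumps(rec, sort_keys=True))  # leftover fields, e.g. id, method
        conn.execute(f"INSERT INTO entries VALUES ({placeholders})", row)
        parsed += 1
    conn.commit()
    return conn, parsed, unparsed


def blocked_requests(conn):
    """Acting on the data once it is in SQL: list every blocked web request."""
    cur = conn.execute(
        'SELECT srcip, url FROM entries WHERE "action" = \'block\' ORDER BY ts')
    return cur.fetchall()


if __name__ == "__main__":
    db, ok, raw = load_into_sqlite(SAMPLE_LOG.splitlines())
    print(f"parsed={ok} unparsed={raw}")
    for srcip, url in blocked_requests(db):
        print(f"blocked {srcip} -> {url}")
```

Keeping an `unparsed` table alongside `entries` matters for the compliance point the answer makes: a parser that drops whatever it cannot decode (the WAF's OWASP-format lines, raw daemon output) quietly hides exactly the data an administrator is expected to review, so the row count of that table is worth watching as the format drifts between firmware versions.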
