Both Sophos UTM and Sophos UTM Manager can integrate with third-party remote management and monitoring tools (RMMs). This integration allows you to:
This article focuses specifically on the RMMs offered by Kaseya, LabTech, and Level Platforms; however, the features and methods of integration used are not vendor-specific, so the instructions can also be applied to other vendors' RMMs if you are familiar with configuring those tools.
The emphasis of this article is on configuring SNMP traps and queries, email alerts, and Syslog within the UTM, and on providing some guidance and links to vendor documentation for the chosen RMMs.
Applies to the following Sophos product(s) and version(s): Sophos UTM, Sophos UTM Manager
SNMP can be divided into two categories: traps and queries.
SNMP traps are a very efficient integration tool. Events are sent directly from the UTM to the SNMP trap server. The only requirement is that UTM can communicate directly with the RMM. Events are sent in real-time, so there are no messaging delays, as might happen with email, or polling for status changes. All SNMP trap events are part of a private enterprise OID, so the RMM must be configured to recognize the alerts. This is usually done by importing the UTM’s MIB file into the RMM.
All SNMP traps are prefixed with the Sophos/Astaro IANA issued OID value:
The OID for notification events is:
There are four event type OIDs, based on event priority:
DEBUG = 0
INFO = 1
WARN = 2
CRIT = 3
Following the event type, the specific trap OID is given. For example, when a UTM is restarted, the trap INFO-000 is sent. The full OID of this event is:
A list of available UTM SNMP traps is given in the appendix section of this article under 'Available SNMP Traps', and may also be found and configured in the UTM WebAdmin under 'Management' | 'Notifications' | 'Notifications' tab.
Specifying an SNMP trap server on UTM is referred to as an SNMP trap sink. Multiple SNMP trap sinks may be configured in the UTM WebAdmin under 'Management' | 'SNMP' | 'Traps' tab.
When creating or editing an SNMP trap sink, you can specify the SNMP version, the target host address and the community name. SNMP traps are sent to the default SNMP trap port that the manager is listening on (i.e., 162).
SNMP queries allow the RMM to periodically query the status of one or more parameters on the UTM. For instance, querying OID 1.3.6.1.4.1.2021.10.1.3.1 will return the current CPU load average over the last minute. A list of common SNMP OIDs that are available on UTM is provided in the appendix section of this article under 'Useful SNMP Query OIDs'.
SNMP Queries may be configured with the WebAdmin under 'Management' | 'SNMP' | 'Query' tab.
Queries are read-only, and SNMP utilities are not permitted to write configuration back to the UTM. Access to the SNMP service should be restricted to trusted hosts or networks only. The UTM supports both the SNMPv2c and SNMPv3 protocols; if authenticated access is necessary, SNMPv3 should be selected. The device information section provides the device data that is offered via SNMP.
All alerts which can be sent via SNMP traps can also be sent via email. This is often useful for directly alerting admins to system events, but some RMMs allow monitoring of an email account, and generating tickets or alerts on incoming messages.
Incoming email alerts will contain the alert value (for further details see the appendix section of this article under 'Available SNMP Alerts') as well as a description of the alert, additional information such as system uptime, and any device-specific text, which has been configured on the UTM. It is useful to configure the 'Device Specific Text' field of the WebAdmin under 'Management' | 'Notifications' | 'Global' tab. This allows the source of the alert to be more easily distinguished.
When alert messages are sent, the subject will begin with the UTM's hostname, followed by the alert ID, and finally the alert message. It will look similar to this example:
[myUTMsHostname][INFO-000] System was restarted
The body of the message will contain information about the system load, uptime, and other details, which may be relevant to a problem report, similar to this example:
System was restarted Reason: (unknown) -- HA Status : CLUSTER WORKER (node id: 3) System Uptime : 0 days 0 hours 0 minutes System Load : 0.63 System Version : Sophos UTM 9.100-8 Please refer to the manual for detailed instructions.
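The subject and body layout described above is regular enough to parse automatically before handing an alert to an RMM. The following is an added example, not code from the article or from Sophos: it extracts the hostname, alert ID and severity from the subject, pulls the named fields out of the body (whether it arrives flattened on one line, as shown above, or one field per line), and applies an assumed ticket-or-log routing threshold.

```python
import re
from dataclasses import dataclass, field

# Severity prefixes and their numeric values as listed in the article.
SEVERITY = {"DEBUG": 0, "INFO": 1, "WARN": 2, "CRIT": 3}

# Subject layout from the article: [hostname][ALERT-ID] message
SUBJECT_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\]\[(?P<level>DEBUG|INFO|WARN|CRIT)-(?P<num>\d{3})\]\s*(?P<msg>.*)$"
)

# Body fields seen in the article's sample; a value runs until the next known field name.
_FIELDS = ("Reason", "HA Status", "System Uptime", "System Load", "System Version")
_ALT = "|".join(re.escape(f) for f in _FIELDS)
FIELD_RE = re.compile(
    rf"(?P<name>{_ALT})\s*:\s*(?P<value>.*?)"
    rf"(?=\s*(?:--\s*)?(?:{_ALT})\s*:|\s*Please refer|\s*$)",
    re.S,
)

@dataclass
class UtmAlert:
    host: str
    alert_id: str   # e.g. INFO-000
    severity: int   # 0..3 per SEVERITY
    message: str
    fields: dict = field(default_factory=dict)

def parse_notification(subject: str, body: str) -> UtmAlert:
    """Turn one UTM notification email into a structured alert record."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError(f"not a UTM notification subject: {subject!r}")
    found = {f.group("name"): f.group("value").strip() for f in FIELD_RE.finditer(body)}
    return UtmAlert(host=m.group("host"),
                    alert_id=f"{m.group('level')}-{m.group('num')}",
                    severity=SEVERITY[m.group("level")],
                    message=m.group("msg").strip(), fields=found)

def route(alert: UtmAlert, min_ticket_severity: int = SEVERITY["WARN"]) -> str:
    """Ticket WARN/CRIT, log INFO/DEBUG; the threshold is an assumption, not UTM's."""
    return "ticket" if alert.severity >= min_ticket_severity else "log"

# The article's sample subject and (flattened) body.
SAMPLE_SUBJECT = "[myUTMsHostname][INFO-000] System was restarted"
SAMPLE_BODY = ("System was restarted Reason: (unknown) -- HA Status : CLUSTER WORKER "
               "(node id: 3) System Uptime : 0 days 0 hours 0 minutes System Load : 0.63 "
               "System Version : Sophos UTM 9.100-8 Please refer to the manual for "
               "detailed instructions.")
```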
Email notifications are partially configured by the UTM during initial setup. When an administrator's email address is requested on first login, this address is used as the first recipient for all notifications.
As long as the UTM is able to successfully send SMTP messages, no further configuration may be necessary; however, it may be necessary to specify different recipients, or to specify the SMTP server and credentials to use when delivering messages. The recipients list may be configured in the WebAdmin under 'Management' | 'Notifications' | 'Global' tab.
Additional recipients may be added to the list, or existing recipients may be removed from the list on this screen. SMTP delivery options may be configured under 'Management' | 'Notifications' | 'Advanced' tab.
Note: If the UTM cannot find and use the correct SMTP server using DNS, then it may be necessary to specify the server explicitly on this screen. Options such as alternative ports, TLS, or authentication may also be enabled here, if required.
Both SNMP traps and email alerts use the same list of notifications. Alerts may be individually enabled or disabled for either SNMP or email. This configuration may be found in the WebAdmin under 'Management' | 'Notifications' | 'Notifications' tab.
Each notification is listed individually, within a number of notification groups. Each notification may be selectively enabled or disabled, per delivery method (email or SNMP) or the entire group may be similarly enabled or disabled at once.
Syslog messages are the most verbose source of information offered by UTM.
The vast majority of syslog messages are not suitable for alerting, however syslog messages are sent with a priority value, allowing only those of significant priority to generate alerts. Syslog priority values are as follows:
In most cases syslog messages with a severity of 'Warning' and above will be duplicated via SNMP. However, Syslog does allow detection of organization-specific concerns. For instance, a filter could be created to match whenever a specific user or IP accesses a specific web domain, or an alert could be generated whenever a user connects via VPN. This type of data may not normally represent an event significant enough to alert on, but it may be important to know immediately if an employee suspected of improper activity performs a specific task. This type of alert, and other non-standard alerts, may be possible using syslog data.
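The two kinds of syslog filtering described above, a severity threshold and organization-specific pattern rules, can be combined in a small rule evaluator. This is an added example, not code from the article or from Sophos: it decodes the standard syslog PRI field (facility * 8 + severity), fires on 'Warning' and above, and adds two assumed custom rules. The sample lines and their message formats are constructed and are not real UTM log output.

```python
import re
from collections import namedtuple

# RFC 5424 severity codes: 0 is most severe; PRI = facility * 8 + severity.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WARNING = 4  # article: alert on 'Warning' and above, i.e. severity <= 4

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
SyslogMsg = namedtuple("SyslogMsg", "facility severity text")

def parse_syslog(line):
    """Split the PRI field of a syslog line into facility and severity."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"missing PRI field: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMsg(pri // 8, pri % 8, m.group("rest").strip())

# Organization-specific rules in the spirit of the article's examples. The
# patterns are assumptions: check real message formats under
# 'Logging & Reporting' | 'View Log Files' before writing such rules.
WATCHED_USERS = {"jdoe"}
CUSTOM_RULES = [
    ("watched-user-web", re.compile(r'user="(?P<user>[^"]+)".*url="(?P<url>[^"]+)"')),
    ("vpn-connect", re.compile(r"(?i)\bvpn\b.*\bconnect")),
]

def evaluate(line, min_severity=WARNING):
    """Return the names of the alerts a single syslog line fires."""
    msg = parse_syslog(line)
    hits = []
    if msg.severity <= min_severity:
        hits.append(f"severity:{SEVERITY_NAMES[msg.severity]}")
    for name, pat in CUSTOM_RULES:
        m = pat.search(msg.text)
        if m and (name != "watched-user-web" or m.group("user") in WATCHED_USERS):
            hits.append(name)
    return hits

# Constructed sample lines (facility local4 = 20; message bodies are made up).
SAMPLES = [
    '<163>Jan  1 10:00:00 utm1 httpproxy: user="jdoe" url="http://example.test/" action="pass"',
    '<166>Jan  1 10:00:01 utm1 httpproxy: user="asmith" url="http://example.test/" action="pass"',
    '<164>Jan  1 10:00:02 utm1 ha: node 3 went to state WORKER',
    '<166>Jan  1 10:00:03 utm1 ssl-vpn: user jdoe VPN connection established',
]
```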
Syslog settings are configured in the WebAdmin under 'Logging & Reporting' | 'Log Settings' | 'Remote Syslog Server' tab.
On this tab multiple target syslog servers may be added, and logs may be sent to any TCP or UDP port (though most systems will default to UDP port 514).
If syslog messages cannot be delivered, they will be buffered and resent when possible. By default, up to 1000 logs will be buffered. This feature is most reliable when using TCP, as delivery failures are detected more accurately. When using UDP, a failure will only be detected if the target IP is online and able to respond with an ICMP (Internet Control Message Protocol) service unavailable message.
Once Syslog targets have been configured the logs to send via syslog must also be selected on the same screen. By default, none are selected. Select the desired logs, and click 'Apply'.
To determine which logs are desired, you can view complete log contents and watch logs in real-time, under 'Logging & Reporting' | 'View Log Files'.
Different RMMs offer different capabilities. The following table outlines what can be expected with each vendor’s tools.
*Kaseya's RMM offers a log parser, which is not a syslog collector. A separate syslog server would be required to accept and write logs to disk for monitoring by the log parser. Alternatively, Kaseya also offers a separate syslog monitor product, which can be configured to alert via email. This could be used to feed syslog alerts to Kaseya's email reader. **LabTech's ticket portal may be configured to create tickets directly from emails. Using this feature, alerts may directly create trouble tickets linked to customer accounts, provided that each UTM is configured with a unique 'Sender' email address as set under 'Management' | 'Notifications' | 'Global' tab.
RMM vendors typically offer multiple versions of their products, both as on-premise, and cloud hosted. Additionally, some RMMs may offer a free version of their product, which cannot perform some or all of the functions outlined above. With this in mind, the links below may not fully apply to the RMM being used in each case, despite having a similar name.
In the event that these links do not prove useful, it may be necessary to consult your RMM vendor for updated instructions.
A list of several useful queryable UTM SNMP OIDs is included in the 'Useful SNMP Query OIDs' section of the appendix document below.
Check the Kaseya website http://help.kaseya.com/ for items such as:
Note: Level Platforms knowledgebase may not be accessible without a valid site login.
The appendix information is available from the link below as a PDF document.