This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Pushing logs to AWS Cloudwatch logs

I have Sophos UTM 9, UTM on AWS, version 9.509-3. Deployment Type: Standalone

I am trying to find out how to enable the AWS Cloudwatch Log agent on the UTM device, but I can't find out how. Do you have any hists/articles to read?

I found these topics:

* https://community.sophos.com/products/unified-threat-management/f/utm-on-aws/84339/cloudwatch-logs-not-working however I can't find the "aws-scritpts-mon" dir

loginuser@sophos:/home/login > ls -l
total 0
or with sudo find / -iname "mon-*.pl"

* https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/sophos-utm-9-411-on-aws-release-notes says

Second, we've added all UTM logs to the CloudWatch Logs Agent, which provides an automated way to send log data to CloudWatch Logs.

but I can't understand if this is for the standalone version.

Regards

Vangelis

This thread was automatically locked due to age.

Parents

0 BAlfson over 5 years ago

Geiasou Vangelis and welcome to the UTM Community!

Thanks for your question, I didn't know that this had been added!

One possible issue might be that you configured your instance without an access key. Are those fields completed in 'Definitions & Users >> AWS Profiles'?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Vangelis Katsikaros over 5 years ago in reply to BAlfson
Hi Bob

Thanks for the prompt answer.

I noticed 2 things

Logging & Reporting -> Log Settings -> Cloudwatch, was not enabled at all. I was confused by the plain "Cloudwatch" I was expecting "Cloudwatch Logs". However, it says "All log files accessible via the Logging & Reporting section are uploaded to the Amazon CloudWatch service", so I guess this needs enabling.

As you mention "Definitions & Users -> AWS Profile" has aws keys fields, but I haven't filled them. This also needs filling

So, I followed the instructions in https://community.sophos.com/kb/en-us/127389 However I noticed the following issues:

When I reach in https://community.sophos.com/kb/en-us/127389 "Create the AWS Profile within UTM" -> "Navigate to AWS Management > Outbound Gateway." there is no "Outbound Gateway" page under my "AWS Management" page

This release note https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/sophos-utm-9-506-on-aws-release-notes says "Outbound Gateway" page was added on 9.506 but I am on version 9.509-3 so I would expect to see it

The suggested Cloudformation template refers only to "cloudwatch" actions and not as I expected "logs" actions (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html)

I admit I am a bit confused and I might be missing something basic.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Vangelis Katsikaros

I've barely played with this, Vangelis, so I only know to go one step at a time. When I created a UTM instance, I did not select to create a key pair, but I suspect that you cannot use CloudWatch if you didn't create the key pair when you launched the instance. What happens if you start over doing that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 5 years ago in reply to Vangelis Katsikaros

I've barely played with this, Vangelis, so I only know to go one step at a time. When I created a UTM instance, I did not select to create a key pair, but I suspect that you cannot use CloudWatch if you didn't create the key pair when you launched the instance. What happens if you start over doing that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data