We'd love to hear about it! Click here to go to the product suggestion community
Sophos UTM 9, I am forwarding logs via syslog to ELK, the problem I have is that Application Control logs are only being forwarded one way (internal > external) but not the other way around.
This becomes very clear when I create some charts to calculate the total bandwidth consumed by each application using the "length" field and so the totals are not relevant by any means.
Under the Web Protection, It's reflected accurately though so I am not sure what the source of the problem here is.
Already have an Application Control rule at the bottom to "Allow all and log".
I already checked the "Application Control" under syslog so that's not the issue.
With "Application Control" it's the same as "firewall Packet filter" ... you see, controll (and log) the initial packets only.
It's not usable to calculate the total amount of data.
In reply to dirkkotte:
Thanks Dirk for your response, to me this is a bit of a surprise because with the Web Filter, I am able to use the "size" field to calculate accurately the bandwidth usage of each domain/web app.
There is no way whatsoever to do it in Application Control it seems...
Hala Mohamed and welcome to the UTM Community!
I don't know how to do it with ELK, but you can get application volumes using the 'Bandwidth Usage' tab in 'Logging & Reporting >> Network Usage'.
Cheers - Bob
In reply to BAlfson:
Hala Bob, the expert and top contributor :)
Thank you, I'm aware of that but the main reason why I wanted to do it via ELK is because I setup some alerts when bandwidth usage exceeds a certain threshold for specific apps or specific IPs which is working very fine with httpproxy.
Other apps that are not httpproxy do not trigger any alerts.