XG log to Syslog Parser files

Hello everyone, 

I need some help about the send the firewall logs to a syslog server. Currently noted that the logs sended by Sophos XG on the syslog are stored in a single file named "SFW.LOG", this is a bit unproductive because it not parsed by module or features, (IPS log, Fw log, email log, VPN-SSL log, etc).

 

 

 

I configured some profiles to send the logs to the syslog server from sophos. 5 profiles with different logs to send, but it not works and it's stored in a single file as mentioned:

 

 

I've disabled the options because when it's enabled the single log file increase too much (in 10 min log increase about 3 GB.... )

 

Any ideas how can resolve this?.....

 

Best regards!

  • Siedhart,

    if you are running version 18, XG supports also RFC standard for syslog like Splunk.

    I am not sure if the logs are split into multiple files. I need to perform a test.

  • Hi  

    Have you confirmed if the XG is able to reach your syslog server you have set?

    Is it local to the XG?

    Does it have a route to it?

    You may need to enable SNAT rule for system generated traffic.  Please follow this KBA for the information:  https://community.sophos.com/kb/en-us/122999

    Thanks!

  • In reply to KingChris:

    Hello KingChris, this is not related to a communication problem between sophos and our Syslog server, the case is about why sophos is not sending the logs files separately, is only one file "SFW.LOG" with the entire logging and it increasing suprisingly fast!.

     

    We need a solution about how we can separate the logs by feature, a log for reverseproxy.log, firewall.log, ipsec.log, etc, etc....

     

    Waiting for replys

     

    Best regards!

  • In reply to Enz0h:

    Hi  

    Currently that is the way it works.

    If you would like the file to be shipped separately then you would have to open a feature request here: ideas.sophos.com.

    Thanks!