Logs

I've been a Sophos customer for years. Good, bad, and the ugly, I've always felt Sophos was top notch.

But lately, I stay more annoyed for one reason: LOGS. It's ridiculous that I can't see everything that Sophos AV and its products are doing. Now you're pushing EDR/MDR solutions, and the whole time I'm thinking: how can Sophos watch over my network when I can't even see what I need to see through logs?

Seriously, what is the one thing I will have to have in a threat response scenario? LOGS LOGS LOGS. The logs I have are crap! You block apps and I can't see what is blocked, period. Even on the home version that I can give my end users, logs are nonexistent. Apps are blocked, and until you make an exception you have no clue that Sophos or one of its products is blocking it.

You offer web filtering, but I can't even provide logs to my department heads in regard to end users' web browsing history.

With the money I have paid, and the money I have made for you through word of mouth (and yes, a good friend is a reseller and pushes your product regularly thanks to me), the least we should expect is good logs.

You have a good product! We need to know what it's doing and why it's doing it. That's not too much to ask.

Parents
  • Hi hitechgreg,

    Thanks for reaching out to us. Apologies for the frustrations you've experienced in getting access to the information you need; I'd like to help.

    A great example of the data that can be pulled from XDR is mentioned in the following query. You can find many others that go into more detail in our Live Discover & Response Query Forum. Those published by Karl Ackerman have quite a wealth of information in regards to threat hunting.
    - Device Activity (Multiple queries in one)

    Let me know if you can elaborate or provide an example on this comment:

    You block apps and i can't see what is blocked, period.


    If you have the Next Gen agent installed already, the logs in "SophosNetFilter.txt" will contain information on each website your end users have accessed.
    - C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.txt

    If you are looking for full logging of network activity that is remotely accessible, an XG device may be more effective, as Web Control will only report back on the sites that are blocked or those that generate warnings. It is also possible to use Live Discover to export the logs you need to a file share if a network firewall may not be ideal.

    Let me know if there are any other points you'd like to get more information on and I'll help you find solutions as best I can. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Thanks Qoosh, I sincerely appreciate your response.

    Central is a place where I should be able to see everything that's happening, as well as back track on the data/logs to review issues. My mindset with the Central product is one place to access information and settings, not only for endpoints but for servers, firewalls, and other offerings from Sophos. It's a great place to be able to do a lot quickly. Unfortunately, again, we go back to the logging aspect. If Central was developed to be a one-stop shop, then why wouldn't it be? (Maybe I think differently than the developers intended.) Why do I have to dig through my end users' ProgramData txt files to find the information that should be available? Also, you don't have access to that folder. Kind of like Microsoft's apps folder. Access DENIED :) I miss the old Web Appliance, where I could easily retrieve an end user's web history, or quickly find who's visiting adult sites. Now the only data I get is X hits to adult sites, but no clue who it was.

    As for apps being blocked, we've had to make allowances for scanning applications. We utilize Epson scanners to scan personnel files and other confidential info, which Sophos has ended up blocking. Applications that we use on a daily basis from vendors. These aren't popular programs like Adobe, granted. Programs like KACE, ArcGIS, and Digitech Systems we've had to make exceptions for. I've had to turn off Sophos temporarily to stop it from blocking a Crystal Report I was running. As long as Sophos was running, the report would crash and close. None of these create a log inside of Central. There is no pop-up saying the application was blocked. That'd be even better, to know quickly what's going on. At the very least, have logs in Central that tell me it was blocked and why.

    I just personally think that since this is supposed to be a security program, there should be logs.

    As for XG firewalls, we have a few in play, that and SGs. It still doesn't give me the whole picture that Central could (if they wanted to) on what the end user is doing with company equipment at home.

  • You can use the following command-line with the Tamper protection passcode to allow access to the directory.
    C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe -OverrideTPoff <passcode>

    Using the pre-built "Policy Violators" report is a good starting place to see which users have generated the most blocks. If you are looking for more detailed reports, I'd suggest using the "Events Report". 
    - Open Logs & Reports > Events
    - In the "Search" box on the top left filter based on user or device
    - Using the "Checked items" box, specify only "Web Control"
    - Click the "Update" button on the top right to apply your filters

    Another way you can get to this information relevant to a specific device is by going to the "Events" tab of the device in Sophos Central, then selecting "View Events Report".

    Exporting the full "Events" directly from the "Logs and Reports" section with only "Web Control" selected can also allow you to interact with the data in Excel to get the specific information you're looking for. If you do have suggestions on how the reports can be improved, I'd suggest submitting an idea on the following Feature Request/Ideas page.

    If you were looking for something more similar to a Web Appliance, utilizing an XG Firewall with STAS authentication will generate similar information that can be searched through. If your end users are working from home this may pose a problem unless all users are required to VPN into the corporate network and all traffic is routed through the VPN, which may not be ideal.

    For the application issues you've encountered, this typically has to do with Sophos adding an extra hop that the data needs to traverse before reaching the application. If Sophos were to have detected an operation as malicious, you will see an alert generated. Most vendors will have documentation on suggested exclusions to add to Antivirus applications for the best performance, which may help to avoid this.

    Hopefully some of this information helps. 

    Kushal Lakhan
    Team Lead, Global Community Support
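One way to turn the exported Events report described above into the per-user view the original poster is asking for, as an added example that is not Sophos's code and not part of this thread. The column names ("Event type", "User", "Device", "Details") and the event-type text are assumptions for illustration; check the header row of your own export and adjust the property names. The sample rows are constructed so the script runs offline; a real export is read with Import-Csv.

```powershell
# Added example (not Sophos's code, not from the thread): summarise Web Control
# events from a Sophos Central "Events" export so blocks can be attributed to a
# user rather than appearing only as a category total.
# ASSUMED column names: Date, Event type, User, Device, Details. Verify them
# against the header row of your export before use.

function Get-WebControlSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # rows from Import-Csv / ConvertFrom-Csv
        [string] $EventTypeFilter = 'Web Control'        # assumed prefix of the "Event type" column
    )

    $Events |
        Where-Object { $_.'Event type' -like "$EventTypeFilter*" } |
        Group-Object -Property User |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.Name
                Events  = $_.Count
                Devices = ($_.Group.Device  | Sort-Object -Unique) -join ', '
                # "Details" is assumed to carry the site and category text
                Sites   = ($_.Group.Details | Sort-Object -Unique) -join '; '
            }
        } |
        Sort-Object -Property Events -Descending
}

# Constructed sample rows standing in for an export. For a real file use:
#   $rows = Import-Csv -Path .\events.csv
$sample = @'
Date,Event type,User,Device,Details
2023-05-01 09:12,Web Control blocked,jsmith,LAPTOP-01,Blocked example.test (category: Adult)
2023-05-01 09:15,Web Control blocked,jsmith,LAPTOP-01,Blocked example.test (category: Adult)
2023-05-01 10:02,Web Control warned,adoe,DESKTOP-07,Warned about streaming.example (category: Streaming)
2023-05-01 10:30,Update succeeded,adoe,DESKTOP-07,Endpoint updated
'@
$rows = $sample | ConvertFrom-Csv

# Non-Web Control rows (the update event) are dropped; jsmith sorts first with 2 events.
Get-WebControlSummary -Events $rows | Format-Table -AutoSize
```

The filter keeps only rows whose event type starts with the assumed "Web Control" text, so the export can be taken with every event type selected and still reduced to web blocks and warnings; the grouping gives the "who" that the category totals in Central omit.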
  • "As long as Sophos was running, the report would crash and close"

    That doesn't seem like normal behaviour, and sounds like a bug in one application or another. It doesn't sound like something is "officially" being blocked here, so I'm not surprised if there isn't a log entry.

    There was this recent issue: A problem occurred when our devices received the latest update - Discussions - Intercept X Endpoint - Sophos Community. This caused Access 2003 a problem, and it would close. I just wonder if Access 2003 was the data source behind the Crystal Reports UI.