Hi, everyone. I'm trying to export the results of a firewall web usage report that I created on Sophos Central. I need to export the last 24 hours of events to a CSV file. But when selecting that timeframe, the resulting file doesn't contain all the events because of the 100k export limit. Based on my testing, I'd need to create 48 30-minute reports to get all the data. So my question is, is there a way to export more than 100k events? Maybe use the APIs to get the data and send it to another place?
Thanks.
Hi SI,
Thanks for reaching out to the Sophos Community Forum.
The SIEM Integration API can be used for this purpose; however, there is a limit to the number of events you can return per API call. In general, it is best to have this set up with your SIEM system so that queries are run periodically over time to replicate the event data stored in Sophos Central.
The maximum number of items that can be returned per query is 1000.
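
An added example, not part of the original posts and not Sophos code: a sketch of the periodic, paged pull described in the reply above, requesting 1000 items per query and following a cursor until the API reports no more data. The response field names (`items`, `has_more`, `next_cursor`), the event keys, and the `fetch_page` callable are assumptions to check against the SIEM Integration API documentation; the fake API and its events are constructed so the block runs offline.

```python
import csv
import io

PAGE_LIMIT = 1000  # maximum items per query, as stated in the reply above


def drain_events(fetch_page, cursor=None, max_pages=500):
    """Follow the cursor until the API reports no more data.

    fetch_page(cursor, limit) is a hypothetical callable wrapping the HTTP
    request; it returns a dict with the assumed keys 'items', 'has_more'
    and 'next_cursor'. Returns (events, last_cursor) so that a scheduled
    job can store last_cursor and resume from it on the next run.
    """
    events, seen = [], set()
    for _ in range(max_pages):  # hard stop in case has_more never clears
        page = fetch_page(cursor, PAGE_LIMIT)
        for ev in page["items"]:
            if ev["id"] not in seen:  # drop duplicates across pages
                seen.add(ev["id"])
                events.append(ev)
        cursor = page.get("next_cursor", cursor)
        if not page.get("has_more"):
            break
    return events, cursor


def to_csv(events, fields):
    """Serialize the selected fields of each event to CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


def make_fake_api(total):
    """Constructed stand-in for the real endpoint, serving `total` events."""
    data = [{"id": f"ev-{i}", "when": f"t{i}", "type": "Event::Constructed"}
            for i in range(total)]
    calls = []

    def fetch_page(cursor, limit):
        calls.append((cursor, limit))
        start = int(cursor or 0)
        chunk = data[start:start + limit]
        end = start + len(chunk)
        return {"items": chunk, "has_more": end < total, "next_cursor": str(end)}

    return fetch_page, calls
```

Persisting the returned cursor between scheduled runs lets each run pick up only the events that arrived since the previous one, rather than re-requesting the whole window.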