Firewall logs - where?

Log Viewer > Firewall goes back by 10 days or so. I need to retrieve Firewall logs for a period of 2 weeks starting 20 days ago.

I've learned that XG(S) do not store log files for Firewall rules.

From other posts I've also learned that I should use Sophos Firewall Manager to retrieve this data.

From other articles I've also learned that SFM has been discontinued and the functionality migrated to Sophos Central.

With that said, I am looking for guidance on how to use Central to retrieve the firewall logs as they appear in the Log Viewer.

I don't need the aggregate report. I need to see the user, the SRCIP, DSTIP, SRCPORT, DSTPORT, etc., and filter by the user and the DSTPORT.

This is all I could find and the results are worthless:



  • Hi,

    The CM will only start collecting logs after you have set up an account. It will have the history for which you have set the retention periods on the XG.

    The logs presented by CM are more detailed than offered by XG log viewer.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • The data retention period in Central varies, without the Advanced Firewall Reporting license it'll likely only be 7 days (if you have Central Orchestration that is stretched up to 30 days). You can add columns to the view - you aren't restricted by the ones shown in the default templates. The column button is next to the "Hits" column heading on your picture (the small rectangle).

  • Licensed subscriptions: Xstream Protection bundle + Web Server Protection.

    This includes Central Orchestration.

    The problem is that I am not seeing any entries. Just the aggregate report (see img above right where it says: Total 3079 hits). I don't think that adding columns will show me each of those 3079 entries. Unless I am missing something.

  • Hi,
    I've upgraded from XG to XGS and registered immediately about 3 months ago. We manage a lot of customers and Sophos Products via our Partner Portal and have them all registered in Sophos Central. But I never had a situation where I needed something older than 10 days of logs.
    Sophos Central registration
    Device status: Registered
    Serial number: X13109--------2
    Registration date: April 02, 2023
     
    You mentioned that the logs presented by CM are more detailed than offered by XG log viewer.
    Can you point me in the right direction on how to acquire this info? I want to see exactly the same output that Log Viewer > Firewall logs shows, but for a period older than 7-9 days. Specifically -17 days. I also want to be able to filter by DSTPORT and Username.
  • Hello there,

    As Carbon15 mentioned, unless you have an Advanced Firewall Reporting license, you will only get 7 days of Free reporting.

    In your central click on the arrow on the Top Right > Licensing > and search for Central Firewall Reporting.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    As I mentioned above, we bought the Xstream Protection Bundle, which is supposed to include Central Orchestration features like 30-day CFR and CFR Advanced. Am I missing something?

    Also, even if we set aside for a moment the data retention question (7 days vs 30 days), I still do not see in Central where CFR produces the "more detailed" logs, even for the last 7 days.

    Is there a resource that demonstrates how to pull those detailed logs in Central? I cannot find anything remotely close to the local Log Viewer on the Firewall.

  • Also, despite the fact that our Firewall is registered to the same Central account, I went into the Licenses as you suggested and I can see only the Endpoint Licenses listed. No Xstream bundle in there.

    On the firewall itself:

  • Looks like the Central reporting is absolutely broken. The generated reports aren't corresponding to other data logs.

    Log Viewer. Plenty of logs for Rule ID #1 DST Port = 3389

    Central Reporting:

  • Hi max, 

    Upon checking, you've posted another thread concerning the Central Reporting.

    For better visibility to everyone, kindly refer to the following thread:

     Central Reporting - is it really working? 

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Erick,

    I've opened a new thread because the issue seems to be beyond the original subject of locating the firewall logs. I was able to locate the "Log Viewer" template, but the generated output does not correspond to the logs I am seeing on the firewall locally.

    Thanks for providing the link to the new thread.