
This discussion has been locked.

Firewall logs - where?

Log Viewer > Firewall goes back by 10 days or so. I need to retrieve Firewall logs for a period of 2 weeks starting 20 days ago.

I've learned that XG(S) do not store log files for Firewall rules.

From other posts I've also learned that I should use Sophos Firewall Manager to retrieve this data.

From other articles I've also learned that SFM has been discontinued and the functionality migrated to Sophos Central.

With that said, I am looking for guidance on how to use Central to retrieve the firewall logs as they appear in the Log Viewer.

I don't need the aggregate report. I need to see the user, the SRCIP, DSTIP, SRCPORT, DSTPORT, etc., and filter by the user and the DSTPORT.

This is all I could find and the results are worthless:



  • The data retention period in Central varies; without the Advanced Firewall Reporting license it'll likely only be 7 days (if you have Central Orchestration, that is stretched up to 30 days). You can add columns to the view - you aren't restricted to the ones shown in the default templates. The column button is next to the "Hits" column heading in your picture (the small rectangle).

  • Licensed subscriptions: Xstream Protection bundle + Web Server Protection.

    This includes Central Orchestration.

    The problem is that I am not seeing any entries. Just the aggregate report (see img above right where it says: Total 3079 hits). I don't think that adding columns will show me each of those 3079 entries. Unless I am missing something.

  • Hello there,

    As Carbon15 mentioned, unless you have an Advanced Firewall Reporting license, you will only get 7 days of free reporting.

    In your Central, click on the arrow at the top right > Licensing > and search for Central Firewall Reporting.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    As I mentioned above, we bought the Xstream Protection Bundle, which is supposed to include Central Orchestration features like 30-day CFR and CFR Advanced. Am I missing something?

    Also, even if we set aside for a moment the data retention question (7 days vs 30 days), I still do not see in Central where CFR produces the "more detailed" logs, even for the last 7 days.

    Is there a resource that demonstrates how to pull those detailed logs in Central? I cannot find anything remotely close to the local Log Viewer on the Firewall.

  • Also, despite the fact that our Firewall is registered to the same Central account, I went into the Licenses as you suggested and I can see only the Endpoint Licenses listed. No Xstream bundle in there.

    On the firewall itself: