I keep hearing about the Central Reporting and how all the detailed logging is available through it, which has plenty of data points and filters.
We are subscribed to Xstream Protection, which includes Central Orchestration, which includes 30 days of logs. Never had to go deep for analysis.
A few days ago I was tasked to track a user. So I went to Sophos Central Reporting to pull the data.
Immediately it looked weird. So I opened Log Viewer on the firewall and started comparing. Central has nothing even close to the data available through the Log Viewer.
I pulled the VPN log file from the firewall to trace connection times and compared with the Central Reporting. Absolute inconsistencies, missing data.
Here's one example for Rule ID=1 DROP ALL and LOG. I am not going to post many other inconsistencies with VPN and FW Rules because there are too many.
DST PORT 3389 is being blocked:
Applied Filter DST Port 3389:
Changed filters to Rule ID = 1
Has anyone experienced the same thing? Can you check on your end? I can't trust the Central Reporting and it's a serious Security matter, that might put user's employment under question.
Before anyone suggests a syslog server, I don't recall Sophos reps mentioning that Xstream License that included 30-day logging and granular Central Reporting was in fact waste of money, and I should be going with the Standard license instead.
This thread was automatically locked due to age.
