
Central Reporting - is it really working?

I keep hearing about the Central Reporting and how all the detailed logging is available through it, which has plenty of data points and filters.

We are subscribed to Xstream Protection, which includes Central Orchestration, which includes 30 days of logs. Never had to go deep for analysis.

A few days ago I was tasked to track a user. So I went to Sophos Central Reporting to pull the data.

Immediately it looked weird. So I opened Log Viewer on the firewall and started comparing. Central has nothing even close to the data available through the Log Viewer.

I pulled the VPN log file from the firewall to trace connection times and compared with the Central Reporting. Absolute inconsistencies, missing data.

Here's one example for Rule ID=1 DROP ALL and LOG. I am not going to post many other inconsistencies with VPN and FW Rules because there are too many.

DST PORT 3389 is being blocked:

Applied Filter DST Port 3389:

Changed filters to Rule ID = 1

Has anyone experienced the same thing? Can you check on your end? I can't trust the Central Reporting, and it's a serious security matter that might put a user's employment under question.

Before anyone suggests a syslog server, I don't recall Sophos reps mentioning that the Xstream license that included 30-day logging and granular Central Reporting was in fact a waste of money, and that I should be going with the Standard license instead.



This thread was automatically locked due to age.
  • file number rate had hit 7200 in past

    what do you mean here exactly and how to check?

    we're now at

    XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# date
    Fri Jun 30 13:17:11 CEST 2023
    XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# ls -al /var/.centralreporting/
    drwxr-xr-x    3 root     0            20480 Jun 30 13:16 .
    drwxr-xr-x   43 root     0             4096 Jun 30 11:34 ..
    -rwx------    1 root     0           425984 Jun 30 13:17 2084.gz
    -rwx------    1 root     0               30 Jun 30 13:15 lockfile
    drwxr-xr-x    2 root     0            36864 Jun 23 11:14 rotate

    So I guess, 19 files in ~2:30 hours


  • Hot Fix version:                3
    Hotfix tag:                     HF050823.1