
What do you use to store logs?

Hi all,

UTM had a brilliant logging system, but Sophos Firewall does not keep logs for many days back, which is of no use, because we often need to go further back.

Sophos Central logging we also find lacking a lot, e.g. dropped packets are not logged (but maybe that is planned).

Have any of you set up an external data source? Splunk, Datadog, Elastic?

Could be great to hear your experiences :-)



  • Yes, in UTM logging you always found what you needed, even if it happened a long time ago. Log search was not fast, it took you some time, and it was not as detailed as XG is, but in the end you had what you wanted.

    Some XG logs are timing out after just some hours or 1-2 days. Not very useful. But livelog is really good.

    Using Splunk.

    Good filtering. If you want to store and search logs of long periods, you need some space.

    On the left bar: interesting fields.

    You can filter for all those categories:

    Interesting Fields

        # app_is_cloud 1
        # appfilter_policy_id 1
        a application 1
        a application_category 1
        # application_risk 1
        a application_technology 1
        a appresolvedby 1
        a bridge_display_name 1
        a bridge_name 1
        a connid 1
        a date 1
        a device 1
        a device_id 1
        a device_name 1
        a dir_disp 1
        a dst_country_code 1
        a dst_ip 1
        # dst_port 1
        a dstzone 1
        a dstzonetype 1
        # duration 1
        a ether_type 1
        a eventtype 1
        # flags 1
        # fw_rule_id 1
        a fw_rule_name 1
        a fw_rule_section 1
        # gw_id_reply 1
        # gw_id_request 1
        a gw_name_reply 1
        a gw_name_request 1
        a hb_health 1
        a host 1
        # iap 1
        a in_display_interface 1
        a in_interface 1
        a index 1
        # ips_policy_id 1
        # linecount 1
        a log_component 1
        # log_id 1
        # log_occurrence 1
        a log_subtype 1
        a log_type 1
        a message 1
        # nat_rule_id 1
        a nat_rule_name 1
        a out_display_interface 1
        a out_interface 1
        # policy_type 1
        a priority 1
        a protocol 1
        a punct 1
        # recv_bytes 1
        # recv_pkts 1
        # sdwan_profile_id_reply 1
        # sdwan_profile_id_request 1
        a sdwan_profile_name_reply 1
        a sdwan_profile_name_request 1
        # sdwan_route_id_reply 1
        # sdwan_route_id_request 1
        a sdwan_route_name_reply 1
        a sdwan_route_name_request 1
        # sent_bytes 1
        # sent_pkts 1
        a splunk_server 1
        a splunk_server_group 5
        a src_country_code 1
        a src_ip 1
        a src_mac 1
        # src_port 6
        a srczone 1
        a srczonetype 1
        a status 1
        a time 28
        a timestamp 1
        a timezone 1
        # tran_dst_port 1
        # tran_src_port 1
        a user_gp 1
        a user_name 1
        a vconnid 1
        a vlan_id 1
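    As an added illustration (not code from the original post, and not Sophos or Splunk code), the script below shows what filtering on those fields looks like once the firewall's key=value syslog lines land in an external store. The four sample lines are constructed for this example in the style Sophos Firewall uses (field names taken from the list above; addresses, rule names and byte counts are invented), and the set of fields treated as numeric mirrors the "#" markers Splunk shows. The parser turns each line into a dict, and the helper functions reproduce three of the searches the thread cares about: dropped packets (log_subtype="Denied"), a date range further back than the appliance keeps, and traffic volume per rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the key=value syslog style Sophos Firewall sends
# to external collectors; hosts, ports, rule names and counters are invented.
SAMPLE_LOGS = [
    'device="SFW" date=2024-05-01 time=10:15:01 timezone="CEST" device_name="XGS2100" '
    'log_id=010101600001 log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 '
    'fw_rule_name="LAN to WAN" src_ip=192.168.1.10 src_port=51234 dst_ip=203.0.113.5 '
    'dst_port=443 protocol="TCP" srczone="LAN" dstzone="WAN" sent_bytes=1200 recv_bytes=34000',
    'device="SFW" date=2024-05-01 time=10:15:02 timezone="CEST" device_name="XGS2100" '
    'log_id=010202601001 log_type="Firewall" log_subtype="Denied" fw_rule_id=0 '
    'fw_rule_name="Default Drop" src_ip=198.51.100.23 src_port=44511 dst_ip=192.168.1.10 '
    'dst_port=3389 protocol="TCP" srczone="WAN" dstzone="LAN" sent_bytes=0 recv_bytes=0',
    'device="SFW" date=2024-05-01 time=10:15:03 timezone="CEST" device_name="XGS2100" '
    'log_id=010202601001 log_type="Firewall" log_subtype="Denied" fw_rule_id=0 '
    'fw_rule_name="Default Drop" src_ip=198.51.100.23 src_port=44512 dst_ip=192.168.1.10 '
    'dst_port=22 protocol="TCP" srczone="WAN" dstzone="LAN" sent_bytes=0 recv_bytes=0',
    'device="SFW" date=2024-05-01 time=10:16:00 timezone="CEST" device_name="XGS2100" '
    'log_id=010101600001 log_type="Firewall" log_subtype="Allowed" fw_rule_id=7 '
    'fw_rule_name="DMZ Web" src_ip=203.0.113.77 src_port=60001 dst_ip=192.168.50.5 '
    'dst_port=80 protocol="TCP" srczone="WAN" dstzone="DMZ" sent_bytes=8000 recv_bytes=500',
]

# Fields Splunk marks with "#" in the interesting-fields list, i.e. numeric.
# log_id is deliberately left as a string so its leading zeros survive.
NUMERIC_FIELDS = {
    "fw_rule_id", "nat_rule_id", "ips_policy_id", "appfilter_policy_id",
    "src_port", "dst_port", "tran_src_port", "tran_dst_port",
    "sent_bytes", "recv_bytes", "sent_pkts", "recv_pkts", "duration",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, converting numeric fields to int."""
    event = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        value = bare if bare else quoted
        if key in NUMERIC_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string if the device sent something unexpected
        event[key] = value
    return event


def parse_logs(lines):
    return [parse_line(line) for line in lines]


def event_time(event):
    """Combine the separate date and time fields into one datetime."""
    return datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")


def denied_connections(events):
    """Same as filtering on log_subtype="Denied": the dropped packets."""
    return [e for e in events if e.get("log_subtype") == "Denied"]


def denied_by_source(events):
    """Count of denied connections per src_ip."""
    counts = defaultdict(int)
    for e in denied_connections(events):
        counts[e["src_ip"]] += 1
    return dict(counts)


def events_between(events, start, end):
    """Events whose timestamp falls inside [start, end], both 'YYYY-MM-DD HH:MM:SS'."""
    lo = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    hi = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    return [e for e in events if lo <= event_time(e) <= hi]


def bytes_by_rule(events):
    """Total sent+received bytes per fw_rule_name for allowed traffic."""
    totals = defaultdict(int)
    for e in events:
        if e.get("log_subtype") == "Allowed":
            totals[e["fw_rule_name"]] += e.get("sent_bytes", 0) + e.get("recv_bytes", 0)
    return dict(totals)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("denied per source:", denied_by_source(events))
    print("events 10:15:00-10:15:59:", len(events_between(events, "2024-05-01 10:15:00", "2024-05-01 10:15:59")))
    print("bytes per rule:", bytes_by_rule(events))
```

    The same three searches are what the "interesting fields" sidebar gives you in Splunk by clicking log_subtype, date or fw_rule_name; the point of parsing the numeric fields as integers is that ports, rule ids and byte counters can then be compared and summed rather than matched as strings.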

  • Thanks for this :-)

    May I ask: What version of Splunk do you use? - price model?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
