
Export Firewall-Log

Hi,


For a few days now we have had a new Sophos XGS2300 installed and have created some firewall rules to log the traffic passing the firewall. They are currently set to allow the traffic, but the goal is to find the wanted traffic and block the rest.

Now the Log Viewer in the Web UI is pretty slow and not too comfortable for setting filters or even getting a longer timeframe (some days). Thus I would like to export the log file and sort it out with Excel. On UTM firewalls I had no issues loading the packetfilter.log via the Web UI, but on the XGS I don't find those files. Is the corresponding file hidden somewhere? I cannot even find specific source or destination IPs within the /log/*.log files.

Could anyone lead me to where to look for the correct files?

Regards
Norbert



  • Hello,

    Thanks for reaching out to Sophos Community.

    You can get the logs in SF as outlined on this KBA: https://support.sophos.com/support/s/article/KB-000041274?language=en_US

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi,

    Thank you. But as I mentioned, I already searched the whole /log/ directory. I am not sure whether the file is not in /log/ but somewhere else, or whether the entries are not in clear text and I cannot find them for that reason.

    Regards

  • SFOS does not use a packetfilter.log, as the conntrack collects more data.

    You could look into Central, as it uses the Log Viewer as an external syslog.

  • Thanks, in Central it looks like what I try to achieve, but it just gives me 100 entries per page and is much less flexible and slower than if I could just handle the raw data.

    Somehow conntrack also must store the collected data locally on the firewall, mustn't it?

  • No, this was never implemented. What is your use case, what do you want to do?
    Customers doing that have a syslog server in place and do their cross-collection there.

    Your initial post is about traffic blocking. Just to make sure: nowadays you will find most traffic/apps using port 443, so blocking traffic based on port is likely not usable anymore. You could block it based on the port, but most apps will do a fallback to encrypted 443. Did you check the block firewall rules on the UTM and adapt your system?
    And what do you want to block and what not?

  • We have some UTMs that separate our client network from several production and server networks.

    On a newly built site we now have the same, separation between the clients and some production and server networks, but via an XGS. As there are several applications and the mechanics of our suppliers are not deep into networking, we do not always get detailed information about which devices need connections on which ports, while at the same time the management puts pressure on us so that our site does not delay the go-live.

    So when creating a new network we make a rule for all traffic from the new net with logging enabled and one to the net for all traffic with logging, and during the implementation we filter what traffic is fetched by them to create the true rules. In the end we set the rules to blocking and all is good.

    There is just pretty much in there, and sometimes it is useful to cross-check a week of connections. It can be done with the Log Viewer, but having it all exported and handled with an external tool was much more comfortable and also easier to discuss with the engineering teams.

  • So in general this sounds like a report topic, not a logging situation. But you could do it with a syslog server if your need requires this.
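An added example of the syslog-server approach suggested above, not code from the thread or from Sophos: it parses SFOS-style key=value firewall log lines as a syslog server would receive them, aggregates the source/destination/port combinations observed (the input needed to build the "true rules" described above), and writes CSV for Excel. The sample lines are constructed; the field names follow the key=value convention of SFOS syslog output but should be checked against your own firewall's lines.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample syslog lines (values invented) in the key=value style
# SFOS sends to a syslog server. One non-firewall event is included to show
# that it is filtered out.
SAMPLE_SYSLOG = """\
device="SFW" date=2024-03-05 time=10:15:01 timezone="CET" device_name="XGS2300" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=10.10.5.21 dst_ip=10.20.1.10 protocol="TCP" src_port=51234 dst_port=443
device="SFW" date=2024-03-05 time=10:15:02 timezone="CET" device_name="XGS2300" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=10.10.5.21 dst_ip=10.20.1.10 protocol="TCP" src_port=51235 dst_port=443
device="SFW" date=2024-03-05 time=10:15:03 timezone="CET" device_name="XGS2300" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=10.10.5.40 dst_ip=10.20.1.11 protocol="TCP" src_port=40001 dst_port=4840
device="SFW" date=2024-03-05 time=10:15:04 timezone="CET" device_name="XGS2300" log_type="Event" log_subtype="Authentication" status="Successful" user_name="admin"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def firewall_flows(text):
    """Count (src_ip, dst_ip, protocol, dst_port, status) tuples for Firewall events only."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall":
            continue  # authentication/system events carry no flow fields
        key = (rec["src_ip"], rec["dst_ip"], rec["protocol"], rec["dst_port"], rec["status"])
        flows[key] += 1
    return flows


def flows_to_csv(flows):
    """Render the aggregated flows as CSV text that Excel can open directly."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["src_ip", "dst_ip", "protocol", "dst_port", "status", "count"])
    for key, count in sorted(flows.items()):
        writer.writerow([*key, count])
    return buf.getvalue()


if __name__ == "__main__":
    print(flows_to_csv(firewall_flows(SAMPLE_SYSLOG)))
```

Point the script at the file your syslog server writes instead of SAMPLE_SYSLOG to get a week of connections collapsed into one row per source/destination/port.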

  • I will give it a try to see if I can get what I need from the reports and/or by installing a syslog server.

    But still I am wondering where the firewall stores the data that is shown in the Log viewer...

  • The difference is: the Log Viewer is a database. UTM uses a live log based on the .log files.
    The Log Viewer can filter and resolve different problems at the same time.
    Therefore /log is completely separate from the Log Viewer. The Log Viewer is a database filled by the system itself and not by the data in /log.

  • Ah ok, now it makes sense to me that I cannot get the file. I assume the database schema and a (read-only) user are nothing Sophos makes publicly available?