
Are the changes that I make logged?

An auditor asked me to show UTM logs. I made a change to the ruleset (specifically, disallowed extremist sites) but cannot find evidence in the logs that [user] made this change at [datetime].

Does that exist anywhere in 9.3?

Thanks



  • Hi Joe,

    You can monitor the changes made in the last 20 sessions. Click on the Management tab, which will give you the following report. PFA Screenshot:

    Hope that helps.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • You can also look in the confd log files.  I prefer to use grep at the command line instead of using the search function in WebAdmin.  If I want to see all of the changes by [user] in April:

    zgrep '[user]' /var/log/confd/2016/04/* |grep 'change'

    I just added the "Extremist" category to our "Open Web Access" Filter Action.  First, I look at the Filter Action with:

    cc get_object_by_name 'http' 'cff_action' 'Open Web Access'

    In that, I see the last item added was 'REF_hycDbYxmJh'.  To confirm I have the right one:

    cc get_object 'REF_hycDbYxmJh' | grep 'name'

    That returns 'name' => 'Extremistic_Sites', so now I can look for the line in the confd log file.

    grep '[user]' /var/log/confd.log |grep 'REF_hycDbYxmJh'

    I am rewarded with:

    2016:05:05-12:08:39 secure confd[3075]: I main::top-level:677() => id="310a" severity="info" sys="System" sub="confd" name="object changed" class="http" type="cff_action" ref="REF_IiqUeSGrWr" objname="Open Web Access" user="[user]" srcip="10.1.1.64" sid="RhTVHMwvRpgXpjthOztP" facility="webadmin" client="webadmin.plx" pid="28612" oldattr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV']" attr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV','REF_hycDbYxmJh']"

    Of course, since this just happened, I can get the information as Sachin suggests:

    If I only knew that the restriction was put in place earlier this year, I would use either the search tab in WebAdmin or:

    zgrep 'REF_hycDbYxmJh' /var/log/confd/2016/*/*

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
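The grep pipeline above finds the line, but an auditor usually wants to know who changed what, from where, and exactly which values were added or removed. The following is an added example (not Sophos code and not from the thread) that parses confd "object changed" lines of the format quoted in Bob's reply into structured records and diffs each attr_* value against its oldattr_* counterpart. The first sample line is the one from the reply; the second is a constructed line (user "other_admin", a later timestamp, and the category removed again) included only to show filtering by user and by REF.

```python
"""Parse Sophos UTM confd 'object changed' log lines into structured records.

Added example for the thread above; not Sophos' own tooling. The line layout
assumed here is the one quoted in the thread:
  <timestamp> <host> confd[<pid>]: <level> <location> => key="value" key="value" ...
"""
import ast
import re

# Sample input: line 1 is the confd line quoted in the thread; line 2 is
# constructed for this example (different user, later timestamp, REF removed).
SAMPLE_LINES = [
    '''2016:05:05-12:08:39 secure confd[3075]: I main::top-level:677() => id="310a" severity="info" sys="System" sub="confd" name="object changed" class="http" type="cff_action" ref="REF_IiqUeSGrWr" objname="Open Web Access" user="[user]" srcip="10.1.1.64" sid="RhTVHMwvRpgXpjthOztP" facility="webadmin" client="webadmin.plx" pid="28612" oldattr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV']" attr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV','REF_hycDbYxmJh']"''',
    '''2016:05:06-09:15:02 secure confd[3075]: I main::top-level:677() => id="310a" severity="info" sys="System" sub="confd" name="object changed" class="http" type="cff_action" ref="REF_IiqUeSGrWr" objname="Open Web Access" user="other_admin" srcip="10.1.1.99" sid="CONSTRUCTEDSIDXXXXXX" facility="webadmin" client="webadmin.plx" pid="28700" oldattr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV','REF_hycDbYxmJh']" attr_sp_categories="['REF_HttSpcMalicious','REF_AmbOEIlmFV']"''',
]

PREFIX_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) confd\[(?P<pid>\d+)\]: (?P<level>\S) (?P<where>\S+) => (?P<rest>.*)$'
)
# key="value" pairs; values in these lines carry no embedded double quote
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_confd_line(line):
    """Return a dict with ts/host/pid/level/where/fields, or None if the line does not match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = dict(KV_RE.findall(rec.pop('rest')))
    return rec


def _decode(value):
    """List attributes are serialised like "['REF_a','REF_b']"; turn those into Python lists."""
    if value.startswith('[') and value.endswith(']'):
        try:
            return list(ast.literal_eval(value))
        except (ValueError, SyntaxError):
            return value
    return value


def attribute_changes(fields):
    """Pair each attr_<name> with oldattr_<name> and report added/removed items or old/new values."""
    changes = {}
    for key, new_raw in fields.items():
        if not key.startswith('attr_'):
            continue
        name = key[len('attr_'):]
        old = _decode(fields.get('oldattr_' + name, ''))
        new = _decode(new_raw)
        if isinstance(old, list) and isinstance(new, list):
            changes[name] = {
                'added': [x for x in new if x not in old],
                'removed': [x for x in old if x not in new],
            }
        else:
            changes[name] = {'old': old, 'new': new}
    return changes


def _mentions_ref(fields, ref):
    """True if the changed object is <ref> or any attr_/oldattr_ value contains <ref>."""
    if fields.get('ref') == ref:
        return True
    return any(ref in v for k, v in fields.items()
               if k.startswith('attr_') or k.startswith('oldattr_'))


def find_object_changes(lines, user=None, ref=None):
    """Structured equivalent of: grep '<user>' confd.log | grep '<REF>' for 'object changed' events."""
    hits = []
    for line in lines:
        rec = parse_confd_line(line)
        if rec is None or rec['fields'].get('name') != 'object changed':
            continue
        f = rec['fields']
        if user is not None and f.get('user') != user:
            continue
        if ref is not None and not _mentions_ref(f, ref):
            continue
        hits.append({
            'ts': rec['ts'], 'user': f.get('user'), 'srcip': f.get('srcip'),
            'type': f.get('type'), 'objname': f.get('objname'), 'ref': f.get('ref'),
            'changes': attribute_changes(f),
        })
    return hits


if __name__ == '__main__':
    # Audit question from the thread: who touched REF_hycDbYxmJh, when, and how?
    for hit in find_object_changes(SAMPLE_LINES, ref='REF_hycDbYxmJh'):
        print(hit['ts'], hit['user'], hit['srcip'], hit['objname'], hit['changes'])
```

On a live system the lines would come from `/var/log/confd.log` or the rotated `/var/log/confd/<year>/<month>/*` files (gzip-compressed, hence zgrep in the reply), read with `gzip.open` and fed to `find_object_changes`. The REF values in the output are still opaque, so `cc get_object 'REF_...' | grep name`, as shown above, is how to turn them into the category names an auditor will recognise.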
  • Here is a place to start looking:  https://community.sophos.com/products/unified-threat-management/f/52/p/29933/99682#99682

    What do you and your auditor think of each suggestion?