
Is there a way to capture the exception list name in the logs?

While looking through Web Filtering logs in our UTM it provides a lot of information but does not appear to list the name of the exception list that it's using to pass traffic. Is there a way to capture this data? It would be great to be able to filter on rule name when viewing logs.



  • Exceptions are cumulative. The exception configuration for any single website may be derived from multiple Exception objects. Instead, the exceptions="list" token identifies all of the exceptions that were applied. I think the complete list of tokens is:

    av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience

  • Hi Ashley and welcome to the UTM Community!

    Doug answered your question.  At the top of the 'Exceptions' tab in 'Filtering Options' is a [Find] button.  Just copy the domain name from the log there and you will see only the applicable Exceptions for the domain.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Our use case for this is more along the lines of looking at logs, ingested through Splunk, and being able to filter off of a name of an exception list not taking into account the checks for this.

    Seeing if a rule has been used, maybe to help us determine if an exception list is used (still used or perhaps last used) or which is the most used, finding a rule then filtering on particular servers, or being able to filter out when a particular one was used to correlate other events, among other uses.
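
Since the log carries the skipped checks in the exceptions="list" token rather than the name of an Exception object, usage can be tracked per destination host and check set instead. The following is an added example, not part of the original thread and not Sophos code: the sample lines are constructed, and the leading timestamp and every field name other than `exceptions` are assumptions about the log layout.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines. Only the exceptions="..." token comes from the
# thread; the timestamp prefix and the other field names are assumptions.
SAMPLE_LOG = """\
2024:01:10-09:15:02 utm httpproxy[4211]: action="pass" srcip="10.0.0.21" url="https://updates.example.com/a.cab" exceptions="av,sandbox,fileextension,size"
2024:01:10-09:16:40 utm httpproxy[4211]: action="pass" srcip="10.0.0.35" url="https://intranet.example.org/login" exceptions="auth,ssl,certcheck"
2024:01:10-09:20:11 utm httpproxy[4211]: action="pass" srcip="10.0.0.21" url="https://updates.example.com/b.cab" exceptions="av,size"
2024:01:10-09:21:00 utm httpproxy[4211]: action="pass" srcip="10.0.0.40" url="http://news.example.net/" exceptions=""
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" tokens


def skipped_checks(line):
    """Return (host, set of skipped checks) for one line, or None if no exception applied."""
    fields = dict(PAIR_RE.findall(line))
    checks = {c for c in fields.get("exceptions", "").split(",") if c}
    if not checks:
        return None
    host = urlsplit(fields.get("url", "")).hostname or "unknown"
    return host, checks


def summarize(log_text):
    """Per host: hit count, last-seen timestamp, union of skipped checks."""
    report = {}
    for line in log_text.splitlines():
        parsed = skipped_checks(line)
        if parsed is None:
            continue
        host, checks = parsed
        stamp = line.split(" ", 1)[0]  # assumed leading timestamp, sorts as text
        entry = report.setdefault(host, {"hits": 0, "last_seen": "", "checks": set()})
        entry["hits"] += 1
        entry["last_seen"] = max(entry["last_seen"], stamp)
        entry["checks"] |= checks
    return report


if __name__ == "__main__":
    for host, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(host, entry["hits"], entry["last_seen"], ",".join(sorted(entry["checks"])))
```

Each host in the report can then be pasted into the [Find] box on the 'Exceptions' tab to see which Exception objects produced that check set.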