This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there a way to capture the exception list name in the logs?

While looking through Web Filtering logs in our UTM it provides a lot of information but does not appear to list the name of the exception list that its using to pass traffic. Is there a way to capture this data? It would be great to be able to filter on rule name when viewing logs.

This thread was automatically locked due to age.

0 DouglasFoster over 5 years ago

Exceptions are cumulative. The exception configuration for any single website may be derived from multiple Exception objects. Instead the exceptions="list" token identifies all of the exceptions that were applied. I think the complete list of tokens is:

av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago

Hi Ashley and welcome to the UTM Community!

Doug answered your question. At the top of the 'Exceptions' tab in 'Filtering Options' is a [Find] button. Just copy the domain name from the log there and you will see only the applicable Exceptions for the domain.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Ashley A over 5 years ago in reply to DouglasFoster

Our use case for this is more along the lines of looking at logs, ingested through Splunk, and being able to filter off of a name of an exception list not taking into account the checks for this.

Seeing if a rule has been used, maybe to help us determine if an exception list is used(still used or perhaps last used) or which is the most used, finding a rule then filtering on particular servers, or being able to filter out when a particular one was used to correlate other events, among other uses.
Cancel
Vote Up 0 Vote Down

Cancel