General Logging Query - Sophos UTM

Hi folks,

We have a pair of SG450 Hardware Appliances (Hot Standby Mode) running UTM Version 9.703-3 acting as Web Proxy Firewalls.

Our UTMs are configured to syslog their Web Filtering Logs to a remote server which has a third-party log analyser installed.

We periodically receive Freedom Of Information (FOI) Requests asking for sites visited and/or blocked by our users and our third-party analyser can do this quite efficiently.

However, when running two instances of the exact same query locally on the Sophos UTM using View Log Files > Search Log Files > Web Filtering, I have noticed a discrepancy in the number of results returned when I select the option Only Display Page Requests. This is for the exact same query run with, and then without, this option selected.

My question is therefore, what is the difference when this option is selected? When this option is selected does it mean the log entries of only those pages a user actively requested are returned? Is there a particular field entry in the Web Filtering Log which indicates that the user deliberately attempted to access a site as opposed to all of the other 'fluff' which is generated when accessing a web page?

This would greatly assist me in creating more accurate reports in reply to FOI Requests.

Any advice would be much appreciated.

Best regards,

John P



  • For https traffic with https inspection off, UTM logs one entry per session (method=Connect). This is because encryption prevents UTM from doing any better.

    For http or https with inspection on, UTM logs each page request (method=Get or Post, as well as Connect).

    I think page request only is picking up Get and Post, missing all https traffic.

    The only meaningful way to combine the two types of entries is aggregating on the size field.
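
To make the explanation above concrete, here is an added example (not code from this thread or from Sophos) that parses constructed web filtering log lines written in the UTM's key="value" style, counts entries per method, and compares a GET/POST-only view against aggregation on the size field and on the host. The field names, the sample values and the assumption that "Only Display Page Requests" keeps just GET and POST are all assumptions, not something the thread confirms.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the key="value" style of the UTM httpproxy log.
# Field names approximate the real log (an assumption); the values are made up.
SAMPLE_LOG = """\
2021:03:01-09:00:01 utm httpproxy[4711]: action="pass" method="GET" srcip="10.1.1.20" user="alice" statuscode="200" size="5120" url="http://example.com/"
2021:03:01-09:00:01 utm httpproxy[4711]: action="pass" method="GET" srcip="10.1.1.20" user="alice" statuscode="200" size="880" url="http://example.com/style.css"
2021:03:01-09:00:02 utm httpproxy[4711]: action="pass" method="GET" srcip="10.1.1.20" user="alice" statuscode="200" size="30210" url="http://example.com/logo.png"
2021:03:01-09:00:05 utm httpproxy[4711]: action="pass" method="CONNECT" srcip="10.1.1.20" user="alice" statuscode="200" size="734512" url="https://mail.example.net/"
2021:03:01-09:00:09 utm httpproxy[4711]: action="pass" method="POST" srcip="10.1.1.21" user="bob" statuscode="200" size="2048" url="http://forms.example.org/submit"
2021:03:01-09:00:12 utm httpproxy[4711]: action="pass" method="CONNECT" srcip="10.1.1.21" user="bob" statuscode="200" size="120077" url="https://docs.example.org/"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumption: "Only Display Page Requests" keeps GET and POST entries and drops CONNECT.
PAGE_METHODS = {"GET", "POST"}

def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def count_by_method(entries):
    """How many log entries each method produced (GET, POST, CONNECT)."""
    return Counter(e["method"] for e in entries)

def page_requests_only(entries):
    """The subset a GET/POST-only view shows: every HTTPS CONNECT session is gone."""
    return [e for e in entries if e["method"] in PAGE_METHODS]

def bytes_per_user(entries):
    """Aggregate on the size field, which counts both entry types on equal footing."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["user"]] += int(e["size"])
    return dict(totals)

def sites_visited(entries):
    """Distinct hosts, the unit an FOI 'sites visited' request usually asks about."""
    return sorted({urlsplit(e["url"]).hostname for e in entries})

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_method(entries), len(page_requests_only(entries)), "page requests")
    print(bytes_per_user(entries), sites_visited(page_requests_only(entries)))
```

On the constructed input the GET/POST-only view drops both HTTPS hosts, so a "sites visited" report built from it alone would miss every uninspected HTTPS site.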

  • Hi Douglas,

    Thank you for your reply and apologies for my tardiness in acknowledging it until now.

    I'm still seeing Get, Post, Connect etc. in results from both queries. Both queries covered the exact same time period, yet returned different results (number-wise) because of the additional option.

    I have raised a call with Sophos to see if they can explain exactly what difference selecting the 'Only Display Page Requests' option makes when running a query on the Web Filtering Logs.

    Will post any updates.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive
