IPS does not show in reports

I can see IPS log entries when I manually inspect the IPS log files but the IPS portion of the daily executive report has been blank for months. I used to see IPS entries in almost every daily report.

Also, zero is reported for all IPS statistics on all of the tabs (including the IPS tab) when I go to Logging & Reporting->Network Protection.

Is there a setting that I have inadvertently changed, was IPS reporting changed in a release or is this a bug? All other reporting seems okay.

Maybe I missed it but my forum searches did not turn up a list of IDs or types (e.g., info, warn, error) of IPS log entries which are ignored by reporting. I find it odd that I went from almost daily IPS attacks being reported to none. The only thing that comes to mind is that, months ago, I switched from using a DNAT to using the WAF for a particular server.

Added context
[edited by: jeffshead at 12:32 PM (GMT -7) on 20 Sep 2021]
  • Indeed!

    secure:/root # zgrep portscan /var/log/ips/2021/*/*|wc -l

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for checking, Bob!

    gateway:/root # zgrep portscan /var/log/ips/2021/*/*|wc -l

    The IPS log for 2021-07-06 has 4,984 log entries. Those 34 events in the graph are all the same as the line below:

    2021:07:06-12:51:34 gateway snort[22389]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="" dstip="" proto="17" srcport="39509" dstport="53" sid="28039" class="Misc activity" priority="3" generator="1" msgid="0"


    9.707-5 Sophos UTM Software Home Edition
    Installed on a Dell OptiPlex XE SFF:

    • Intel® Core™2 Duo Processor E8600
      • 6M Cache, 3.33 GHz, 1333 MHz FSB
    • 8GB RAM