Sophos UTM 9, I am forwarding logs via syslog to ELK, the problem I have is that Application Control logs are only being forwarded one way (internal > external) but not the other way around.
This becomes very clear when I create some charts to calculate the total bandwidth consumed by each application using the "length" field and so the totals are not relevant by any means.
Under the Web Protection, It's reflected accurately though so I am not sure what the source of the problem here is.
Already have an Application Control rule at the bottom to "Allow all and log".
I already checked the "Application Control" under syslog so that's not the issue.
With "Application Control" it's the same as "firewall Packet filter" ... you see, controll (and log) the initial packets only.
It's not usable to calculate the total amount of data.
Thanks Dirk for your response, to me this is a bit of a surprise because with the Web Filter, I am able to use the "size" field to calculate accurately the bandwidth usage of each domain/web app.
There is no way whatsoever to do it in Application Control it seems...