List of downloaded files

Is it possible to see the names of downloaded files, in addition to the download URLs?



This thread was automatically locked due to age.
  • Hi Janet,

    Unfortunately the appliance will not output specific file names in the reports. However, you can extract this information from the logs.

    In order to do this you will need to output the sophos_log to a syslog server (configuration / system / alerts and monitoring / syslog tab).

    Once you configure the syslog you will see packets like such:

    h=192.168.5.16 u="-" s=200 X=+ t=1490976447 T=9747619 Ts=9 act=1 cat="-" app="-" rsn=- threat="-" type="application/octet-stream" ctype="application/octet-stream" sav-ev=5.35 sav-dv=2017.3.31.5350002 uri-dv=- cache=- in=324 out=12396816 meth=GET ref="-" ua="Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" req="GET http://getfetch.com/Fetch_5.7.6.dmg HTTP/1.1" dom="getfetch.com" filetype="-" rule="0" filesize=12396549 axtime=0.079191 fttime=0.000070 scantime=0.002 src_cat="-" labs_cat="-" dcat_prox="-" target_ip="68.178.150.1" labs_rule_id="0" reqtime=0.003 adtime=0.000000 ftbypass=- os=Linux authn=0 auth_by=- dnstime=0.147943 quotatime=- sandbox=-

    You would have to configure the syslog server (usually a script, or sed/awk/cut will work):

    The ctype will indicate a file download.

    The req string can be pulled for the address.

    And you could parse out the file name with a regex in the req line.

    You could also grab the domain field, filesize and IP as well as the scan time if needed.

    See http://wsa.sophos.com/docs/wsa/webhelp/index.html#swa/concepts/InterpretingLogFiles.html for a complete list of the log content.

    This may make a good feature request. Unfortunately I cannot create it for you; however, you could post it here and link this message in the comments.

    http://ideas.sophos.com/forums/143211-sophos-web-gateway
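
One way to do the extraction the reply above describes, as an added example that is not part of the original post and not Sophos code: split each sophos_log line into its key=value fields, use ctype to pick out downloads, and take the file name from the req URL. The function names, the DOWNLOAD_CTYPES set and the two extra sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, unquote

# key=value pairs; a value is a double-quoted string or a bare token.
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')
REQ_RE = re.compile(r'^\S+\s+(\S+)')  # "<method> <url> [HTTP/x.y]"
# Assumption: which content types count as a download is local policy.
DOWNLOAD_CTYPES = {"application/octet-stream", "application/zip", "application/pdf"}

def parse_fields(line):
    """Split one sophos_log line into {field: value}, quotes removed."""
    return {k: q or b for k, q, b in FIELD_RE.findall(line)}

def _int(value):  # numeric fields can be "-" when unset
    return int(value) if value and value.isdigit() else None

def download_record(line):
    """Return a dict describing the download, or None for other traffic."""
    f = parse_fields(line)
    m = REQ_RE.match(f.get("req", ""))
    if not m or f.get("ctype", "").lower() not in DOWNLOAD_CTYPES:
        return None
    path = urlsplit(m.group(1)).path          # drops ?query and #fragment
    name = unquote(path.rsplit("/", 1)[-1])   # last segment, percent-decoded
    # The remote site chooses the name: strip control characters before reporting.
    name = re.sub(r"[\x00-\x1f\x7f]", "", name) or None
    t = _int(f.get("t"))
    return {
        "time": datetime.fromtimestamp(t, timezone.utc).isoformat() if t else None,
        "client": f.get("h"), "domain": f.get("dom"),
        "target_ip": f.get("target_ip"), "file": name,
        "filesize": _int(f.get("filesize")), "scantime": f.get("scantime"),
    }

# Shortened from the log line in the post (fields not used here are omitted).
POST_LINE = ('h=192.168.5.16 u="-" s=200 t=1490976447 '
             'ctype="application/octet-stream" meth=GET '
             'ua="Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" '
             'req="GET http://getfetch.com/Fetch_5.7.6.dmg HTTP/1.1" dom="getfetch.com" '
             'filesize=12396549 scantime=0.002 target_ip="68.178.150.1"')
# Constructed lines: a query string with an encoded name, and a page view.
QUERY_LINE = ('h=192.168.5.20 t=1490976500 ctype="application/zip" '
              'req="GET http://files.example/dl/report%202017.zip?token=a=b HTTP/1.1" '
              'dom="files.example" filesize=- target_ip="192.0.2.10"')
HTML_LINE = 'h=192.168.5.20 t=1490976501 ctype="text/html" req="GET http://files.example/ HTTP/1.1"'

if __name__ == "__main__":
    for line in (POST_LINE, QUERY_LINE, HTML_LINE):
        print(download_record(line))
```

Splitting on spaces alone (as a plain cut would) breaks on quoted fields such as ua and req, which is why the field regex handles quoted values first.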
