Many log file analysis applications, including Fastvue Sophos Reporter, consume Syslog messages from the device being monitored. This is great for seeing a live view of network traffic, but if the server goes offline temporarily (such as when you perform a reboot after patching), the syslog messages sent during that time are lost, leaving gaps in your reporting data.
Fortunately, Fastvue Sophos Reporter takes precautions to ensure the integrity and accuracy of reporting data is maintained even when it is not available to receive syslog messages. It does this by utilizing Sophos UTM's Remote Log Archive feature to fill in the blanks if the syslog stream is interrupted.
In addition to Syslog, Sophos UTM also has the option of saving its logs to a Remote Log File Archive server on a daily basis. At midnight each night, Sophos UTM will copy the previous day's log files to the remote log archive share.
Fastvue Sophos Reporter can be configured to import the historic data from this location in addition to consuming the live syslog messages. Not only does this give you access to historical data to investigate previous incidents, but it also gives you a fault tolerant, dual import strategy to fill in any gaps in the syslog data.
Enabling this great functionality can be done in three easy steps.
Using a Windows shared folder is the simplest way of configuring this. A Windows file share can also be referred to as a SMB or CIFS share. This does not have to be on the Fastvue Sophos Reporter server itself, but the Fastvue Sophos Reporter service will need read access to the share (local System account by default).
To create a shared folder:
This setting will instruct the Sophos UTM device to pack all the logs for the day into a compressed file and copy it to the file share. I am going to work under the assumption that you already have a host specified. As shown here https://vimeo.com/78974684.
In the screenshot above, you can see the Fastvue Sophos Reporter server “labs2” has a share on it called “Export”. The domain name is LABS and the user account I am using is "vantage".
I am going to work under the assumption that you already have a syslog Source specified in Settings | Sources. If not, click Add Source to add your Sophos UTM as a source. We will edit that source to simply add the historic log location.
That’s all there is to it!
At midnight each night, Sophos UTM will copy the previous day's log files to the remote log archive share. Fastvue Sophos Reporter will detect these new files and import any data that has not already been imported from the previous day's syslog stream.
Configuring the Sophos UTMs remote log archive and Fastvue's historic data import features are a great way to ensure you never miss potentially important reporting data. With very little configuration Fastvue Sophos Reporter will take care of everything and provide reports that are accurate and easy to use, even if the syslog process is disrupted.
If you have issues configuring Sophos UTM's Remote Log Archive feature, see my other article on Troubleshooting Sophos UTM's Remote Log Archive.
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
Filtering and Forwarding Sophos UTM Syslog Data with Syslog-ng
Sophos RED Deployment Modes Explained - Choosing The Right One For You