As mentioned in my previous article, configuring Sophos UTM's Remote Log Archive feature not only gives you access to historical data for reporting on previous incidents, but it can also be used in Fastvue Sophos Reporter to fill in any gaps if the syslog stream is interrupted.
After configuring the Remote Log Archive feature, you should check the shared folder the next day for new log files, as Sophos UTM's archive procedure occurs at midnight each night. If no files have been copied, or if you can't wait until midnight to test, here is a useful test procedure.
Unfortunately, there is no handy Test button to verify if your remote log archive is working correctly. The troubleshooting process below is a little lengthy, but not difficult, and gives you a command you can run to test the log archive process.
First, you need a command line on the Sophos UTM. To get one, enable shell access in WebAdmin (Management > System Settings > Shell Access), set the shell passwords there, then connect over SSH as loginuser and switch to root with su -.
Once you have a root shell on the Sophos UTM, run the following command, then check your file share for the output file:
logarchiver.plx -t -d 15
This forces the Sophos UTM to attempt to write a small text file to the remote log archive location. The command's output is quite verbose, but it tells you why the remote log archive process succeeded or failed (for example, a credential or path problem reaching the share).
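The test above has two halves: run the archiver on the UTM, then confirm that a new file actually landed in the share. The script below is an added example, not part of the Fastvue article or Sophos UTM, that wraps both halves and fails loudly when nothing new appears. It assumes the share is mounted at /mnt/utm-logarchive on the host running the script (SHARE_DIR), and that the article's command is reachable from that host; if you run it from a workstation rather than on the UTM itself, set ARCHIVE_CMD to an ssh invocation of the same command. Both values are assumptions and are overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the Fastvue article or Sophos UTM): run the
# logarchiver test and verify that a new file appeared in the archive share.
#
# Assumptions, adjust to your environment:
#   SHARE_DIR   - where the remote log archive share is mounted on THIS host
#   ARCHIVE_CMD - the command from the article; when run from a workstation
#                 use e.g. "ssh root@utm logarchiver.plx -t -d 15"
SHARE_DIR="${SHARE_DIR:-/mnt/utm-logarchive}"        # assumed mount point
ARCHIVE_CMD="${ARCHIVE_CMD:-logarchiver.plx -t -d 15}"

# Create/refresh a marker file so we can find files created after this moment.
make_marker() {
  marker="$1"
  : > "$marker"
  # Filesystems with one-second mtime resolution need a gap before the
  # archiver writes, otherwise -newer cannot tell the two files apart.
  sleep 1
}

# Print regular files under $1 whose mtime is later than marker $2.
new_files_since() {
  find "$1" -type f -newer "$2" 2>/dev/null
}

# Return 0 if at least one new file exists in the share, 1 otherwise.
check_archive_output() {
  dir="$1"; marker="$2"
  count=$(new_files_since "$dir" "$marker" | wc -l | tr -d ' ')
  if [ "$count" -gt 0 ]; then
    echo "OK: $count new file(s) in $dir since the test started:"
    new_files_since "$dir" "$marker"
    return 0
  fi
  echo "FAIL: no new files in $dir; read the logarchiver.plx output above" >&2
  return 1
}

# Run the article's test command, keeping its verbose output in $1 for review.
run_test_archive() {
  logfile="$1"
  echo "Running: $ARCHIVE_CMD"
  # shellcheck disable=SC2086  # word-splitting of ARCHIVE_CMD is intended
  $ARCHIVE_CMD 2>&1 | tee "$logfile"
}

main() {
  marker="$(mktemp)"
  make_marker "$marker"
  run_test_archive "/tmp/logarchiver-test.out"
  check_archive_output "$SHARE_DIR" "$marker"
  rc=$?
  rm -f "$marker"
  exit "$rc"
}

# Only execute when explicitly requested, so the file can also be sourced
# for testing without contacting the UTM:  RUN_LOGARCHIVE_TEST=1 sh test.sh
if [ "${RUN_LOGARCHIVE_TEST:-0}" = "1" ]; then
  main
fi
```

The marker-file approach avoids guessing the archive's file name, which depends on the UTM's naming scheme; anything newer than the marker in the share is attributed to the test run, so make sure no other job is writing to that share while you test.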
I hope this helps anyone having issues with the Sophos UTM's Remote Log Archive feature. Good luck!