Fastvue Reporter for Sophos – Installation and Setup

Sophos Reporter works by consuming both real-time and archived Web Filtering log data from Sophos UTM. Its real-time dashboards and alerts rely on Syslog data being sent from Sophos UTM to the Sophos Reporter machine.

Historical data can be imported from a log folder archive.

1. Download and Install

Download Sophos Reporter and install on a machine (or virtual machine) that meets our recommended requirements for your network size.

Fastvue Sophos Reporter is designed for 64-bit Windows Server Operating Systems running Windows Server 2008 R2 or above (will also run on Windows 7, Windows 8 or above, but a server OS is preferred). The Web Server and Application Server Roles (.NET 3.5 and IIS) will be automatically installed and configured.

| Network Size | Recommended Server Specification |
|---|---|
| Less than 500 Users | 4 CPUs/Cores, 6 GB RAM |
| 500 – 1000 Users | 4 CPUs/Cores, 8 GB RAM |
| 1000 – 3000 Users | 8 CPUs/Cores, 12 GB RAM |
| 3000 – 5000 Users | 8 CPUs/Cores, 16 GB RAM |
| 5000+ Users | 16 CPUs/Cores, 24 GB RAM |

* Virtual environments are recommended so you can scale the resources as required.

Sophos Reporter uses its own customized database. When installing, you are asked where you would like the data location to be (defaults to C:\ProgramData\Fastvue\Sophos Reporter).

Sophos UTM archives the Web Filtering logs in compressed gzip format. Fastvue Sophos Reporter’s database is roughly 5 times the gzipped log file size, or 60% of the uncompressed log file size.

| Data | Relative size |
|---|---|
| Compressed Gzip Web Filter Logs | 12 |
| Uncompressed Web Filter Logs | 100 |
| Fastvue Data Store | 60 |

For example, if Sophos UTM logs 200 MB of compressed gzip Web Filtering logs per day, allow for 1 GB in Fastvue’s Data Location per day.

Alternatively, if Sophos UTM logs 1 GB of uncompressed Web Filtering logs per day, allow for 600 MB in Fastvue’s Data Location per day.

Sophos Reporter’s default data retention policy is 90 days or 50 GB, whichever comes first. This can be customized in Settings | Data Storage.

To install Fastvue Sophos Reporter:

  1. Double-click the downloaded setup exe on a machine that meets the above recommendations.
  2. Proceed through the installation wizard to install the software. The installation wizard will ask you for:
    • Installation folder (defaults to C:\Program Files\Fastvue\Sophos Reporter). Only application files are installed to this folder. It does not require much disk space.
    • Website and Virtual Directory (defaults to ‘Default Web Site’). If you have other websites installed on your server, it is a good idea to install Fastvue Sophos Reporter to a virtual directory such as ‘fastvue’ or ‘sophosreports’. Then you can access the site at http://yourserver/fastvue for example and it does not interfere with any other site on your server.
    • Data Location (defaults to C:\ProgramData\Fastvue\SophosReporter). This is the location where all imported data, configuration and report files are stored. Specify a location with plenty of disk space.

2. Configure Syslog

For Sophos UTM (SG):

Ensure Sophos UTM has the Web Filtering feature enabled and applied to your network, with at least one category set to block or warn. Then go to Web Admin | Logging and Reporting | Log Settings | Remote Syslog, and add the Fastvue server as a syslog server with these settings:

  • Server = Fastvue Reporter Server IP (add a new host object if necessary)
  • Port = Drag in the predefined SYSLOG protocol. If you already have a syslog application installed on the Fastvue machine, then use a custom port such as 50514.

Then check the ‘Web Filtering’ checkbox in the Remote Syslog Log Selection section and click Apply.

Sophos XG Firewall:

On your XG Firewall, ensure you have a firewall rule with a ‘Web Policy’ applied and the ‘Log Traffic’ checkbox checked.

Then go to Configure | System Services | Log and add the Fastvue server as a syslog server with these settings:

  • Server = Fastvue Reporter Server IP
  • Port = Any unused port on Fastvue machine (514 is the default)
  • Facility = Daemon
  • Severity = Information
  • Format = Device Standard Format.

Then check the ‘syslog’ checkbox for the ‘Content Filtering’ log events (Web Filter and Application Filter).
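
To confirm that the firewall's syslog actually reaches the Fastvue machine before adding it as a Source, the following added example (not part of Fastvue's documentation or software) listens on the chosen port and checks each datagram's sender and syslog priority against the XG settings above (Facility = Daemon, Severity = Information, which encodes as PRI 30). It assumes syslog is sent over UDP; the address 192.0.2.1 and all function names are placeholders.

```python
import re
import socket

FACILITY_DAEMON = 3      # syslog facility code for "daemon"
SEVERITY_INFO = 6        # syslog severity code for "informational"
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity


def check_datagram(datagram, sender_ip, firewall_ip):
    """Return a list of problems with one received datagram (empty = OK)."""
    problems = []
    if sender_ip != firewall_ip:
        problems.append(f"unexpected sender {sender_ip}")
    pri = decode_pri(datagram)
    if pri is None:
        problems.append("no valid <PRI> header")
    elif pri != (FACILITY_DAEMON, SEVERITY_INFO):
        problems.append(f"facility/severity {pri} is not daemon/information")
    return problems


def listen(port, firewall_ip, count=5, timeout=30.0):
    """Receive up to `count` datagrams on UDP `port` and report each check."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        for _ in range(count):
            try:
                data, (ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                print("no syslog received; check the firewall rule and port")
                return
            print(ip, check_datagram(data, ip, firewall_ip) or "OK")


if __name__ == "__main__":
    # Constructed sample, not a captured Sophos log line.
    sample = b"<30>constructed sample message"
    print(check_datagram(sample, "192.0.2.1", "192.0.2.1"))
    # On the Fastvue server, with nothing else bound to the port:
    # listen(50514, "192.0.2.1")
```

The port must be free while the check runs, so run it before the Source is added in step 3. For Sophos UTM (SG), where this page sets no facility or severity, only the sender check is meaningful.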

3. Add a Source

Add the Sophos UTM as a Source in Sophos Reporter 2.0. This can be done on the start page that is presented after installation, or in Settings | Sources | Add Source.

It may take 10-20 seconds before the first records are imported. You can watch the records and dates imported in Settings | Sources. Once records start importing, you can go to the Dashboard tab to see your network traffic.

4. Enjoy!

Now you can test out the new features of Sophos Reporter 2.0 such as:

  • Fastvue Site Clean (works best with Sophos UTM 9.3 and above).
  • Private Report Sharing (including Scheduled Private Reports).
  • Export to CSV for all reports and report tables
  • Activity Report Gantt Bars
  • Search Terms in User Overview Reports
  • Support for new log fields in UTM 9.3 and above (Referrer URL, User Agent & AD Domain)
  • Updated Alerts Interface
  • Memory usage improvements & many other bug fixes and minor improvements.

Backup Fastvue Sophos Reporter

1. Backup Sophos Reporter’s Data and Settings

If you want to upgrade your existing installation, we recommend backing up your existing settings and data first. This is as simple as making a full copy of the contents of Sophos Reporter’s data location, shown in Settings | Data Storage | Settings (default is C:\ProgramData\Fastvue\Sophos Reporter).

Tip: Compress the backup, especially the data.fvfs folder as this can be quite large.

2. Backup Custom IIS Settings (if applicable)

If you have secured the Sophos Reporter website with IIS or applied any other custom settings in IIS directly, you should also back up the web.config file in the website’s directory (usually under c:\inetpub\wwwroot\). The installer will also attempt to back up and restore this file for you, but keeping your own copy is a good idea in case there is an issue with the installation.

3. Upgrade / Installation

Once your current environment is backed up, simply run the new installer over the top of your existing installation to upgrade. The installer will pick up your existing settings, so just click next throughout the wizard without making any changes. Once installed, browse to the site and clear the browser cache by hitting ctrl + F5 (cmd + R on Mac).

Note: This process upgrades the application only. Your existing data and reports are not affected and will be available as normal after the installation. However, the Dashboard and Alerts from the previous installation will be cleared and will start rebuilding as new data is imported.

4. Enjoy!

It may take 10-20 seconds before the first records are imported. You can watch the records count in Settings | Sources. Once records start importing, you can go to the Dashboard tab to see your live network traffic.

Now you can test out the new features of Sophos Reporter 2.0, such as:

  • Fastvue Site Clean (works best with Sophos UTM 9.3 and above).
  • Private Report Sharing (including Scheduled Private Reports).
  • Export to CSV for all reports and report tables
  • Activity Report Gantt Bars
  • Search Terms in User Overview Reports
  • Support for new log fields in UTM 9.3 and above (Referrer URL, User Agent & AD Domain)
  • Updated Alerts Interface
  • Memory usage improvements & many other bug fixes and minor improvements.