When you have an active-passive Sophos UTM cluster, the configuration is synchronized between the nodes, but if the Master fails, it may not sync all the log data to the Slave node. From the WebUI, there is no method to view the files on the Slave device, yet those log files can contain information about the cause of the failure. This guide takes you through how to retrieve log files from a Sophos UTM cluster slave node and copy the file(s) to your local machine for analysis.
Sophos UTM enables you to specify multiple destination syslog servers, but they will all receive the same syslog information. This is inefficient when some of your syslog servers only require certain log messages for specific purposes.
This article explains how to configure syslog-ng to filter and forward Sophos UTM syslog data to multiple syslog servers with different data requirements.