How To – Sophos UTM Reporting with WebSpy Vantage

Sophos UTM Reporting with WebSpy Vantage

To analyze and report on your Sophos UTM (previously Astaro) log files with WebSpy Vantage, you need to:

Configure your Sophos UTM

This video (and subsequent step-by-step instructions) describes how to configure your Astaro Web Gateway (now Sophos UTM) device to create log files that you can import into WebSpy Vantage for analysis and reporting.

  1. Configure your Sophos UTM to send log messages to a Syslog server

    The best way to create and store Sophos UTM log files is using Syslog. This involves installing a third-party syslog server, such as Kiwi Syslog, on a separate machine (this can be the same machine running WebSpy Vantage), then setting up the Sophos UTM to send syslog messages to it. The syslog server then creates a log file containing these messages that can be imported into WebSpy Vantage.

    To configure your Sophos UTM to send Syslog messages:

    1. Log in to the Sophos UTM device using your admin credentials.
    2. On the left hand side, select Logging | Settings
    3. Go to the Remote Syslog Server tab and click the Enable button if this section is disabled.
    4. In the Syslog Servers section, click the plus button and add the Name or IP, and Port of your syslog server (see below).
    5. Click Apply in the Remote syslog settings section to save your syslog server configuration.
    6. Scroll down to the Remote syslog log selection section and check ‘Content Filter (HTTP/S)’.
    7. Scroll to the bottom of the page and click Apply to save your settings.
  2. Configure your Syslog server

    There are many commercial and open source syslog servers available, but one of the best syslog solutions is Kiwi Syslog. If using this product, make sure you’re using the Kiwi Syslog ISO yyyy-mm-dd (Tab Delimited) format.
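
Before importing, it helps to confirm that the file written by the syslog server has the expected layout and actually contains Content Filter entries. The Python check below is an added example, not part of the original page or of any WebSpy or Sophos tooling; the four-field tab-delimited layout, the `httpproxy[` tag, the key="value" message body and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of Kiwi "ISO yyyy-mm-dd (Tab Delimited)" files: four
# tab-separated fields (timestamp, facility.level, sending host, message).
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Assumed UTM message body: an "httpproxy[pid]:" tag, then key="value" pairs.
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines, not captured from a real device.
SAMPLE = "\n".join([
    '2024-03-01 09:15:02\tLocal0.Info\t192.0.2.1\t2024:03:01-09:15:02 utm '
    'httpproxy[4211]: id="0001" severity="info" sub="http" action="pass" '
    'srcip="10.0.0.23" url="http://example.com/"',
    '2024-03-01 09:15:07\tLocal0.Info\t192.0.2.1\t2024:03:01-09:15:07 utm '
    'httpproxy[4211]: id="0060" severity="info" sub="http" action="block" '
    'srcip="10.0.0.42" url="http://blocked.example/"',
    # A different log type: more than Content Filter is being forwarded.
    '2024-03-01 09:15:09\tLocal0.Info\t192.0.2.1\t2024:03:01-09:15:09 utm '
    'sshd[991]: constructed non-proxy message',
    # Space-delimited line, as written when another Kiwi format is selected.
    '2024-03-01 09:15:11 Local0.Info 192.0.2.1 utm httpproxy[4211]: '
    'id="0001" action="pass"',
])

def check_log(text):
    """Validate the line layout and summarise Content Filter entries."""
    report = {"total": 0, "malformed": [], "web": 0, "other": 0,
              "actions": Counter()}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        report["total"] += 1
        fields = line.split("\t", 3)
        if len(fields) != 4 or not ISO_TS.match(fields[0]):
            report["malformed"].append(lineno)  # wrong format or truncated
            continue
        if "httpproxy[" not in fields[3]:
            report["other"] += 1  # forwarded, but not a web proxy entry
            continue
        report["web"] += 1
        pairs = dict(KV.findall(fields[3]))
        report["actions"][pairs.get("action", "unknown")] += 1
    return report

if __name__ == "__main__":
    print(check_log(SAMPLE))
```

A non-empty `malformed` list points at the wrong Kiwi log format being selected, and a `web` count of zero means the Content Filter (HTTP/S) box was not applied on the UTM.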


Importing your logs into WebSpy Vantage

This video (and subsequent step-by-step instructions) demonstrates how to import your Sophos log files into WebSpy Vantage, and illustrates some analysis examples. Note: This video references Astaro as it was created before Sophos renamed it to Sophos UTM. The general steps are still the same.

To import your Sophos log files into WebSpy Vantage:

  1. Go to the Storages screen and click Import Logs
  2. Create a new storage and click Next.
  3. Select Local or networked files and folders and click Next.
  4. Select the Sophos (or Astaro) loader and click Next.
  5. Click Add | Folder, and navigate to the folder where your Sophos UTM syslog files are kept. Avoid using mapped network drives here to allow imports to run when logged off (as a scheduled task). UNC paths such as \\servername\logs are preferred.
  6. Click OK to start importing your log files.


To analyze and report on your Sophos log files with WebSpy you need to:

You may also like to learn more about Summaries and Sophos Report templates and Aliases.

Configure Sophos to log to an FTP server

The Sophos Web Appliance can be configured to export log files to an FTP server.

To configure your Sophos Web Appliance to log to your FTP server:

  1. If you do not already have an FTP server that the Sophos Web Appliance can log to, try installing FileZilla Server (Free). It is a good idea to install the FTP server on the same machine that will run WebSpy Vantage. That way WebSpy Vantage will have fast, local access to the log files.
  2. In the Sophos Web Appliance web interface, go to Configuration > System > Backup.
  3. Enter the FTP server (e.g. ftp://192.168.1.100) and an optional path (e.g. /sophoslogs), along with credentials, and click “Verify Settings”.
  4. Once the appliance successfully verifies the FTP location, check the “System logs at least once daily at midnight” checkbox and select “Sophos format” from the drop-down list. The Sophos Web Appliance will then automatically upload log files to your FTP server at midnight.