Sophos UTM Reporting with WebSpy Vantage
To analyze and report on your Sophos UTM (previously Astaro) log files with WebSpy Vantage, you need to:
- Configure your Sophos UTM to log HTTP/S messages to Syslog
- Import your syslog files into WebSpy Vantage
Configure your Sophos UTM
This video (and subsequent step-by-step instructions) describes how to configure your Astaro Web Gateway (now Sophos UTM) device to create log files that you can import into WebSpy Vantage for analysis and reporting.
Configure your Sophos UTM to send log messages to a Syslog server
The best way to create and store Sophos UTM log files is using Syslog. This involves installing a third-party syslog server, such as Kiwi Syslog, on a separate machine (this can be the same machine that runs WebSpy Vantage), then setting up the Sophos UTM to send syslog messages to it. The syslog server then writes these messages to a log file that can be imported into WebSpy Vantage.
To configure your Sophos UTM to send Syslog messages:
- Log in to the Sophos UTM device using your admin credentials
- On the left-hand side, select Logging | Settings
- Go to the Remote Syslog Server tab and click the Enable button if this section is disabled
- In the Syslog Servers section, click the plus button and add the Name or IP, and Port of your syslog server (see below).
- Click Apply in the Remote syslog settings section to save your syslog server configuration.
- Scroll down to the Remote syslog log selection section and check ‘Content Filter (HTTP/S)’.
- Scroll to the bottom of the page and click Apply to save your settings.
Configure your Syslog server
There are many commercial and open source syslog servers available, but one of the best syslog solutions is Kiwi Syslog. If you use this product, make sure you’re using the Kiwi Syslog ISO yyyy-mm-dd (Tab Delimited) format.
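Before importing, it helps to confirm that the file written by the syslog server really contains Content Filter (HTTP/S) messages in the tab-delimited ISO layout. The following check is an added example, not code from WebSpy or Sophos. It assumes each line is "timestamp, priority, host, message" separated by tabs, that web filter messages come from a process named httpproxy and carry key="value" pairs, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layouts (not taken from the page): ISO timestamp in column 1,
# key="value" pairs inside the message column.
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
KV = re.compile(r'(\w+)="([^"]*)"')
# Fields a web usage report would need (assumed minimum set).
REQUIRED = ("srcip", "url", "action")

def check_line(line):
    """Classify one line of the syslog server's output file.

    Returns (status, fields). status is 'ok', 'bad_format' (not the
    tab-delimited ISO layout), 'not_web' (well formed, but not a web
    filter message) or 'incomplete' (web filter message missing fields).
    """
    parts = line.rstrip("\r\n").split("\t", 3)
    if len(parts) != 4 or not ISO_TS.match(parts[0]):
        return "bad_format", {}
    message = parts[3]
    if "httpproxy" not in message:
        return "not_web", {}
    fields = dict(KV.findall(message))
    if any(key not in fields for key in REQUIRED):
        return "incomplete", fields
    return "ok", fields

def summarize(lines):
    """Count statuses so a wrong format or log selection shows up early."""
    return Counter(check_line(l)[0] for l in lines if l.strip())

# Constructed sample lines (not real traffic).
SAMPLE = [
    '2024-01-15 09:12:03\tLocal0.Info\t192.0.2.1\t2024:01:15-09:12:03 utm httpproxy[4321]: id="0001" severity="info" name="http access" action="pass" method="GET" srcip="192.0.2.50" user="jdoe" statuscode="200" url="http://example.com/"',
    '2024-01-15 09:12:04\tLocal0.Info\t192.0.2.1\t2024:01:15-09:12:04 utm ntpd[99]: time sync',
    'Jan 15 09:12:05 192.0.2.1 utm httpproxy[4321]: id="0001" url="http://example.com/"',
    '2024-01-15 09:12:06\tLocal0.Info\t192.0.2.1\t2024:01:15-09:12:06 utm httpproxy[4321]: id="0001" action="pass" srcip="192.0.2.50"',
]

if __name__ == "__main__":
    for status, count in summarize(SAMPLE).items():
        print(f"{status}: {count}")
```

A file that is mostly bad_format points to the wrong log file format on the syslog server; one that is mostly not_web points to the Content Filter (HTTP/S) box not being checked on the UTM.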
Importing your logs into WebSpy Vantage
This video (and subsequent step-by-step instructions) demonstrates how to import your Sophos log files into WebSpy Vantage, and illustrates some analysis examples. Note: This video references Astaro as it was created before Sophos renamed it to Sophos UTM. The general steps are still the same.
To import your Sophos log files into WebSpy Vantage:
- Go to the Storages screen and click Import Logs
- Create a new storage and click Next.
- Select Local or networked files and folders and click Next.
- Select the Sophos (or Astaro) loader and click Next.
- Click Add | Folder, and navigate to the folder where your Sophos UTM syslog files are kept. Avoid using mapped network drives here to allow imports to run when logged off (as a scheduled task). UNC paths such as \\servername\logs are preferred.
- Click OK to start importing your log files.
To analyze and report on your Sophos log files with WebSpy, you need to:
- Configure Sophos to log to an FTP server
- Import your log files into a storage
- Analyze your storage
- Report on your storage
You may also like to learn more about Summaries and Sophos Report templates and Aliases.
Configure Sophos to log to an FTP server
The Sophos Web Appliance can be configured to export log files to an FTP server.
To configure your Sophos Web Appliance to log to your FTP server:
- If you do not already have an FTP server that the Sophos Web Appliance can log to, try installing FileZilla Server (Free). It is a good idea to install the FTP server on the same machine that will run WebSpy Vantage. That way WebSpy Vantage will have fast, local access to the log files.
- In the Sophos Web Appliance web interface, go to Configuration > System > Backup.
- Enter the FTP server (e.g. ftp://192.168.1.100) and an optional path (e.g. /sophoslogs), along with credentials, and click “Verify Settings.”
- Once the appliance successfully verifies the FTP location, check the “System logs at least once daily at midnight” checkbox and select “Sophos format” from the drop-down list. The Sophos Web Appliance will then automatically upload log files to your FTP server at midnight.