Sophos Web Protection Appliance Reporting with WebSpy Vantage
To analyze and report on your Sophos log files with WebSpy you need to:
- Configure Sophos to log to an FTP server
- Import your log files into a storage
- Analyze your storage
- Report on your storage
Configure Sophos to log to an FTP server
The Sophos Web Appliance can be configured to export log files to an FTP server.
To configure your Sophos Web Appliance to log to your FTP server:
- If you do not already have an FTP server that the Sophos Web Appliance can log to, try installing FileZilla Server (Free). It is a good idea to install the FTP server on the same machine that will run WebSpy Vantage. That way WebSpy Vantage will have fast, local access to the log files.
- In the Sophos Web Appliance web interface, go to Configuration > System > Backup.
- Enter the FTP server (e.g. ftp://192.168.1.100) and an optional path (e.g. /sophoslogs), along with credentials and click “Verify Settings”.
- Once the appliance successfully verifies the FTP location, check the ‘System logs at least once daily at midnight’ checkbox and select ‘Sophos format’ from the drop-down list. The Sophos Web Appliance will then automatically upload log files to your FTP server at midnight.
Once log files have been generated by Sophos you can import them into a storage in WebSpy Vantage to begin analyzing and reporting.
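Before importing, it is worth confirming that the nightly upload actually produced a file for every day you intend to report on, since a silent gap in the logs becomes a gap in every report. The following Python sketch is an added example, not part of WebSpy or Sophos tooling. It assumes the FTP server stores each upload with its arrival time as the file modification time, and it relies on modification times rather than file names because the naming scheme is not described here. The sample folder and file names are constructed.

```python
import os
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path


def upload_days(folder):
    """Return the set of local dates on which a non-empty file was last written."""
    days = set()
    for entry in Path(folder).iterdir():
        if not entry.is_file():
            continue
        info = entry.stat()
        if info.st_size == 0:  # empty file: treated here as a failed transfer
            continue
        days.add(datetime.fromtimestamp(info.st_mtime).date())
    return days


def missing_upload_days(folder, first_day, last_day):
    """List every date in [first_day, last_day] with no usable upload."""
    seen = upload_days(folder)
    span = (last_day - first_day).days + 1
    wanted = [first_day + timedelta(days=n) for n in range(span)]
    return [day for day in wanted if day not in seen]


def _make_file(folder, name, day, content=b"constructed sample line\n"):
    """Create a constructed sample file with its mtime set to noon on `day`."""
    path = Path(folder) / name
    path.write_bytes(content)
    stamp = datetime(day.year, day.month, day.day, 12, 0).timestamp()
    os.utime(path, (stamp, stamp))


def demo():
    """Build a constructed drop folder with one missing and one empty upload."""
    with tempfile.TemporaryDirectory() as folder:
        _make_file(folder, "log-a", date(2024, 3, 1))
        _make_file(folder, "log-b", date(2024, 3, 2))
        _make_file(folder, "log-c", date(2024, 3, 4), content=b"")  # empty upload
        _make_file(folder, "log-d", date(2024, 3, 5))
        return missing_upload_days(folder, date(2024, 3, 1), date(2024, 3, 5))


if __name__ == "__main__":
    for day in demo():
        print("no usable upload on", day.isoformat())
```

To use it on a real drop folder, call `missing_upload_days` with the folder your FTP server writes to and the first and last day of the reporting period.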
Importing into a Storage
Before you can start analyzing and reporting on your Sophos logs, you need to import your log file data into a storage. Storages are optimized for quick data access so you can analyze and report on the data you are interested in faster.
The Input Dialog wizard is used to import log files. This wizard can also be launched by clicking Import logs on the Inputs pane.
- On the ‘Storages’ page, enter a name for a new storage or select an existing storage to import to.
- On the ‘Input Type’ page select either:
- Import from local or networked files and folders: Select this option if you have local or network access to the log files that the FTP server has filed.
- Online files and folders (ftp): Select this option if you do not have local or network access.
- Select the Sophos format on the ‘Loader Selection’ page.
- On the ‘Input Selection’ page:
- If importing from an FTP site, click Add and enter the location of your FTP Server, leave the file mask set to * and click OK.
- If importing from local or networked files and folders, click Add | Folder and browse to the folder that your FTP server is writing the log files to. Leave the file mask set to * and click OK.
- Leave the Filters, File Selection and Partitions pages as default and then click OK to begin importing your data.
As Vantage imports your Sophos logs, you can view the progress of the import on the Storages dock. The Storages dock displays the size of the log file (illustrated as size imported / total size), the number of records imported, and the percentage complete (shown in the progress column).
Download Sophos Report Templates and Aliases
If you download WebSpy’s Sophos Report template file, you can easily create reports that are customized for your Sophos log files. Note: You must also download and open the Sophos Aliases file for these reports to function correctly (see below).
To open the Sophos report templates in Vantage:
- On the ‘Reports’ tab, click the Open templates link.
- Navigate to the location of your Sophos template file and select it.
- Click Open.
- Select your merging option (WebSpy recommends ‘Keep existing template AND add new template’) and click Merge.
You should now be able to see the new Sophos report templates on the Report screen. Click the Generate report button to run the report on your Sophos storage. See the ‘Reporting on your storage’ section below for more information.
If you download WebSpy’s Sophos Aliases file, you can easily apply Sophos specific aliases to improve your experience whilst running Analyses on the Summaries screen. These aliases are also used in the Sophos Report templates (see above).
To import these aliases into Vantage:
- On the ‘Aliases’ tab, click the Open Aliases link.
- Navigate to the location of your Sophos aliases file and select it, then click Open.
Your Sophos aliases can now be seen in the list of aliases. See ‘Analyzing your storage’ below for more information on applying these aliases.
Analyzing your Storage
Running an Analysis is the process of reading the information in your storage and creating Summaries. Summaries can be interactively browsed and filtered using the Summaries screen, enabling you to drilldown into all areas of your network activity.
Run an Analysis
To run an analysis on your Sophos storage:
- Click the Summaries tab at the top of the screen. This takes you to the Summaries screen.
- Click the New Analysis link in the ‘Summaries’ task pad to launch the Create Analysis dialog.
- Select your Sophos storage from the Storage list.
- Select Sophos Web Security Appliance from the Schema list and then click Next.
- On the ‘Analysis Type’ page, select the ‘Ad-hoc Analysis’ radio button and ensure the ‘Use precalculated analysis if available’ checkbox is checked. Note: You can also select Template-based Analysis and select any of the pre-defined report templates. This will run a standard report (see Reporting section below) but the Summaries screen provides the ability to drilldown beyond the bounds of the report if you find something that you would like more details on.
- Select any filters or summaries that you desire and then click OK to finish the wizard.
Once your analysis is complete, the Summaries are listed on an Overview screen, and clicking a summary displays the underlying information.
You can drilldown further into your data by right-clicking on any hyperlinked item and selecting Drilldown from the pop-up menu. When you drilldown, Vantage runs another analysis to retrieve the next group of Summaries from your storage. For example, select the Users summary to display a list of users in your organization. Sort this list by ‘Bytes In’ to view who has downloaded the most. Right-click this user and select Drilldown | Site Domains to view the websites they downloaded from.
Using the Sophos Aliases
Aliases enable you to define an alternative name for a data item or group of data items, which you can choose to display when viewing your data in Summaries or Reports.
Aliases can be used to translate names or IP addresses into a more useful form. This means that a user’s or web site’s name can be viewed instead of its IP address, or a type of file rather than the file extension.
Vantage comes with a list of default aliases that you can use for common reporting requirements. In addition to the default aliases, you can download Sophos specific aliases.
Action Alias: If you apply the ‘Action’ alias to the Action Summary, items will be displayed as ‘Allowed’ or ‘Blocked’. To do this:
- Select the ‘Action’ summary.
- In the Aliases task pad (on the left), select the ‘Action’ alias.
Sophos Categories Alias: If you apply the ‘Sophos Categories’ alias to the Category Summary, items will be displayed using the Category names. To do this:
- Select the ‘Category’ summary.
- In the Aliases task pad (on the left), select the ‘Sophos Category’ alias.
Risk Alias: If you apply the ‘Risk’ alias to the Category Summary, items will be displayed using the Risk levels. To do this:
- Select the ‘Category’ summary.
- In the Aliases task pad (on the left), select the ‘Risk’ alias.
Productivity (Sophos) Alias: If you apply the ‘Productivity (Sophos)’ alias to the Category Summary, items will be categorised as unproductive, productive and uncertain. To do this:
- Select the ‘Category’ summary.
- In the Aliases task pad (on the left), select the ‘Productivity (Sophos)’ alias.
Reporting on your Storage
Vantage enables you to produce report documents which you can send to other members of your organization, or archive.
The Reports dock enables you to configure report templates which you can then generate on your open storages. You can also view previously created reports using this dock.
You can also create custom reports for the Sophos data you are reporting on or download Sophos report templates.
Generating a Report
To generate a report on your Sophos log data:
- Click the ‘Reports’ tab at the top of the screen. This takes you to the Reports dock.
- Select the tab that contains the Report Template you want to generate.
- Click the name of the report you want to generate.
- In the ‘Template Editor’ panel, click Generate report. This launches the Generate Report dialog.
- On the ‘Storages’ page, check the storage that contains your Sophos log data. Click Next.
- On the ‘Format’ page, select the format for the report. Click Next.
- On the ‘Publish’ page, enter a name for the report, and select ‘Display the report using the default viewer’ if you would like the report to open after it has been generated.
- Leave the Filters, File Selection and Partition pages as default and then click OK to generate the report.
After Vantage has generated your report, it will be displayed using the default viewer for the format you selected. This report has also been saved in the Report Manager on the Reports dock.