How To Configure Sophos Logging and Reporting (UTM, XG & SWG)
Published 14 February 2018
Reporting on Sophos Log Files with WebSpy Vantage

Before You Begin – See Fastvue Reporter for Sophos

We have another product dedicated to making reporting on Sophos simple and easy. Fastvue Reporter for Sophos (UTM & XG) and Fastvue Reporter for Sophos Web Appliance include live dashboards, alerts, and historical reporting, all preconfigured to show everything you need to know about employee Internet usage, bandwidth and how your network is operating.

For Sophos UTM and XG

Fastvue Reporter For Sophos UTM & XG >

For Sophos Web Appliance (SWG)

Fastvue Reporter For Sophos Web Appliance >

Why WebSpy Vantage?

If you need full flexibility over the content of your reports, WebSpy Vantage provides a comprehensive report templating and data aliasing engine that is not available in Fastvue Reporter for Sophos. If that is something you need, follow the guide below to configure Sophos logging and reporting with WebSpy Vantage.


1. Install a Syslog Server

Syslog servers are available for every operating system: most Linux distributions ship one (rsyslog or syslog-ng) out of the box, while on Windows you need to install a third-party product to collect and log the syslog messages. We have a free tool for Windows for this called Fastvue Syslog. It listens on the port you specify (514 by default) and writes syslog messages out to text files which can then be imported into WebSpy Vantage. Fastvue Syslog also compresses and archives logs after 30 days (configurable), and can forward syslog data to another server. To get started with Fastvue Syslog:

  1. Download the Free Fastvue Syslog Server
  2. Install Fastvue Syslog on a Windows Server and launch the Web UI in a modern browser (Chrome is recommended)
  3. The initial configuration page lets you set where you would like logs and archives to be stored, listening ports (514 by default) and web UI login details. Ensure ‘Auto-Discover Syslog Sources’ is checked.
  4. Once configured, you should see your Sophos device appear as a source on the left hand side. (Note: if your Sophos device does not automatically appear, try using Google Chrome, as Internet Explorer has known issues, especially when running on a server with IE Enhanced Security Configuration enabled.)
  5. Click the Cog icon in the top right corner to see the path where your logs are being created. By default this is C:\ProgramData\Fastvue\Syslog Server\Logs\. A folder is created for each device sending syslog messages. Navigate to this folder in Windows Explorer to see the log files being created.

Once your syslog server is successfully creating text log files, you can import this into WebSpy Vantage.

Install Fastvue Syslog

[Screenshots: configuring syslog on Sophos UTM (SG); configuring syslog on Sophos XG; centrally logging Sophos syslog data with Fastvue Syslog; Sophos syslog text files created in Fastvue Syslog]

2. Configure Sophos to send Syslog messages

Once you have Syslog Server running, you need to configure your Sophos device to send syslog messages to it.

The syslog options vary depending on your Sophos product.

Sophos UTM (SG)

Enable the Web Filtering Feature

  1. Login to the Sophos UTM’s Web Admin interface
  2. Go to Web Protection | Web Filtering
  3. Click the toggle button at the top of the screen to enable Web Filtering.
  4. Ensure clients are using the Sophos UTM as their web gateway / proxy.

Enable Syslog

  1. Login to the Sophos UTM’s Web Admin interface
  2. Go to Logging and Reporting | Log Settings | Remote Syslog Server
  3. Click the switch button to the Right to enable Remote Syslogging

Create the Syslog Server

  1. In the Syslog Servers box, click the Add button. Give the Syslog Server a name such as Fastvue Syslog
  2. Click the Plus button next to the Server box and enter the details for your syslog server (the machine running Fastvue Syslog). Or, if that machine is already configured as a network object, click the Folder button and drag the object onto the Server field.
  3. Click the Folder button next to the Port box to open the Services list on the left hand side. Use the Search at the top to search for Syslog. This should return a result for Syslog (Remote Logging Protocol).
  4. Drag the Syslog service onto the Port box.
  5. Click Save then Apply.

Select the Web Filtering log sub-system

  1. Scroll down to the Remote Syslog Log Selection section
  2. Check the Web Filtering option.
  3. Click Apply.

Sophos XG Firewall

On your XG Firewall, go to Configure | System Services | Log Settings and add your syslog server (the Fastvue Syslog machine from step 1) with these settings:

Server = IP address of your syslog server (the Fastvue Syslog machine)
Port = The port your syslog server is listening on (514 by default)
Facility = Daemon
Severity = Information
Format = Device Standard Format.

Then check the ‘syslog’ checkbox for the ‘Content Filtering’ log events.

Sophos Web Appliance (SWG)

Ensure the Sophos Web Appliance (Secure Web Gateway – SWG) is configured to send syslog messages to your syslog server (the Fastvue Syslog machine). This is done in Configuration | System | Alerts and Monitoring | Syslog. Select ‘Enable syslog’, enter the hostname or IP of the syslog server and port 514 (UDP), and click Apply. Ensure UDP port 514 (or the syslog port you chose above) is allowed through the firewall on the syslog server machine. Since syslog over UDP is neither authenticated nor encrypted, restrict that firewall rule to the IP address of your Sophos device rather than opening the port to the whole network.

Note: Sophos Web Appliance only supports a single syslog server. If you are already using the syslog server, Fastvue Syslog includes a syslog forwarding feature. You can therefore send syslog messages to the Fastvue Syslog machine, and forward the messages on to your existing syslog server.

Once configured, your syslog server should start receiving syslog messages and logging them to text files that can be imported into WebSpy Vantage.
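
To verify the path end to end before pointing an appliance at the server, here is an added Python example (not from this article, nor Fastvue or Sophos code). It encodes the facility and severity named in the XG settings above (Daemon, Information) into the syslog PRI field, sends the datagram over UDP to a throwaway loopback listener, and decodes what arrives, including the key="value" body style that UTM and XG write. The hostname, log fields and sample line are constructed for the example; to probe a real server, call send_udp with its address and port and watch for the source to appear in Fastvue Syslog.

```python
"""Syslog round-trip check, added to the article as an illustration."""
import re
import socket

# RFC 3164 facility and severity codes; the <PRI> field is facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<body>.*)$", re.S)
# key="quoted value" or key=bare, the shape of UTM and XG 'Device Standard' bodies
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def priority(facility: str, severity: str) -> int:
    """Facility 'daemon' and severity 'info', as set on XG above, give 30."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(facility, severity, timestamp, hostname, tag, body, pid=None):
    """Assemble an RFC 3164 datagram; the timestamp is passed in so output is repeatable."""
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{priority(facility, severity)}>{timestamp} {hostname} {tag_part}: {body}"


def decode_message(raw: str) -> dict:
    """Split header and body, then pull the body's key=value pairs into a dict."""
    m = HEADER_RE.match(raw)
    if m is None:
        raise ValueError(f"not an RFC 3164 syslog line: {raw[:40]!r}")
    pri = int(m.group("pri"))
    fields = {}
    for kv in KV_RE.finditer(m.group("body")):
        quoted, bare = kv.group(2), kv.group(3)
        fields[kv.group(1)] = quoted if quoted is not None else bare
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "pid": m.group("pid"),
            "fields": fields}


def send_udp(host: str, port: int, message: str) -> None:
    """Fire one datagram at a syslog listener (UDP: no delivery confirmation)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def loopback_check(message: str, timeout: float = 2.0) -> dict:
    """Bind a throwaway listener on 127.0.0.1, send through it and decode what
    arrives, proving build/send/decode before a real appliance is involved."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(timeout)
        send_udp("127.0.0.1", srv.getsockname()[1], message)
        data, _ = srv.recvfrom(65535)
    return decode_message(data.decode("utf-8"))


# Constructed body in the key="value" style of a UTM web-filter (httpproxy) line.
# Hostname, user, URL and field names are invented for this example.
SAMPLE_BODY = ('id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" '
               'action="pass" method="GET" srcip="10.1.2.3" user="jdoe" '
               'url="http://www.example.com/" size="1234"')
SAMPLE = build_message("daemon", "info", "Feb 14 06:01:58", "utm.example.com",
                       "httpproxy", SAMPLE_BODY, pid=4711)

if __name__ == "__main__":
    rec = loopback_check(SAMPLE)
    print(rec["host"], rec["tag"], rec["fields"]["user"], rec["fields"]["url"])
    # Against a real listener, e.g. Fastvue Syslog at 192.0.2.10:514 (assumed address):
    # send_udp("192.0.2.10", 514, SAMPLE)
```

Because UDP gives no acknowledgement, a successful send_udp call on its own proves nothing; the decoded record at the listener is the check. Against a real server, confirm receipt by watching the Fastvue Syslog source list or the log folder rather than the sender.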

[Screenshots: importing Sophos syslog text files into WebSpy Vantage; automating the import and reporting of Sophos log files as a daily task]

3. Importing Sophos Logs into WebSpy Vantage

WebSpy Vantage imports text log files from over 200 common network devices into its own database format called a Storage. You can then use this Storage for analysis and reporting regardless of whether the original log file has been moved, archived or deleted. To import your Sophos logs into WebSpy Vantage:

  1. In WebSpy Vantage, go to the Storages tab and click Import Logs
  2. Create a new storage and call it Sophos , or anything else meaningful to you. Click Next.
  3. Select Local or Networked Files or Folders and click Next.
  4. Select the Sophos loader and click Next.
  5. Click Add | Folder and select the folder where your Sophos log files are stored. If you’re using the Fastvue Syslog Server above, the default folder is C:\ProgramData\Fastvue\Syslog Server\Logs\{sophos_host}. Ignore the last three pages of the Import Wizard and click OK to begin the import process.

Your log files will start importing into your WebSpy Vantage Storage, and you can use this storage for Analysis and Reporting from this point on. You can even delete the original log file data once it has been imported, although it is worth keeping the compressed archives that Fastvue Syslog creates: the raw syslog text is the primary record if you ever need to investigate an incident, and the Storage can be rebuilt from it.

Now that you have created a storage that is pointing to your Sophos’ log data, it is a good idea to automate the process of importing new logs each night. To do this:

  1. In WebSpy Vantage, go to the Tasks tab and click New Task.
  2. Call the Task Daily Task and proceed through the short wizard to create a task with a Daily schedule running at 1 am.
  3. Once the Task has been added, select it and click Add Action | Import new hits to existing storage
  4. Select the Sophos Storage you created above and ensure Resume import from last position is selected. Click OK to add the action.

WebSpy Vantage will now automatically import new log files each night at 1 am. As this storage will grow until you run out of disk space, it is a good idea to add a data retention policy using the Purge data from storage task action. To do this:

  1. Still on the Tasks tab, select the Task you created above and click Add Action | Purge Data from Storage
  2. Select your Sophos storage and click Next. Select your desired data retention, such as Purge data older than 3 months. (The WebSpy Vantage storage will be about 80% of the size of your Sophos syslog files).

WebSpy Vantage will now automatically purge data from your storage once it has imported new logs files.

[Screenshots of the Import Organization wizard: entering directory server details; selecting the LDAP Root DN and search query (Quick Queries); using LDAP attributes for username aliasing and Web Module login names; grouping users by LDAP attributes and/or OUs (for example the department attribute); LDAP import merging options; a successfully imported Organization tree showing Departments and Offices]

4. Import Your Organization

When your Sophos device is configured to authenticate users using AD SSO / LDAP authentication, it will log authenticated usernames along with traffic. WebSpy Vantage can import information from Active Directory to alias these authenticated users into real names (first name last name), departments, offices and OUs.

To do this, go to the Organization tab and click Import Organization.

On the Directory Server page, select your directory type and server, along with a username (in domain\username format) and password to authenticate with your directory server, and click Test. Click Next after you have successfully connected to your directory server.

Select a Root Distinguished Name to search for users within (for example, ‘dc=mydomain,dc=com’) from the dropdown list. If your users are contained within a specific OU, browse your directory and select that OU instead.

The LDAP search query defaults to a query that returns ‘user accounts’. It’s important to note that WebSpy Vantage’s licensing is based on ‘number of users’, so if necessary, use the Quick Queries drop-down to change the LDAP search query and import a more specific set of user accounts, such as enabled users with an email address. WebSpy Vantage will import all users up to the license limit, which is unlimited during your trial. Click Next.

The User Details page defines how Vantage maps user objects in your Directory to authenticated usernames in your log files, as well as configuring user login names for the Web Module, the email address to send report notifications to, and the attribute to use to find a user’s manager.

If you are using Active Directory, choose Use Active Directory Defaults. WebSpy Vantage will attempt to detect the name of your domain and prefix it to all account names to automatically create a web module login name for each user.

If your domain prefix on user accounts is different to your computer network’s domain name, click Custom, then check the Prefix checkbox and enter the required domain prefix.

The Grouping page enables you to configure how you would like users grouped, such as by Departments, Offices, OUs etc. User Objects in Active Directory have a number of attributes, including department, office, description, company, and you can also place user objects in OU containers, and configure attributes on those containers. WebSpy Vantage can hook into any of these attributes to group your users for the purpose of reporting.

By default, there are two groups specified: Offices (using the ‘physicalDeliveryOfficeName’ attribute in Active Directory) and Departments (using the ‘department’ attribute in Active Directory).

If a user does not have one of these values populated in Active Directory, then they will be imported into the ‘Unknown’ department and office respectively. Alternatively, you can uncheck the Import Ungrouped Users option at the bottom of the Grouping page.

You can edit or delete these groups as necessary.

When adding or editing a group:

  1. First, enter the name of the Group into the Name field. This is up to you and should represent what the group is, such as ‘Departments’, ‘Locations’, ‘Business Centers’ etc. (Note: a few default Report Templates use ‘Departments’, so use the word ‘Departments’ for one of your grouping levels to take advantage of these reports.)
  2. Enter the exact name of the attribute into the Attribute field. For example, enter ‘physicalDeliveryOfficeName’ to import the Office attribute from Active Directory. To import the name of an OU, use the attribute ‘OU’.

    By default, Active Directory Users and Computers hides the real attribute names. You can change this by selecting View | Advanced Features to show the Attribute Editor with real attribute names when editing a User or OU.

  3. Relative to user:
    Use this option if the attribute is located on the user object itself or on one of its parent OU containers. For example, if you are using the ‘Department’ attribute on the user objects, then select Relative to user and select User node. Or if your users are in a consistent OU structure, specify either Parent of the user node, or Node ‘n’ levels above to access the attribute on the appropriate parent OU container.
  4. Relative to root:
    Use this option to select OUs relative to the Root Distinguished Name that you specified on the Directory Server page. For example, if you have defined OUs for all your Offices directly underneath your Root DN, with user objects located anywhere underneath those OUs, then use the Immediate children of Root option, or the Children ‘n’ levels below Root option. For inconsistent OU structures, you can use the Single group from Root node option, and use the Import Organization wizard multiple times (usually configured with multiple task actions within a Task) with the Merge options set appropriately, to create groups from multiple Root DNs in your directory.
  5. Click OK to add your Grouping level.
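
The following added Python example (not from the article or from WebSpy Vantage itself) works through the Relative to user and Relative to root placement modes above on a small constructed directory, so you can see which node each mode lands on, how the ‘Unknown’ group arises when an attribute is empty, and how the ‘Domain’ group from the tip below falls out of the root node. The DNs, attribute values and the DIRECTORY dictionary are invented; a real import would obtain them from an LDAP search.

```python
"""Organization grouping walk-through, added to the article as an illustration."""
import re

ROOT_DN = "DC=example,DC=com"
UNKNOWN = "Unknown"   # the group Vantage uses when an attribute is not populated

# Constructed directory: DN -> attributes, as an LDAP search would return them.
# Every name here is invented; 'ou' and 'dc' on the containers mirror what AD stores.
DIRECTORY = {
    "DC=example,DC=com": {"dc": "example"},
    "OU=Sydney,DC=example,DC=com": {"ou": "Sydney", "description": "Sydney office"},
    "OU=Sales,OU=Sydney,DC=example,DC=com": {"ou": "Sales"},
    "OU=Service Accounts,DC=example,DC=com": {"ou": "Service Accounts"},
    "CN=Doe\\, Jane,OU=Sales,OU=Sydney,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
        "department": "Sales", "physicalDeliveryOfficeName": "Sydney HQ"},
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com": {
        "sAMAccountName": "svc-backup"},      # no department or office set
}


def split_rdns(dn: str) -> list:
    """Leaf-first list of RDNs; a backslash-escaped comma does not split."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def norm(dn: str) -> str:
    """Canonical lookup key: DNs compare case-insensitively and ignore RDN spacing."""
    return ",".join(split_rdns(dn)).lower()


INDEX = {norm(dn): attrs for dn, attrs in DIRECTORY.items()}


def rdn_value(rdn: str) -> str:
    """'OU=Sales' -> 'Sales'; 'CN=Doe\\, Jane' -> 'Doe, Jane'."""
    return rdn.split("=", 1)[1].replace("\\,", ",")


def node_relative_to_user(user_dn: str, levels_above: int):
    """0 = the user object itself, 1 = its parent container, and so on."""
    parts = split_rdns(user_dn)
    if levels_above < 0 or levels_above >= len(parts):
        return None
    return ",".join(parts[levels_above:])


def node_relative_to_root(user_dn: str, root_dn: str, levels_below: int):
    """0 = the root itself, 1 = the immediate child of root the user sits under,
    and so on; None when the user is not that deep (the user object never counts)."""
    parts, root = split_rdns(user_dn), split_rdns(root_dn)
    if [p.lower() for p in parts[-len(root):]] != [r.lower() for r in root]:
        raise ValueError(f"{user_dn} is not under {root_dn}")
    containers = parts[:len(parts) - len(root)]          # leaf ... child of root
    if levels_below < 0 or levels_below > len(containers) - 1:
        return None
    return ",".join(containers[len(containers) - levels_below:] + root)


def group_value(user_dn, attribute, mode, n=0, root_dn=ROOT_DN):
    """Value of `attribute` on the node chosen by mode 'user' (n levels above
    the user) or 'root' (n levels below the root); UNKNOWN if absent or empty."""
    if mode == "user":
        node = node_relative_to_user(user_dn, n)
    elif mode == "root":
        node = node_relative_to_root(user_dn, root_dn, n)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if node is None:
        return UNKNOWN
    value = INDEX.get(norm(node), {}).get(attribute)
    if not value and attribute.lower() == "ou" and node.lower().startswith("ou="):
        value = rdn_value(split_rdns(node)[0])   # an OU's name is its own RDN
    return value or UNKNOWN


# The two default grouping levels named in the text, both on the user node.
DEFAULT_GROUPS = [("Offices", "physicalDeliveryOfficeName", "user", 0),
                  ("Departments", "department", "user", 0)]


def import_organization(groups=DEFAULT_GROUPS) -> dict:
    """Build the alias table the import produces: login name -> real name plus
    one entry per grouping level, for every object that has a sAMAccountName."""
    org = {}
    for dn, attrs in DIRECTORY.items():
        if "sAMAccountName" not in attrs:
            continue
        real = " ".join(x for x in (attrs.get("givenName"), attrs.get("sn")) if x)
        row = {"name": real or attrs["sAMAccountName"]}
        for group, attribute, mode, n in groups:
            row[group] = group_value(dn, attribute, mode, n)
        org[attrs["sAMAccountName"]] = row
    return org


if __name__ == "__main__":
    jdoe = "CN=Doe\\, Jane,OU=Sales,OU=Sydney,DC=example,DC=com"
    for label, args in [("department on user node", ("department", "user", 0)),
                        ("ou on parent of user", ("ou", "user", 1)),
                        ("ou, immediate child of root", ("ou", "root", 1)),
                        ("ou, 2 levels below root", ("ou", "root", 2)),
                        ("dc on the root (a 'Domain' group)", ("dc", "root", 0))]:
        print(f"{label}: {group_value(jdoe, *args)}")
    print(import_organization())
```

The service account shows the failure mode the text describes: it has no department attribute and its OU branch is only one level deep, so both a department grouping and a ‘Children 2 levels below Root’ grouping place it in Unknown, which is exactly the case the Import Ungrouped Users option controls.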

Tip: Later, you’ll need to configure Web Module access permissions for people and/or groups. To create a default set of permissions that apply to your entire organization, create a top-level group using an attribute that everyone is a member of. For example, call the group ‘Domain’ and use the attribute ‘dc’.

Once you have specified all the Groups you would like to use in your reporting process, click Next.

The Merging page enables you to use the Import Organization wizard multiple times, and merge the results into your existing Organization structure. For example, first import your Organization from one domain (or one Root DN on your domain), with the Overwrite existing organization tree option set to create an initial Organization tree, then run the Import Organization wizard again to import your Organization from another domain (or a different Root DN on your domain) and merge the results into your existing Organization tree.

The Merge options enable you to keep or remove users that can no longer be found in the directory, as well as keep or update existing users’ details. Use the ‘keep users / keep details’ options if importing from a different domain or root DN.

Note: When merging, only users that have previously been added from your LDAP/LDIF directory will be affected. Users that have been manually added will not be affected.

Click OK to complete the Import Organization wizard and begin the import. Once the import is complete you will see the Organization tree displayed. You can use the View drop-down list at the top of the Organization tree to display your groups, or your manager/subordinate hierarchy.

You can automate the process of importing your Organization using the Tasks tab.

  1. Go to the Tasks tab and select or create a new task that runs on the desired schedule.
  2. Click Add | Import Organization from LDAP
  3. Follow the wizard to configure the options for importing your organization as above.

Synchronize with the Web Module

You also need to synchronize the Organization configuration with the web module every time it changes.

  1. Go to the Tasks tab and select the task that contains your Import Organization from LDAP task action.
  2. Click Add | Synchronize Web Module
  3. Select your Web Module and click OK.
  4. Use the up / down arrows to move the Synchronize Web Module action underneath the Import Organization from LDAP task action so that it happens after the organization import.

Every time you make changes to your Organization, you need to synchronize this information with the Web Module.

[Screenshots: viewing dynamic reports in the Web Module; viewing a static report document (Web Document – HTML, Loose files format)]

5. Run Reports

Now that you have automated the process of importing log files, it is time to run some reports!

Generate a report document

  1. Select one of the available Report Templates and click the Generate Report option to launch the Generate Report Wizard.
  2. On the Storages page, select the Storage you want to report on.
  3. On the Format page, select the type of document you want to create the report as (HTML, Word, PDF, CSV, Text).
  4. On the Publish page, you can customize the name of the report, prefix the name with today’s date, copy the report to a location and compress it using zip (useful when emailing the ‘HTML, Loose Files’ Report Format to someone as an attachment).
  5. On the Documents page, you can choose to split your report into multiple documents based on anything in your log files, and/or aliases you have created such as Categories, Departments, Subnets, and so on. Leave this option unchecked to create a single report document.
  6. On the Filters page, click Add | Date Filter and select the dates you want to report on. You can also include/exclude any values from your log files using Add | Field Value Filter.
  7. The Email page enables you to email the report to someone as an attachment (Set your SMTP options in Tools | Options | Email).
  8. Once the report has been generated, it will appear in the Report Manager at the bottom of the screen. Double-click the file to open and view the report.

Publish a report to the Web Module

  1. Select an available Report Template and click the Publish Report option to launch the Publish Report to Web Module wizard.
  2. On the Storages page, select the Storage you want to report on.
  3. On the Template page, select the Report Template that you want to generate (the template selected in step 1 will be automatically selected)
  4. On the Publish page, select the Web Module you want to publish the report to. If you would like the option to drill down past the bounds of the report when viewing the report in the Web Module, check the Publish the selected storages to enable the ‘further analysis feature’ option.
  5. On the Split and Permit page, select No Separation to create just a single report, and select Everyone as the permission. Splitting reports by groups or managers and giving permission to certain people requires first importing your Organization information from LDAP on the Organization tab (see Import Your Organization above).
  6. On the Filters page, click Add | Date Filter and select the dates you want to report on.
  7. The Notification page can be used to send a notification email to everyone with permission to the report(s). For now, leave the option unchecked.
  8. Click OK to publish the report to the Web Module.
  9. Once the report has been published, log into the Web Module and go to the Reports tab. Click the report to open and view it.

You can automate the generation or publishing of Reports using the Tasks tab.

  1. Go to the Tasks tab and select or create a new task that runs on the desired schedule.
  2. Click the Add button to add a new Task Action.
    • To generate reports as a document (Web, Word, PDF, CSV or Text), select the Run a Comparison or Analysis Report or Run a Trend Report action, depending on the type of report template you want to automate.
    • To publish reports to the Web Module, select the Publish Report to Web Module action.
  3. Follow the wizard presented to configure the options for generating or publishing your report on the schedule. Make sure you add a Relative Date Filter on the Filters page to avoid reporting on your entire storage everytime the task runs.
  4. Use the up / down arrows to move the report action underneath other actions that need to occur first, such as the import of log files or the import of your organization from LDAP (see Import Your Organization above).

You may also like to see our article and video on Distributing web activity reports to managers using WebSpy Vantage.


For further information on getting started and configuring WebSpy Vantage Ultimate, please see our Getting Started Guide, the Vantage Ultimate Documentation, or visit our Support Center.

Getting Started Guide
Support Center