Sophos power and disk led blink utm 11
05/18/2023

The Sophos SG series UTM has a number of log events that you can send to your remote syslog servers; however, they are not selective, and there are no options for customized filtering. If you specify multiple destination syslog servers, they will all receive the same syslog information. When you have several syslog servers for varying reasons, this results in more data being sent than is needed by the destination. This article explains how to configure syslog-ng to filter and forward Sophos UTM syslog data to multiple syslog servers with different data requirements.

There is a corporate SIEM that only requires syslog information that pertains to the health of the UTM. It does not need the Web Filtering (http), reverse proxy (WAF) or firewall (packet filter) logs. Unfortunately, the SIEM does not provide the functionality to filter at the destination, requiring us to filter at the source.

There are also two Fastvue Sophos Reporter instances. One instance reports on the organization as a whole while the other only reports on a subdivision or subsidiary. Although Fastvue Sophos Reporter can filter reports and alerts by subdivision or subsidiary (defined as IP subnets), it will still import and store all web filtering log data, consuming unnecessary bandwidth and disk space. Both Fastvue Sophos Reporter instances only require the Web Filtering (http) logs.

Fastvue Sophos Reporter will reject syslog data that is not of the 'web filter' format, so sending the extraneous logs is not a problem for disk space. The live dashboards will also display all traffic, as these cannot be filtered currently. But if bandwidth is a consideration, you definitely want to drop the very large streams of firewall and reverse proxy logs.

Since we cannot filter syslog data at the source or destination, we need to introduce a 'filtering syslog proxy' where we can apply the required filtering before passing it on to the destination. All Sophos UTM syslog data will be sent to the syslog proxy, then the proxy will forward messages that meet the filtering criteria (the subsidiary's subnet) on to the Fastvue Sophos Reporter instance that only needs data for the subsidiary.

For the syslog proxy, we can use a simple Linux box running syslog-ng. I am using the Ubuntu Server distro for this. There are a number of very good articles explaining how to set up an Ubuntu server, so I'll jump straight into the syslog configuration.

Configure syslog-ng

By default, syslog-ng will process configuration files contained within the following folder.

First, let's set syslog-ng to listen for syslog messages on UDP port 514 with the following:

Now that we are set up to receive messages, we can create some filters. First, we limit the messages to those that contain a source address matching the subsidiary's 10.55.0.0/16 subnet.

Next, we filter the syslog messages so that only the httpproxy events are forwarded. Only fragments of the filter and template definitions survive on this page:

    filter f_utm-http ...
    ... \n") template_escape(no)

The destinations are defined with:

    udp("10.40.5.146" port(514) template(no_head));
    file("/var/log/syslogtemp" template(no_head));

After creating and saving this file, restart syslog-ng for the changes to take effect. You can check the status of the service with:
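The decision the two syslog-ng filters above make (keep httpproxy events, and for the subsidiary's Fastvue instance keep only those whose source address falls in 10.55.0.0/16) can be checked against captured lines before the rules go into syslog-ng. The following is an added example in plain Python, not code from the article or from Fastvue or syslog-ng. It reuses the article's subnet and destination (10.55.0.0/16, 10.40.5.146:514); the sample log lines are constructed, and the program names assumed for the firewall and WAF streams ("ulogd", "reverseproxy") and for a health message ("selfmonitoring") are assumptions about how the UTM tags those messages. It also goes one step beyond the article by routing the non-http, non-firewall, non-WAF messages to a "siem" destination, which is the data set the corporate SIEM in the article asks for.

```python
"""Filtering syslog proxy logic for Sophos UTM messages (added example)."""
import ipaddress
import re
import socket

SUBSIDIARY_NET = ipaddress.ip_network("10.55.0.0/16")        # from the article
FASTVUE_SUBSIDIARY = ("10.40.5.146", 514)                    # from the article
# Assumed program names of the streams the SIEM does not want (http, WAF, firewall).
NOT_WANTED_BY_SIEM = {"httpproxy", "reverseproxy", "ulogd"}

# Sophos UTM line shape: <PRI>YYYY:MM:DD-hh:mm:ss host program[pid]: key="value" ...
HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?\S+\s+(?P<host>\S+)\s+(?P<program>[A-Za-z0-9_-]+)'
    r'(?:\[\d+\])?:\s*(?P<msg>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line):
    """Split a raw syslog line into host, program and its key="value" fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"host": m.group("host"), "program": m.group("program"),
            "fields": dict(KV_RE.findall(m.group("msg")))}


def in_subsidiary(rec, net=SUBSIDIARY_NET):
    """The article's first filter: the message's srcip lies inside the subsidiary subnet."""
    try:
        return ipaddress.ip_address(rec["fields"].get("srcip", "")) in net
    except ValueError:          # no srcip field, or not an IP literal
        return False


def route(line):
    """Return the set of logical destinations one line should be forwarded to."""
    rec = parse_utm_line(line)
    if rec is None:             # unparseable input is dropped, never forwarded
        return set()
    dests = set()
    if rec["program"] == "httpproxy":      # the article's second filter
        dests.add("fastvue_all")
        if in_subsidiary(rec):
            dests.add("fastvue_subsidiary")
    if rec["program"] not in NOT_WANTED_BY_SIEM:
        dests.add("siem")                  # health/other messages only
    return dests


def split_by_destination(lines):
    """Group lines by destination, as separate syslog-ng log paths would."""
    out = {}
    for line in lines:
        for dest in route(line):
            out.setdefault(dest, []).append(line)
    return out


def forward_udp(line, addr=FASTVUE_SUBSIDIARY):
    """Send one line, unchanged, to a syslog destination over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), addr)


# Constructed sample input (not real UTM output; the field layout follows the UTM format).
SAMPLE_LINES = [
    '<30>2023:05:18-10:15:22 utm1 httpproxy[4120]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="10.55.12.34" dstip="203.0.113.10" url="http://example.com/"',
    '<30>2023:05:18-10:15:23 utm1 httpproxy[4120]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="10.10.7.8" dstip="203.0.113.10" url="http://example.com/"',
    '<14>2023:05:18-10:15:24 utm1 ulogd[3001]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="10.55.1.1" dstip="10.1.1.1"',
    '<13>2023:05:18-10:15:25 utm1 reverseproxy: [Thu May 18 10:15:25 2023] srcip="203.0.113.9" host="www.example.com" statuscode="403"',
    '<13>2023:05:18-10:15:26 utm1 selfmonitoring[2222]: id="0111" severity="info" sys="System" sub="selfmon" name="CPU usage OK"',
    'not a syslog line',
]

if __name__ == "__main__":
    for dest, lines in sorted(split_by_destination(SAMPLE_LINES).items()):
        print(f"{dest}: {len(lines)} message(s)")
```

Run as a script it prints one count per destination: the subsidiary's Fastvue instance receives only the httpproxy line with a 10.55.x.x source, the organization-wide instance receives both httpproxy lines, the SIEM receives only the self-monitoring line, and the firewall and WAF lines are dropped everywhere. The firewall line with srcip 10.55.1.1 is the case to watch: a subnet match alone would let it through, so the program check has to come first, exactly as the article orders its two filters.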