In order for live syslog data to be imported, ensure:
- Web Filtering feature is enabled:
The Web Filtering feature is enabled and properly configured in Sophos UTM (Web Protection | Web Filtering), or Sophos XG (Firewall | Edit LAN -> WAN Firewall Rule(s) | Ensure a Web Policy is applied)
- Web Filter is being used:
Clients on your network are actively browsing the web and being filtered by the Web Filtering Policies. Check the Live Log in Sophos UTM (Web Protection | Web Filtering | Open Live Log) or Sophos XG (Open the Log Viewer and select Web Filter).
- Syslog Server is the Fastvue IP:
Log into the Fastvue Reporter server, open a command prompt (cmd) and enter ipconfig to double-check the IP of the server. Ensure this is the IP you have specified as the syslog server in Sophos UTM (Logging and Reporting | Log Settings | Remote Syslog Server) or Sophos XG (System Services | Log Settings).
- Syslog Protocol is UDP:
Ensure you have used a UDP port as the syslog port in Sophos UTM (Logging and Reporting | Log Settings | Remote Syslog Server). No need to check this in Sophos XG as it only supports UDP at this stage.
- Web Filtering syslog messages are enabled:
You have checked 'Web Filtering' in Sophos UTM (Logging and Reporting | Log Settings | Remote Syslog Server | Remote syslog log setting | Web Filtering), or the syslog server's checkbox for Content Filtering | Web Filter in Sophos XG (System Services | Log Settings | Content Filtering | Web Filter).
- Fastvue Source is the correct UTM interface:
You have added the Sophos firewall as a Source in Fastvue Sophos Reporter (Settings | Sources) using the correct name or IP address. If using an IP address, make sure it is the IP address of the Sophos interface that the Fastvue machine is connected to. For example, specify the Sophos' internal interface if the Fastvue machine is inside the internal network.
Tip: Go to Settings | Sources and click Add Source. Wait a few seconds and the dropdown list will populate with any device currently sending syslog messages on port 514 (or on the ports specified by your other sources). Select the Sophos device from the list and click Add Source.
- Syslog ports at both ends are the same:
The syslog ports specified in both the Sophos firewall's Syslog Settings, and in the Fastvue Sophos Reporter source are the same (default is 514).
- No firewall issues:
There is no firewall blocking port 514 on the Sophos Reporter machine (such as Windows Firewall), or in between the Sophos Reporter machine and the Sophos UTM. See our article on Opening the Syslog Port in Windows Firewall for more information.
- No routing issues between Sophos UTM and Fastvue:
The Fastvue Server and the Sophos UTM source are in the same subnet, or there is a router between the subnets configured to allow syslog traffic through. If there is a router between the two servers, careful attention needs to be paid to how that router handles the traffic, whether there's a NAT involved, whether that router is the default gateway for both machines etc.
If the two machines are separated over a WAN link, configure a site-to-site VPN so the UDP syslog traffic can be transmitted reliably (and securely).
- No Port Conflict:
There is no port conflict on port 514 (or your specified port) with another application or service on the Fastvue Reporter machine (see below).
- No Logging Exceptions:
Ensure you do not have any exceptions in Sophos UTM (Web Protection | Filtering Options | Exceptions) that skip checks for Logging | Accessed Pages and Blocked Pages.
- Web Policies have Logging and Reporting enabled:
In Sophos XG, ensure Enable Logging and Reporting is checked for your active Web Policies.
Troubleshooting Port Conflicts
To find out whether there is a port conflict on the Fastvue Reporter machine for port 514, open a command prompt and enter:
netstat -ano | find "514"
This will list every connection and listener on the machine whose netstat line contains "514". Because find matches a substring, the list may also include unrelated entries (for example port 5140, or a PID that happens to contain 514), so check that the Local Address column really ends in :514 and that the protocol is UDP. Note the Process ID, then open Task Manager and go to the Services tab (or the Details tab for processes that are not services). You should be able to identify the other process by looking for the matching Process ID (PID).
If there is another process listening on port 514, the easiest solution is to change the port being used both in the syslog settings on your Sophos UTM (Logging and Reporting | Log Settings | Remote Syslog Server), and in the source in Fastvue Reporter (Settings | Sources). As an example, try port 49514 (UDP).
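As an added example (not a Fastvue tool), the PowerShell script below does the same port-conflict check with an exact port match instead of a substring search, and can optionally bind the port for a short time to confirm that syslog datagrams from the Sophos actually reach this host. It assumes Windows 8 / Server 2012 or later (Get-NetUDPEndpoint is in the NetTCPIP module) and that the Fastvue Reporter service is stopped while -Listen is used, since only one process can own the UDP port.

```powershell
# Added diagnostic for the Fastvue Reporter host (not Fastvue's own code).
# Usage: .\Check-SyslogPort.ps1 -Port 514            (conflict check only)
#        .\Check-SyslogPort.ps1 -Port 514 -Listen    (also show incoming datagrams)
param(
    [int]$Port = 514,      # the syslog port set on both the Sophos and the Fastvue source
    [switch]$Listen,       # bind the port briefly and print what arrives
    [int]$Seconds = 30     # how long to listen
)

# 1. Exact-port lookup: avoids the false matches that `netstat -ano | find "514"` can return.
$owners = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
foreach ($ep in $owners) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    "UDP {0}:{1} is owned by PID {2} ({3})" -f $ep.LocalAddress, $ep.LocalPort, $ep.OwningProcess, $name
}
if (-not $owners) { "No process is bound to UDP port $Port." }

# 2. Optional: listen to see whether the Sophos syslog traffic gets through firewalls and routing.
if ($Listen) {
    if ($owners) {
        Write-Warning "Port $Port is in use; stop that process (or the Fastvue service) before listening."
        return
    }
    $udp = New-Object System.Net.Sockets.UdpClient($Port)
    $udp.Client.ReceiveTimeout = 1000          # wake up every second so the deadline is honoured
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $deadline = (Get-Date).AddSeconds($Seconds)
    $count = 0
    try {
        while ((Get-Date) -lt $deadline) {
            try {
                $bytes = $udp.Receive([ref]$remote)
            } catch [System.Net.Sockets.SocketException] {
                continue                        # receive timeout, nothing arrived this second
            }
            $count++
            $text = [System.Text.Encoding]::UTF8.GetString($bytes)
            # The source address is the Sophos interface the syslog leaves from; that is the
            # IP to use when adding the Source in Fastvue (Settings | Sources).
            "{0} -> {1}" -f $remote.Address, $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    } finally {
        $udp.Close()
    }
    "Received $count datagram(s) on UDP $Port in $Seconds seconds."
}
```

If the listener receives nothing while the Sophos Live Log shows web traffic, the problem is upstream of Fastvue (syslog settings, Windows Firewall, or routing between the two machines); if datagrams arrive but none mention web filtering, check the Web Filtering syslog setting on the Sophos.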
If all of the above checks out, you can enable full diagnostic logging to log all syslog messages received (regardless of whether they are processed by Fastvue Reporter) to the 'Dashboard.log' file (location shown in Settings | Diagnostic).
- Go to Settings | Diagnostic and increase the logging level to Full.
- Let the software run for five minutes, and then zip and upload the Dashboard.log file to http://www.fastvue.co/upload. The log should contain some diagnostic information to help us troubleshoot this for you.
- As this logging level will grow the Dashboard.log significantly over time, set the logging level back to Normal.