How to manually import specific Sophos UTM historical log files

Last Updated: Aug 30, 2018 09:26PM PDT
You can manually add a 'filesystem' source to import a set of files directly as a one-time import in Fastvue Sophos Reporter. This can be useful if the Fastvue Reporter server was down or not accessible for a period of time, or if there are specific log files you need to report on that have been purged by the data retention policy.

Note that this method adds another 'Source', and you may need an additional license key to import data from an additional source. Contact Fastvue Support to arrange this.

Step 1 - Check Data Retention Policy

First make sure your data retention policy in Settings | Data Storage | Settings is set appropriately to import the historical logs, without them being instantly purged by either the time or size policy.

Step 2 - Download Historical Logs

Download the required log files from the Sophos UTM to a folder on the Fastvue Machine. Note that only Sophos SG supports this feature. It is not currently possible to download historical logs from Sophos XG.

To do this:
  1. Log into your Sophos UTM SG, and go to Logging and Reporting | View Log Files | Archived Log Files
  2. Select Web Filtering from the 'Subsystem' drop-down list and the month and year for the required log files.
  3. Check the checkboxes next to the desired log files and select Download as archive file from the drop-down list at the bottom of the screen. This will download a zip file containing the log files.
  4. Place the zip file in a folder on the Fastvue Reporter machine, then extract the zip file to reveal the original log files.

Step 3 - Manually add a File System Source 

There is no option via the User Interface to add a 'filesystem' source (a Source that only imports logs from a filesystem folder), so this needs to be done via the API by entering a specific URL into your browser.

Go to the Reporter’s dashboard and, in the address bar where you see the URL (e.g. http://reporterserver/Dashboard.aspx), replace /Dashboard.aspx with the following:

/_/api?f=Settings.Sources.AddRoot&type=Filesystem&options={Path:"path\\to\\logs"}

Make sure to replace path\\to\\logs with the path to the folder containing the logs (this is case sensitive), and also make sure to replace all backslash (\) characters in the folder path with two backslashes (\\). For example:

http://fastvueserver/_/api?f=Settings.Sources.AddRoot&type=Filesystem&options={Path:"C:\\Logs\\MissingAugustLogs"}

Press Enter once this is done, and you should see something like the following returned:

{"Status": 0, "Data": "5a3d29a52e814de1a876ef433ffd04be"}

If the “Data” value is a string of random numbers and letters, then the new source was added successfully. Go back to the Reporter interface and go to Settings | Sources and you should see a new filesystem source start importing the logs.
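
As an added example (not part of the original article and not Fastvue's own code), the Python helper below builds the URL from a folder path typed with single backslashes and checks the reply the way the paragraph above describes. The function names and the choice to percent-encode the options value are assumptions made for this example.

```python
import json
import re
from urllib.parse import quote

# API call quoted from the article; the value after "options=" is built below.
API_CALL = "/_/api?f=Settings.Sources.AddRoot&type=Filesystem&options="


def build_add_source_url(base_url, folder):
    """Build the AddRoot URL for a folder path written with single backslashes."""
    if '"' in folder:
        raise ValueError("folder path must not contain double quotes")
    # Skip a leading UNC prefix (\\server\share) when looking for doubling.
    if "\\\\" in folder[2:]:
        raise ValueError("use single backslashes; they are doubled here")
    # The case of the path is left untouched: the article says it is case sensitive.
    options = '{Path:"' + folder.replace("\\", "\\\\") + '"}'
    # Assumption: the value is percent-encoded so that spaces, quotes and
    # braces reach the server intact whichever client sends the request.
    return base_url.rstrip("/") + API_CALL + quote(options, safe="")


def source_was_added(response_text):
    """True when "Data" is a string of letters and digits, as the article describes."""
    try:
        reply = json.loads(response_text)
    except ValueError:
        return False  # not JSON at all, e.g. an error page
    data = reply.get("Data") if isinstance(reply, dict) else None
    return isinstance(data, str) and re.fullmatch(r"[0-9A-Za-z]+", data) is not None


if __name__ == "__main__":
    # Server name, folder and reply are the ones shown in the article.
    print(build_add_source_url("http://fastvueserver", r"C:\Logs\MissingAugustLogs"))
    print(source_was_added('{"Status": 0, "Data": "5a3d29a52e814de1a876ef433ffd04be"}'))
```
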


Once the logs have finished importing, go to Settings | Data Storage to make sure you now have data for the required dates. You can then delete the filesystem source in Settings | Sources and the imported data will be retained.

You may also be interested in using Sophos UTM's Remote Log Archive feature to automatically send the archived logs to the Fastvue Reporter server for the purpose of automatically filling 'gaps' in the syslog data that may occur from time to time. For more information see Never miss reporting data with Sophos UTM's Remote Log Archive.
