In order for Cyfin to analyze the Sophos UTM firewall data, you must perform the following steps to produce the proper syslog data:
- Set up the Web filtering option.
- To set up the Web filtering functionality on the Web server, go to Web Protection – Web Filtering – Global and click the enable button.
- Syslog settings are configured in WebAdmin on the Logging & Reporting – Log Settings – Remote Syslog Server tab.
- On this tab, multiple target syslog servers may be added, and logs may be sent to any TCP or UDP port. (Most systems will default to UDP port 514.)
- If syslog messages cannot be delivered, they will be buffered and re-sent when possible.
- By default, up to 1000 logs will be buffered. Buffering is most reliable over TCP, because TCP detects failed message deliveries more accurately.
- When using UDP, a failure will only be detected if the target IP is online and able to respond with an ICMP (Internet Control Message Protocol) service unavailable message.
- Once syslog targets have been configured, the logs to send via syslog must also be selected on the same screen. By default, none are selected. Select the Web Filter log file type, and click Apply.
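Because no log types are selected by default, it is worth confirming that Web Filter records actually reach the syslog target. The following is an added example, not part of the original instructions or of Cyfin or Sophos code: a small UDP receiver that counts incoming records by program tag. The `httpproxy` tag, the `key="value"` field layout and the sample lines are assumptions constructed for illustration.

```python
import re
import socket

# Assumption: Web Filter records arrive as
#   <PRI>timestamp host httpproxy[pid]: key="value" key="value" ...
# The "httpproxy" tag and the field names are assumptions, not from the page.
TAG_RE = re.compile(r"\s([\w.-]+)\[\d+\]:\s")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Return (program_tag, fields) for one syslog line; tag is None if absent."""
    tag = TAG_RE.search(line)
    return (tag.group(1) if tag else None), dict(KV_RE.findall(line))


def open_receiver(host="127.0.0.1", port=0):
    """Bind a UDP socket; port 0 picks a free port (use 514 on a real target)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def collect(sock, web_tag="httpproxy", timeout=1.0, max_msgs=100):
    """Read datagrams until the socket is idle for `timeout` seconds.

    Returns (count per program tag, parsed Web Filter records)."""
    sock.settimeout(timeout)
    counts, web_records = {}, []
    for _ in range(max_msgs):
        try:
            data, _addr = sock.recvfrom(65535)
        except socket.timeout:
            break
        tag, fields = parse_record(data.decode("utf-8", errors="replace"))
        counts[tag] = counts.get(tag, 0) + 1
        if tag == web_tag:
            web_records.append(fields)
    return counts, web_records


# Constructed sample datagrams (not captured from a real UTM).
SAMPLES = [
    '<30>2024:01:15-10:00:01 utm httpproxy[4321]: id="0001" severity="info" '
    'name="http access" action="pass" srcip="192.0.2.10" url="http://example.com/"',
    '<30>2024:01:15-10:00:02 utm ulogd[999]: id="2001" name="Packet dropped"',
]

if __name__ == "__main__":
    rx = open_receiver()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for s in SAMPLES:
        tx.sendto(s.encode(), rx.getsockname())
    print(collect(rx))
```

If the count for the Web Filter tag stays at zero while other tags arrive, the Web Filter log type was probably not selected on the Remote Syslog Server tab.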
Now you can proceed to configure Cyfin to receive these syslog data records.
Additional Resources:
- Wavecrest video on setting up Cyfin Syslog: Cyfin Syslog setup video