How do I configure syslog remote logging for a Sophos firewall? - Connect IT Community | Kaseya
<main> <article class="userContent">
<h2 data-id="this-article-provides-instruction-on-how-to-set-up-and-enable-syslog-forwarding-on-a-sophos-firewall">This article provides instructions on how to set up and enable Syslog forwarding on a Sophos firewall</h2>
<h4 data-id="configure-syslog-server">Configure Syslog Server</h4>
<ol>
<li>Navigate to <strong>System Services</strong> > <strong>Log Settings</strong> and click <strong>Add</strong> to <strong>configure</strong> a <strong>Syslog server</strong>.</li>
<li>Enter a name for the <strong>Syslog server</strong>.</li>
<li>Enter the <strong>IP Address</strong> of the Syslog server.</li>
<li>Enter the <strong>Port</strong> number that the device will use to communicate with the Syslog server. (UDP port 514 is recommended.)</li>
<li>Select the <strong>Facility</strong> option and choose the value <strong>DAEMON</strong>.</li>
<li>Select the <strong>Severity Level</strong> from the available options and choose the value <strong>Information</strong>.</li>
<li>For the log format, select <strong>Device Standard Format</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/9I2KH3U0IPCW/screen-shot-2020-07-02-at-11-20-02-pm.png" alt="Screen_Shot_2020-07-02_at_11.20.02_PM.png" class="embedImage-img importedEmbed-img"></img></li>
<li>Click <strong>Save</strong> to save the configuration.</li>
</ol>
<p>Once you have added the server, go to the <strong>System > System Services > Log Settings</strong> page and, in the <strong>Log Settings</strong> section, enable all the logs that are to be sent to the Syslog server.</p>
<h4 data-id="enable-traffic-logging">Enable Traffic Logging</h4>
<ol>
<li> <strong>Enable firewall traffic logs</strong>:
<ul>
<li>Go to <strong>Firewall > Edit Firewall Rule</strong> to view the status of logging and security policies.</li>
<li>Enable logging of firewall traffic from the Log Traffic section. This ensures that traffic passing through the firewall rule is logged and can be viewed in Log Viewer.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/WH20MLT5RH64/log-traffic-sophos.png" alt="log_traffic_sophos.png" class="embedImage-img importedEmbed-img"></img></li>
</ul>
</li>
<li> <strong>Apply Security Policies</strong><br>Set security policies to <strong>Allow All</strong>, <strong>Default Policies</strong>, or a custom policy so that logs are generated. If the security policies are set to <strong>None</strong>, logs may not be generated.</li>
<li> <strong>Enable Logging</strong><br>Go to <strong>Configure > System Services > Log Settings</strong> and select the checkbox <strong>Log Type (System)</strong> to enable logging for the Syslog server created in step 1. We recommend you enable logging for all security-related modules, firewall rules, and logon activities.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/FVS0S556DQS1/logsettings-sophos.png" alt="logsettings_sophos.png" class="embedImage-img importedEmbed-img"></img></li>
</ol>
<div data-hs-callout-type="tip"> <p>You've now set up Syslog remote logging on your firewall. You are now ready to send firewall data to the RocketCyber firewall log analyzer. See the related article to <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Frocketcyber%2Fhc%2Fen-us%2Farticles%2F360018050918" rel="undefined nofollow">configure RocketCyber's firewall log analyzer</a> to receive the data.</p> </div>
</article> </main>
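<p>To confirm on the Syslog server that the firewall is forwarding with the settings above, the following check decodes the <code>&lt;PRI&gt;</code> header of a received datagram (PRI = facility × 8 + severity, so DAEMON with Information is 30) and parses the payload. It is an added example, not part of the original article or any Kaseya or Sophos tooling; the key=value field names in the sample datagram are constructed assumptions.</p>

```python
import re
import socket

DAEMON = 3          # syslog facility code for the Facility chosen above
INFORMATION = 6     # syslog severity code for the Severity Level chosen above
PRI_RE = re.compile(rb"^<(\d{1,3})>")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample datagram; field names are assumed, not taken from the article.
SAMPLE = (b'<30>device="SFW" date=2020-07-02 time=23:20:02 '
          b'log_type="Firewall" log_component="Firewall Rule" '
          b'log_subtype="Allowed" src_ip=192.0.2.10 dst_ip=198.51.100.20')

def parse_datagram(data):
    """Split a syslog datagram into (facility, severity, fields)."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    body = data[m.end():].decode("utf-8", errors="replace")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return facility, severity, fields

def check_datagram(data):
    """Return a list of mismatches against the settings in this article."""
    try:
        facility, severity, fields = parse_datagram(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if facility != DAEMON:
        problems.append(f"facility {facility}, expected {DAEMON} (DAEMON)")
    if severity > INFORMATION:
        problems.append(f"severity {severity} is less severe than Information")
    if "log_type" not in fields:
        problems.append("no log_type field; payload is not key=value")
    return problems

def receive_one(host="0.0.0.0", port=514, timeout=30.0):
    """Wait for one UDP datagram from the firewall and check it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)
        data, peer = sock.recvfrom(65535)
    return peer[0], check_datagram(data)

if __name__ == "__main__":
    print("sample:", check_datagram(SAMPLE) or "OK")
    print("live:", receive_one())
```

<p>Run it on the Syslog server while the regular collector is stopped, because binding UDP port 514 requires elevated privileges and a free port.</p>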