Logging: Enhanced, Standarized Log Viewer with support for logical operators
Please implement a reader friendly log-, and live log reader which will output any of the the text logs to a formatted output (similar to the actual paket filter live log). Should offer following features for viewing all types of logs:
- formatted output (as paketfilter live log)
- colored (drop, pass, block, info and so on)
- expression filters
- possibility to filter (do not show) logentries (similar to user portal / smtp log), where you can hide unwanted informations)
Michaël Van den Steen commented
Logging could be much better indeed. I know the basics about networking and for me personally the logs are just too hard to understand :).
Some simplified presentation would be nice.
Nothing new? Any forecast to the future?
Thx for answer
Logging on Sophos is the worse experience I've ever had with a firewall. Why do the summary logs not tell you anything about what was actually done to a packet and why do we need to check 5 different logs to work out if/where a packet was dropped?
Harrison Heck commented
Any update to this? The live logs are nearly useless without these enhancements.
If the logs can be display ala Paloalto way then Sophos is great to go else the logs are actually quite hard to decipher and that would put alot of admin off when they urgently need to filter out results or troubleshoot any issues.
I currently use Checkpoint Security Gateway R70.3 and the Checkpoint-Tracker is very flexible, is it possible to filter by any kind of column (source, destination, service, port, rule, ....) making very easy to analize all traffic information. On the Sophos UTM I have very difficult to analyze the logs.
need a live log with in which a website accessed by user is displayed
For example user1 connected sites - googele.com
Since the log viewers are different within the device, align them. So have one way logs are viewed. That way they are no longer different per product.
The mail manager has a great view, packet filter is ok the rest is unedited txt.
Main issue is, you get everything all the time and are unable to cut and slice through it to only find what you need without using third party tools.
Adrian Baxter commented
Absolutely. The IPS and HTTP logs are difficult to read as it scrolls horizontally and nothing is aligned. You currently have to really study the log and it is easy to miss things; you should be able to see things at a glance.
Juergen Fritz commented
Need more filter-options - like the Checkpoint-Tracker
yes please implement cokumn view and color marking possibility, would also be great to pipe multiple logs into one window e.g. firewall and proxy in to one log window
M too agree with you, Its very nice at the time to trouble shoot, other UTMs already has this type of feature, so i request to Astaro too... great..
Elmar Haag commented
A "column view" is urgently needed, especially for logs with very long lines (like in the WAF or the HTTP Proxy).
Sascha Paris commented
There is already a more or less similar (extended) feature request for better readable logs here
Because i cant Edit my idea i had to write it as a comment:
The white- or blacklistentry that matches schould be highlighted in the live log. This will take much lower time to find out which rule is the one, that makes the match.
I agree, opening the logs in notepad isn't easy to read and find data. Maybe using a database backend to store log files with a interactive front end will make it easy to filter, read, sort and manipulate large volumes of log files.
Sascha Paris commented
...and it's difficult to follow some live logs as IPS, HTTP or SMTP, because you have to scroll horizontally between left and right corner to find requested informations. Coloring loglines and possibility of filtering out unnecessary informations would ease work with (live) logs.
Pieter van Stokkom commented
hear hear! Browsing the logs, particularly in a bigger environment, is a pain. Time-outs occur frequently, getting a quick overview of the data you want is hardly possible when you don't have an outside logging server.