How do I configure syslog remote logging for a Sophos firewall?

This article provides instruction on how to setup and enable syslog forwarding on a Sophos firewall

Configure Syslog Server

  1. Navigate to System Services > Log Settings and click Add to configure a syslog server.
  2. Enter a Name for the syslog server.
  3. Enter the IP Address of the syslog server.
  4. Enter a Port number that the device will use for communicating with the syslog server. (UDP / 514 is recommended)
  5. Select the Facility option and choose the value DAEMON.
  6. Select the Severity Level from the available options and choose the value Information.
  7. The log format to be selected is Device Standard Format.
    Sophos Firewall Syslog
  8. Click Save the configuration.

Once you have added the server, go to the System > System Services > Log Settings page and enable all those logs, which are to be sent to the syslog server in the section Log Settings.

Enable Traffic Logging

  1. Enable firewall traffic logs:
  • Go to Firewall > Edit Firewall Rule to view the status of logging and security policies.
  • Enable logging of firewall traffic from Log Traffic section. It ensures that traffic passing through the Firewall rule has been logged and can be viewed from Log Viewer.

    log_traffic_sophos
  1. Apply Security Policies
    Set security policies to Allow All or Default Policies or a custom policy so that logs are generated. If the security policies are set to None then logs may not generate.
  2. Enable Logging
    Go to Configure > System Services > Log Settings and select the checkbox Log Type (System) to enable logging for the Syslog server created in step 1. We recommend you enable logging for all security related modules, firewall rules and logon activities.

    logsettings sophos

You've now setup syslog remote logging on your firewall. You are now ready to send firewall data to the RocketCyber firewall log analyzer. See related article to configure RocketCyber's firewall log analyzer, for receiving the data.