To get log files containing traffic data from Sophos XG Firewall, you need to use an external Syslog server. You can use almost any Syslog server for Windows (Kiwi, SysLog Watcher, etc.) or for Linux. The general requirements for the Syslog server are that it runs uninterrupted 24/7 and that ProxyInspector can access the log files it writes.
In the Administration section, open Configure | System Services | Log Settings, click the Add button, and add the Syslog server. Change the Severity value to Information.
Enable the Firewall Rules, Web Filter, and Application Filter message types for the created Syslog server.
Then click the Apply button.
Enable the Scan HTTP and Decrypt & Scan HTTPS options for all firewall rules allowing HTTP/HTTPS traffic. Enable the Log Firewall Traffic option for all rules allowing traffic that must be monitored by ProxyInspector.
When using HTTPS Inspection, you need to install the corresponding security certificate in the Trusted Root Certification Authorities section on the users' computers. You can download the certificate via the System | Certificates | Certificate Authorities section.
You need to specify the path and mask of the log files in ProxyInspector so that it can access them. Typically, this is a network path to a folder on the Syslog server. In the Enterprise Edition, specify it in Settings | Domains and servers; in the Standard Edition, specify it in Settings | Base settings.
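Before pointing ProxyInspector at the folder, it helps to confirm that the files written by the Syslog server actually contain all three message types enabled above. The following is an added example, not part of the original instructions or of ProxyInspector. It assumes the firewall writes `key=value` records and that the `log_type` / `log_component` values in `EXPECTED` match what your firmware emits; the sample lines are constructed.

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs in one syslog record
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ASSUMPTION: (log_type, log_component) values for each enabled message type.
# Adjust to the values seen in your own log files.
EXPECTED = {
    "Firewall Rules": ("Firewall", "Firewall Rule"),
    "Web Filter": ("Content Filtering", "HTTP"),
    "Application Filter": ("Content Filtering", "Application"),
}

def parse_line(line):
    """Return the record's fields as a dict; quoted values lose their quotes."""
    return {k: quoted if quoted else bare for k, quoted, bare in PAIR_RE.findall(line)}

def coverage(lines):
    """Count records per message type; report missing types and unparsed lines."""
    counts, unparsed = Counter(), 0
    for line in lines:
        fields = parse_line(line)
        if "log_type" not in fields:
            unparsed += 1  # not a firewall record (banner, truncated line, ...)
            continue
        key = (fields["log_type"], fields.get("log_component"))
        for name, expected in EXPECTED.items():
            if key == expected:
                counts[name] += 1
    missing = [name for name in EXPECTED if counts[name] == 0]
    return dict(counts), missing, unparsed

# Constructed sample records (documentation addresses, example.com).
SAMPLE = [
    '<30>device="SFW" date=2024-01-10 time=09:15:02 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" src_ip=192.0.2.10 dst_ip=198.51.100.7',
    '<30>device="SFW" date=2024-01-10 time=09:15:03 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" src_ip=192.0.2.11 dst_ip=198.51.100.9',
    '<30>device="SFW" date=2024-01-10 time=09:15:04 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" user_name="jdoe" url="http://example.com/"',
    'syslog daemon restarted',
]

if __name__ == "__main__":
    counts, missing, unparsed = coverage(SAMPLE)
    print("records per type:", counts)
    print("message types with no records:", missing)
    print("lines without log_type:", unparsed)
```

A message type reported as missing after normal browsing traffic usually means it was not enabled for the Syslog server, or that logging is not enabled on the relevant firewall rules.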