In order for live syslog data to be imported, ensure:
- Sophos Web Appliance is active:
Clients on your network are actively browsing the web and being filtered by Sophos Web Appliance.
- Syslog Server is the Fastvue IP:
You have specified the Fastvue Reporter server as a syslog server in Configuration | System | Alerts and Monitoring | Syslog. (Double check the IP address used).
- Syslog protocol is UDP and port is 514 (or another unused port):
In your Sophos Web Appliance's syslog settings, ensure the port is 514, or another port that is not in use on the Fastvue Reporter machine, and that the protocol is set to UDP. Because UDP is connectionless, a wrong port or protocol produces no error on either side; the messages simply never arrive.
- Fastvue Source Settings are correct:
You have added the Sophos Web Appliance as a Source in Fastvue Reporter (Settings | Sources) using the correct name or IP address and port (e.g. 514). Ensure the IP address is that of the appliance interface the Fastvue Reporter server actually reaches (e.g. if the Fastvue Reporter server is on your internal network, specify the appliance's internal interface).
- No routing issues between Sophos Web Appliance and Fastvue:
The Fastvue Reporter server and the Sophos Web Appliance are on the same subnet, or the router between the subnets is configured to pass syslog traffic. If there is a router between the two, pay careful attention to how it handles the traffic: whether NAT is involved (if the router rewrites the source address, the address Fastvue Reporter sees will be the router's, not the appliance's, and must match the Source you configured), and whether the router is the default gateway for both machines.
- No firewall issues:
There is nothing blocking UDP port 514 (or your specified port) inbound on the Fastvue Reporter machine (such as Windows Firewall), or anywhere between the Fastvue Reporter machine and the Sophos Web Appliance. A firewall rule that only allows TCP on the port is not sufficient. See our article on Opening the Syslog Port in Windows Firewall for more information.
- No Port Conflict:
There is no port conflict on port 514 (or your specified port) with another application or service on the Fastvue Reporter machine (see below).
Troubleshooting Port Conflicts
To find out whether there is a port conflict on the Fastvue Reporter machine for port 514, open a command prompt and enter:
    netstat -ano | find "514"
This lists every connection and listener on the machine whose line contains "514". Because find matches a substring, the output may also include unrelated entries (other ports such as 1514, or addresses containing 514); look for a UDP entry whose local address ends in :514. Note the Process ID (PID) in the last column, then open Task Manager and go to the Details tab (or the Services tab if the PID belongs to a Windows service) to identify the process with the matching PID.
If there is another process listening on Port 514, the easiest solution is to change the port being used both in the syslog settings on your Sophos Web Appliance (Configuration | System | Alerts and Monitoring | Syslog), and in the source in Fastvue Reporter (Settings | Sources). As an example, try port 49514.
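The two questions the checklist above keeps coming back to are "is the port free on the Fastvue Reporter machine?" and "is anything from the appliance actually reaching it?". The following Python script is an added example written for this article (not Fastvue Reporter or Sophos code): it tests whether the UDP syslog port can be bound (the same question the netstat check answers), and, once the Fastvue Reporter service is stopped so the port is free, binds the port itself and prints the raw datagrams it receives, decoded just enough to see the sender address and the syslog facility/severity. It assumes Python 3 on the Fastvue Reporter machine; the sample message it can send to itself is constructed here and is not a real Sophos Web Appliance record.

```python
"""Syslog reachability / port-conflict check for a Fastvue Reporter host (added example, not Fastvue code)."""
import re
import socket

SYSLOG_PORT = 514  # default UDP syslog port used in the article

# RFC 3164 facility and severity tables used to decode the <PRI> prefix of each datagram.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample datagram (PRI 134 = local0.info); not a real Sophos Web Appliance record.
SAMPLE_MESSAGE = b"<134>Jan  1 12:00:00 swa-test syslog-check: test datagram from Fastvue host"


def port_in_use(port, host="0.0.0.0"):
    """True if another process already owns UDP host:port (what the netstat check looks for)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return False
    except OSError:
        return True
    finally:
        probe.close()


def find_free_port(host="127.0.0.1"):
    """Ask the OS for an unused UDP port (used for a loopback self-test)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]
    finally:
        tmp.close()


def parse_syslog(datagram):
    """Decode the <PRI> prefix of a BSD-style syslog datagram; flags malformed input instead of raising."""
    text = datagram.decode("utf-8", errors="replace")
    match = PRI_RE.match(text)
    if not match:
        return {"valid": False, "raw": text}
    pri = int(match.group(1))
    if pri > 191:  # 24 facilities x 8 severities gives PRI values 0..191
        return {"valid": False, "raw": text}
    return {"valid": True, "facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7], "message": match.group(2)}


def open_listener(port, host="0.0.0.0"):
    """Bind the syslog port ourselves. Raises OSError if Fastvue Reporter or a conflicting service still owns it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def capture(sock, timeout=30.0, max_messages=10):
    """Read up to max_messages datagrams (or until timeout) and return them parsed, with the sender IP."""
    sock.settimeout(timeout)
    received = []
    try:
        while len(received) < max_messages:
            data, (src_ip, _) = sock.recvfrom(65535)
            record = parse_syslog(data)
            record["source"] = src_ip  # with NAT in the path this is the router, not the appliance
            received.append(record)
    except socket.timeout:
        pass  # nothing more arrived within the window; return what we have
    finally:
        sock.close()
    return received


def send_syslog(message, host, port=SYSLOG_PORT):
    """Send one datagram, e.g. from another host on the Fastvue subnet to prove the path and firewall are open."""
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        out.sendto(message, (host, port))
    finally:
        out.close()


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else SYSLOG_PORT
    if port_in_use(port):
        print(f"UDP {port} is already bound: stop Fastvue Reporter, or resolve the port conflict, and retry")
        sys.exit(1)
    print(f"Listening on UDP {port} for 30 seconds; browse through the appliance now ...")
    for rec in capture(open_listener(port), timeout=30.0):
        print(rec)
```

Run it on the Fastvue Reporter machine with the Fastvue Reporter service stopped. If it reports the port as already bound, something else owns it and the port-conflict steps above apply. If it listens but sees nothing while clients browse, the problem is upstream (appliance syslog settings, routing or a firewall). If datagrams arrive but from an unexpected address, that is the address your Fastvue Source must use. Remember to start the Fastvue Reporter service again afterwards.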
If all of the above checks out, you can enable full diagnostic logging to log all syslog messages received (regardless of whether they are processed by Fastvue Reporter) to the Dashboard.log file (location shown in Settings | Diagnostic).
- Go to Settings | Diagnostic and increase the logging level to Full.
- Let the software run for five minutes, and then zip and upload the Dashboard.log file to http://www.fastvue.co/upload. The log should contain some diagnostic information to help us troubleshoot this for you. Note that at this level the file contains the raw syslog messages, i.e. your users' web browsing records, so treat it accordingly.
- Once the file is uploaded, set the logging level back to Normal, as the Full level grows Dashboard.log significantly over time.