Sophos - How to enable webcontrol verbose logging

-----------------------------------------
Article ID: 116769
Linked Article: How to enable Sophos Web Intelligence (Web Protection feature) and Web Control logging
-----------------------------------------

What To Do

Web Filtering logging

By default, only blocked URLs are logged, and they are written to the default SAV.txt log.
The following information is logged in SAV.txt:
  • Each blocked URL
  • The referrer URL
  • The name of the user
  • The Sophos Labs reason code
However, more verbose logging can be enabled, which provides information on the multiple SAV components involved in Web Filtering. To enable these logs, follow these instructions:
  1. Open Regedit and navigate to the following location:
    32-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\
    64-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\
  2. Add a new DWORD named LogLevel
  3. Set the value to 3
  4. Open the service manager (services.msc) and restart the Sophos Web Intelligence service to start logging.

Values

1 - Information
2 - Trace
3 - Debug

Logs written

C:\WINDOWS\Temp\swisdiag.log
C:\WINDOWS\Temp\swifdiag.log
%TEMP%\swifdiag.log

Web Control logging

To enable verbose logging for Web Control, follow these instructions:
  1. Open Regedit and navigate to the following location:
    32-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\
    64-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\
  2. Add a new DWORD named LogLevel
  3. Set the value to 3
  4. Navigate to the following location:
    32-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\Web Control\
    64-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\Web Control\
  5. Add a new DWORD named LogLevel
  6. Set the value to 3
  7. Open the service manager (services.msc) and restart the Sophos Web Control and Sophos Web Intelligence services to start logging.

Values

1 - Information
2 - Trace
3 - Debug

Logs written

C:\WINDOWS\Temp\swc_diag.log
C:\WINDOWS\Temp\swc_messaging.log
C:\WINDOWS\Temp\swc_rms_diag.log
C:\WINDOWS\Temp\swifdiag.log
C:\WINDOWS\Temp\swisdiag.log
%TEMP%\swc_messaging.log
%TEMP%\swifdiag.log

Disabling Logging

  1. Open Regedit and navigate to the following locations:
    • 32-bit
      • HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\Web Control\
      • HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Web Intelligence\
    • 64-bit
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\Web Control\
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\
  2. Change the value in LogLevel to 0 at each location.

Note: Restarting the service(s) isn't required. If logging persists, a restart may be required. This can occur when the processes involved are not restarted with the service.
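
The Regedit steps for enabling and disabling logging above can also be scripted. The following PowerShell is an added example, not Sophos code: the function name Set-SophosWebLogLevel and its parameters are hypothetical, and matching the services by display name ("Sophos Web Intelligence*", "Sophos Web Control*") is an assumption based on the service names used in this article. Run it from an elevated prompt.

```powershell
# Added example (not Sophos code). Requires an elevated PowerShell session.
function Set-SophosWebLogLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = logging off, 1 = Information, 2 = Trace, 3 = Debug (values from the article)
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level,
        [switch]$IncludeWebControl,   # also set ...\Web Intelligence\Web Control\
        [switch]$RestartServices      # restart the matching Sophos services afterwards
    )

    # 64-bit Windows keeps the keys under Wow6432Node; 32-bit Windows does not.
    $root = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Sophos\Web Intelligence'
    } else {
        'HKLM:\SOFTWARE\Sophos\Web Intelligence'
    }

    $keys = @($root)
    if ($IncludeWebControl) { $keys += Join-Path $root 'Web Control' }

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "Key not found, skipping: $key"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, "Set LogLevel to $Level")) {
            # -Force creates the DWORD if it is missing and overwrites it if present.
            New-ItemProperty -LiteralPath $key -Name 'LogLevel' `
                -PropertyType DWord -Value $Level -Force | Out-Null
        }
    }

    if ($RestartServices) {
        # Assumption: services are matched by display name, as named in the article.
        $names = @('Sophos Web Intelligence*')
        if ($IncludeWebControl) { $names += 'Sophos Web Control*' }
        Get-Service -DisplayName $names -ErrorAction SilentlyContinue |
            Restart-Service -Force
    }

    # Report the current value at each key so the change can be verified.
    foreach ($key in $keys | Where-Object { Test-Path -LiteralPath $_ }) {
        $value = (Get-ItemProperty -LiteralPath $key -Name 'LogLevel' -ErrorAction SilentlyContinue).LogLevel
        [pscustomobject]@{ Key = $key; LogLevel = $value }
    }
}

# Enable debug logging:  Set-SophosWebLogLevel -Level 3 -IncludeWebControl -RestartServices
# Disable it again:      Set-SophosWebLogLevel -Level 0 -IncludeWebControl
```

Adding -WhatIf to either call shows which keys and services would be changed without touching them.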