Extract HASH & Logs from Sophos UTM

19 September 2017 (updated 21 September 2017) | HASH, IT Security, Log, Sophos UTM

Continuing our series of posts on Sophos UTM logs, in this knowledge base article we look at how to extract the web (HTTP proxy) logs from the appliance, for example for a company audit or in response to a forensic investigation request.

The tools we will use are:

PuTTY
WinSCP

As we have seen on previous occasions, these two utilities are essential for many tasks involving the appliance.

1. Configure SSH access to the appliance (in WebAdmin under Management > System Settings > Shell Access: enable shell access, allow your network, and set the loginuser and root passwords).

2. Log in via SSH with PuTTY as user loginuser (by default the UTM does not accept a direct root login over SSH).

3. Elevate to root privileges with su - (the root password is the one set on the Shell Access page).

4. Go to the log folder (the archived logs live under /var/log on the UTM)

The archived logs are organized by year and month, and within each month they are already stored as individual compressed files.

5. Generate the hash and write it to a file in /home/login/ (loginuser's home directory, which is where we will later download from)

6. Bundle what we want to take, in this case a whole month, into a tar archive. There is no need to compress the archive itself, because the individual logs are already compressed.

…then we produce the hash with the following command
find lba-http-log-01.tar -exec md5sum {} \; > nombre_de_fichero.txt

(Running md5sum directly on the tar file gives the same result; the find is not needed for a single file.) If the export is intended as evidence, record a SHA-256 alongside the MD5 and hash the individual log files in place before packaging them: MD5 is fine as a transfer check, but collisions are practical, so a SHA-256 manifest is what an auditor or investigator will want.

7. Download the files with WinSCP. First move the archive and the hash file into /home/login/ (the original does this after changing directory with pushd),

then change the owner of the files to loginuser so that account is able to read and download them.

We connect with WinSCP as loginuser and transfer the files over SFTP to a local drive/folder. After the transfer, recompute the hash on the workstation and compare it with the hash file before doing anything else.

8. Once the download has been verified, it is convenient to delete the staged copies from the UTM. Delete only the copies placed in /home/login/, not the original archived logs under /var/log, which must stay intact on the appliance.
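The same procedure from step 4 onward, as an added example that is not part of the original article: a POSIX shell script to run as root on the UTM, with a companion check to run on the workstation after the WinSCP transfer. It assumes the archive layout /var/log/<YYYY>/<MM>/http-YYYY-MM-DD.log.gz and the account loginuser with home /home/login (verify both on your own appliance with ls); the function names export_utm_month and verify_export are my own. It goes slightly beyond the article by hashing every daily file in place before packaging and by using SHA-256 (swap in md5sum if you need the article's MD5), so the manifest describes what was on the appliance rather than what came out of tar.

```shell
#!/bin/sh
# Added example, not code from the original article or from Sophos.
# Assumed layout: LOGROOT/YYYY/MM/http-YYYY-MM-DD.log.gz (check with ls).

# export_utm_month LOGROOT YEAR MONTH DEST [OWNER]
#   LOGROOT     archive root, normally /var/log
#   YEAR MONTH  e.g. 2017 09
#   DEST        staging directory loginuser can read, normally /home/login
#   OWNER       account that will pull the files over SFTP (default loginuser)
# Writes to DEST and prints the tar path:
#   http-log-YYYY-MM.tar           the month's .gz files (tar only, no gzip:
#                                  the daily logs are already compressed)
#   http-log-YYYY-MM.files.sha256  hash of every .gz, taken before packaging
#   http-log-YYYY-MM.tar.sha256    hash of the tarball, for the transfer check
export_utm_month() {
    logroot=$1; year=$2; month=$3; owner=${5:-loginuser}
    mkdir -p "$4" && dest=$(cd "$4" && pwd) || return 1
    srcdir="$logroot/$year/$month"
    name="http-log-$year-$month"
    tarfile="$dest/$name.tar"

    [ -d "$srcdir" ] || { echo "no log directory $srcdir" >&2; return 1; }

    # Hash the originals in place first, then tar exactly those files.
    (
        cd "$srcdir" || exit 1
        set -- http-*.log.gz
        [ -e "$1" ] || { echo "no http logs in $srcdir" >&2; exit 1; }
        sha256sum "$@" > "$dest/$name.files.sha256" &&
        tar -cf "$tarfile" "$@"
    ) || return 1

    # Hash the tarball so the downloaded copy can be checked.
    (cd "$dest" && sha256sum "$name.tar" > "$name.tar.sha256") || return 1

    # loginuser must own the staged copies to download them; chown needs root,
    # which is why the article elevates with su first. Skipped when not root.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$tarfile" "$dest/$name.files.sha256" \
            "$dest/$name.tar.sha256" || echo "warning: chown to $owner failed" >&2
    fi
    echo "$tarfile"
}

# verify_export DIR NAME
# Run on the workstation after the SFTP download (any machine with sha256sum,
# e.g. WSL or Git Bash). Checks the tarball against its hash, unpacks it into
# DIR/check and checks every daily file against the manifest taken on the UTM.
# Returns non-zero on any mismatch; only delete the staged copies on the UTM
# once this has passed.
verify_export() {
    dir=$1; name=$2
    (
        cd "$dir" &&
        sha256sum -c "$name.tar.sha256" > /dev/null &&
        mkdir -p check && tar -xf "$name.tar" -C check &&
        cd check && sha256sum -c "../$name.files.sha256" > /dev/null
    )
}
```

On the appliance: `export_utm_month /var/log 2017 09 /home/login` as root, then fetch the three files with WinSCP as loginuser. On the workstation: `verify_export /path/to/download http-log-2017-09`; a non-zero exit means the tarball or one of the daily files does not match what was hashed on the UTM, and the export should be repeated rather than deleted.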


Copyright 2017, TresW