Sophos Reporter Release Notes
Sophos Reporter 3.0.1.68 (2023-03-01)
  • Resolved issue preventing directory / LDAP import for new installations.

Sophos Reporter 3.0.1.67 (2023-02-23)
  • Fastvue Reporter has always resolved source hosts for the common internal address ranges — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, [fe80::]/16, or [fc00::]/7. You can now add custom IP ranges by editing the ResolveSourceHostsIPRanges property in Fastvue Reporter’s Settings.xml file while the Fastvue Reporter service is stopped. Add a comma-separated list of the IP ranges that you would like to resolve, in CIDR notation.

    For example:
    <Item Name="ResolveSourceHostsIPRanges" Type="System.String, mscorlib" Value="1.0.0.0/8,2.3.0.0/16,4.5.6.0/24" />

    Note, Source Hosts are only resolved when a username or source host has not been logged by the firewall.
  • Added support for FTP Antivirus log events.
  • Fixed the alignment of chart bars to table rows in dashboard widgets when the table row expands to multiple lines.

Sophos Reporter 3.0.1.66 (2023-02-10)
  • YouTube shorts are now officially supported. Video IDs are now correctly extracted from URLs and resolved using the YouTube API when users watch YouTube Shorts.
  • Default syslog encoding is now set to UTF-8, fixing import issues with non-English character sets. The encoding can be changed by editing the value of the SyslogGlobalEncodingType setting in Fastvue Reporter’s Settings.xml file. Possible values include UTF-8, ASCII, UTF-16 and UTF-32.
  • Fixed an issue with ‘whole word’ keyword matching when the phrase contains non-English characters such as the é in appétit.
  • Fixed display issues with the ‘Print’ style when printing reports in the browser.
  • Fixed display issues with the buttons above some Report widgets preventing them wrapping to multiple lines.

Sophos Reporter 3.0.1.65 (2022-12-14)
  • Activity Reports filtered by Keyword Groups now contain relevant columns in the report output. For example, filtering by Search Terms ‘In Keyword Group’ Self-harm, returns a column showing the matching Search Terms.
  • Improved search term extraction for a range of websites.
  • Fixed an issue that can prevent reports from generating if an extracted Search Term is a DateTime value.
  • The “User Warned And Proceeded” alert now also matches the rule logged as “Transaction was allowed after the user proceeded through a warning”.
  • Saving an invalid YouTube API key is now prevented.
  • Fixed an issue sorting alerts as per their order in the underlying Alerts.xml configuration file. Factory defined alerts are still grouped together at the bottom of the alerts list with custom alerts above.

Sophos Reporter 3.0.1.64 (2022-10-13)
  • Most report widgets now expand long strings to multiple lines instead of being truncated with an ellipsis.
  • Improved the performance of syslog import when you have many syslog sources.
  • Fixed an issue introduced in the previous build where directory / LDAP import causes a memory issue when importing result sets containing more than 500 entities.
  • Fixed issues with keyword highlighting positioning in certain keyword matching situations.
  • Added checks for invalid characters in filenames and file extensions.
  • Added more instruments to the hidden page at /settings/DiagStats.aspx for the main four Elasticsearch request queues (Bulk, Management, Search, Warmer), named “dbEsqIndex”, “dbEsqMgmt”, “dbEsqSearch”, and “dbEsqWarmer”. Cache information has been added to DiagStats, along with a button to manually clear caches. 
  • As disk performance can greatly impact Fastvue Reporter’s performance, a basic disk benchmark tool has been added to the hidden diagnostic page at /settings/DiagStats.aspx, showing sequential/random read/write performance, as well as random seek latency. Additional instruments and cache information have also been added.
  • User statistics in Settings | Licensing | User Statistics no longer include users associated with Failed VPN logins.

Sophos Reporter 3.0.1.63 (2022-09-13)
  • You can now adjust the username display format in Settings | Directory / LDAP | User Settings.
    By default, for new installs, authenticated users are displayed as “displayName (samAccountName)”. E.g. “Jane Doe (j.doe)”, to assist in identifying different users with the same name. More advanced customizations using other AD attributes can be made by carefully editing the UserAttrDisplayName element in Fastvue Reporter’s Settings.xml file when the Fastvue Reporter service is stopped. Please reach out to support@fastvue.co for assistance.
  • Search term extraction logic has been updated to better support a range of websites, including TikTok, Pinterest, Yandex, Tumblr, Swiggle & Internet Archive.
  • Fixed issues with the keyword highlighting feature that may occur when multiple keywords or excludes exist in a phrase.
  • Added support for the AntiVirus HTTPS log component. This means AV threats over HTTPS captured by the Sophos XG AV engine are now imported. Previously this was only working if the log component was HTTP.
  • The data retention size threshold now ignores the current day to prevent the index from being destroyed and recreated repeatedly, but this may mean that the size threshold may be ignored if the current day exceeds the limit. Also added a daily clean up task to remove temporary files more regularly.
  • LDAP directory import implementations have been updated to better handle timeouts and LDAP exceptions/errors.
  • Added a user interface to manage Elasticsearch indexes in Settings | Diagnostic | Database | Index Management. This includes options to open, close, reindex, merge segments, and delete indexes.
  • Added a user interface to change Elasticsearch’s Index Store Mode from mmapfs (default) to niofs. This is available in Settings | Diagnostic | Database | Memory Settings. When using mmapfs you’ll see increased memory usage but faster report generation. With niofs you’ll see reduced memory usage but slower report generation. The only time you should consider changing to niofs is when your Fastvue server is constrained on memory, but you have very fast SSD hard drives, and you’re willing to wait longer for reports to generate. For more information about these Elasticsearch Index Store Modes, see https://www.elastic.co/guide/en/elasticsearch/reference/5.6/index-modules-store.html
  • If reports on large date ranges are failing with a timeout error, you can now configure this timeout by carefully editing the DatabaseElasticRequestTimeout element in Fastvue Reporter’s Settings.xml file when the Fastvue Reporter service is stopped. The value is specified in seconds, and defaults to 300 (5 minutes). If you’re experiencing timeout errors when running reports, try increasing this value to 1200 (20 minutes). This changes how long Fastvue Reporter is willing to wait for a response from the Elasticsearch database when running queries.

Sophos Reporter 3.0.1.62 (2022-06-14)
  • This is the first public release introducing Fastvue Reporter’s new central Keywords feature. This feature centralizes all safeguarding keywords in one place (Self Harm, Extremism, Drugs, and Adult and Profanity), giving you greater control over keyword matches against searches and YouTube video titles in Reports and Alerts.

    Keywords are automatically cloud-updated with new words and phrases, and the introduction of whole word matching and comprehensive excluding functionality drastically reduces false positives.
  • Added an ‘Edit Keyword’ action to the Keyword Matched Searches and Keyword Matched Videos widgets in Overview Reports, making it easy to exclude words and phrases from the matching keyword to reduce future false positives.
  • Very long phrases now wrap to multiple lines in Reports.
  • Fixed issue where the keyword highlighting may be in the incorrect position.
  • The time threshold for ‘No syslog data received’ alerts is now configurable via the settings.xml file in Fastvue Reporter’s data location by adding this line (make sure the Fastvue Reporter service is not running when editing this file):

    <Item Name="SyslogInactivityThreshold" Type="System.TimeSpan, mscorlib" Value="600000000" />

    The “Value” needs to be represented in .NET ticks. Here is a handy online converter.
  • Windows installers now support installing in silent mode. Instructions for using this can be found at https://kb.fastvue.co/sophos/s/article/Silent-non-interactive-installation
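
A pre-flight check for the two hand-edited Settings.xml values described in these notes (ResolveSourceHostsIPRanges in 3.0.1.67 and SyslogInactivityThreshold in 3.0.1.62), to run before restarting the service. This is an added example, not Fastvue code. The function names, the <Settings> root element and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

TICKS_PER_SECOND = 10_000_000  # one .NET tick is 100 nanoseconds
# Ranges the release notes list as always resolved
BUILT_IN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/16", "fc00::/7")]
# Constructed sample; the <Settings> root element name is an assumption
SAMPLE = """<Settings>
  <Item Name="ResolveSourceHostsIPRanges" Type="System.String, mscorlib" Value="1.0.0.0/8,2.3.4.0/16,10.20.0.0/16" />
  <Item Name="SyslogInactivityThreshold" Type="System.TimeSpan, mscorlib" Value="600000000" />
</Settings>"""


def check_ranges(value):
    """Return (networks, problems) for a comma-separated CIDR list."""
    networks, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)  # rejects host bits
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
            continue
        if any(net.version == b.version and net.subnet_of(b) for b in BUILT_IN):
            problems.append(f"{entry}: already covered by a built-in range")
        networks.append(net)
    return networks, problems


def check_settings(xml_text):
    """Validate the two Item elements and report the threshold in seconds."""
    report = {"ranges": [], "problems": [], "inactivity_seconds": None}
    for item in ET.fromstring(xml_text).iter("Item"):
        name, value = item.get("Name"), item.get("Value", "")
        if name == "ResolveSourceHostsIPRanges":
            nets, problems = check_ranges(value)
            report["ranges"] = [str(n) for n in nets]
            report["problems"] += problems
        elif name == "SyslogInactivityThreshold":
            if value.isdigit():
                report["inactivity_seconds"] = int(value) / TICKS_PER_SECOND
            else:
                report["problems"].append(f"{name}: {value!r} is not a tick count")
    return report


if __name__ == "__main__":
    print(check_settings(SAMPLE))
```

The sample deliberately contains one range with host bits set and one that duplicates a built-in range, so both are reported as problems. The threshold value from the notes, 600000000 ticks, comes out as 60 seconds.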

Sophos Reporter 3.0.1.61 (2022-04-29)
  • Fixed an issue with the new keyword feature introduced in 3.0.1.59 that causes the software to freeze and lock up under certain keyword matching conditions.

Sophos Reporter 3.0.1.60 (2022-04-19)
  • The Unassigned Productivity list (Settings | Productivity) now has a limit of 200 values.
  • Added support for Source and Destination Country, Source and Destination Zones, Zone Type as well as Source and Destination Interfaces. These fields can be used in report and alert filters, and added to alert evidence tables. Note, these fields are logged by Sophos XG/XGS, not the SG/UTM models.
  • IT Network and Security reports now include widgets for Zones, Interfaces and Countries.

Sophos Reporter 3.0.1.59 (2022-03-17)
  • Added Keywords Feature centralizing all safeguarding keywords in one place (Settings | Keywords). The keywords lists apply to both reports and alerts, are automatically updated, and now include ‘whole word matching’. Each keyword has its own list of excluded keywords to reduce false positives.
  • Renamed the ‘Suspicious Searches’ widget in Overview Reports to ‘Keyword matched searches’
  • Added ‘Keyword Matched Videos’ widget that matches YouTube video titles against the new Keyword lists.
  • Added Keyword highlighting to keyword matching widgets in Overview Reports.
  • Alerts can now include columns in the Alert Evidence table for:
    – Search Terms with Keyword Highlighting
    – Search Terms Keyword Group
    – Search Terms Matched Keyword
    – Media Title with Keyword Highlighting
    – Media Title Keyword Group
    – Media Title Keyword Highlighting
  • Fastvue’s default alerts now have a ‘Reset to factory defaults’ option. This lets you reset the Search Term alerts to the new defaults which reference the new Keyword groups instead of having all keywords entered directly in the Alert’s criteria.
  • Fixed issue where alert emails could be sent with an empty alert evidence table.
  • Modified the default/suggested data retention size policy for new installs to better account for the disk’s available space.
  • Critical disk space thresholds now default to 2GB instead of 5%.
  • Fixed an issue that may prevent the data retention policy from running for up to one hour, before it starts working again.