View web events

Note This feature will be unavailable if your license doesn't include Web Control.

If you use role-based administration, you must have the Web events right to view web events in Sophos Enterprise Console. For more information about role-based administration, see Managing roles and sub-estates.

You can view the following web events in the Web Event Viewer:

  • Malicious websites blocked by the Web Protection feature in the Anti-virus and HIPS policy.
  • Web control events, if you use the web control feature.

Web control events are displayed differently, depending on which web control policy is selected. Although the Web Event Viewer can be used in both policy modes, the content is different.

When the Inappropriate Website Control policy option is selected, you can view any “Block” and “Warn” actions. Visited HTTPS sites categorized as “Warn” are logged as “Proceed” events because Sophos Endpoint Security and Control responds differently to HTTPS (see the note in Inappropriate Website Control).

When Full Web Control is selected, events are displayed on the appliance.

  • For Sophos Web Appliance or Management Appliance, you can view browsing activity using the Reports and Search features. “Block,” “Warn,” and “Allow” actions are all shown. Visited HTTPS sites categorized as “Warn” are displayed as “Proceed” events because Sophos Endpoint Security and Control responds differently to HTTPS (see the note in Full Web Control).
  • For UTM, use the Logging & Reporting > Web Protection > Web Usage Report page. There you can see actions showing whether the website has been delivered to the client (passed), whether it has been blocked by an application control rule, or whether a user gained access to a blocked page using the bypass blocking feature (overridden), as well as other information.
Note Regardless of which policy you select, websites scanned and assessed by Sophos Endpoint Security and Control's live URL-filtering (Web protection) are displayed as web events in Sophos Enterprise Console.

To view web events:

  1. On the Events menu, click Web Events.
    The Web - Event Viewer dialog box appears.
  2. In the Search period box, click the drop-down arrow, and select the period for which you want to display the events.

    You can either select a fixed period, for example, Within 24 hours, or select Custom and specify your own time period by selecting the starting and ending dates and times.

  3. If you want to view events for a certain User or Computer, enter the name in the respective field.

    If you leave the fields empty, events for all users and computers will be displayed.

    You can use wildcards in these fields. Use ? for any single character and * for any string of characters.

  4. If you want to view events associated with a certain action, in the Action field, click the drop-down arrow and select the action.
  5. If you want to view events associated with a specific domain, enter it in the Domain field.
  6. If you want to view events that were triggered for a particular Reason, click the drop-down arrow and select the reason.
  7. Click Search to display a list of events.

You can export the list of web events to a file. For details, see Export the list of events to a file.