Sophos Firewall Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Sophos Firewall (XG/XGS) is a next-generation firewall providing network security, web filtering, VPN, IPS, and application control. This technology pack processes Sophos Firewall syslog messages, providing normalization and enrichment of common events of interest.

Requirements

  • Sophos Firewall running SFOS 19.x or later

  • Graylog Server with valid Enterprise license, version 6.0.1 or later

  • Sophos Firewall configured to send logs via syslog to Graylog

Supported Versions

  • SFOS 19.x and later

Log Collection and Delivery

Sophos Firewall logs are delivered to Graylog via syslog. The firewall must be configured to send logs to a Graylog syslog input using key-value format.

Syslog Configuration

Configure the Sophos Firewall to send logs via syslog:

  1. Navigate to System > Syslog in the Sophos Firewall web interface

  2. Add a syslog server with the Graylog server IP and port

  3. Select the log types to forward (Firewall, VPN, Authentication, IPS, Web, etc.)

  4. Create a matching Syslog input in Graylog

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Sophos Messages"

Hint: If this stream does not exist when the pack is activated, it will be created, and Sophos messages will be routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Sophos Device Log Messages"

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract Sophos Firewall logs into Graylog schema compatible fields

  • Graylog Information Model message categorization for network, authentication, HTTP, detection, DHCP, and audit events

  • GIM enforcement fields populated for all categorized events (service_name, application_name, event_outcome, event_action, source_reference, destination_reference; user_name on authentication events)

  • Normalized event_action values (allowed, blocked) derived from Sophos vendor_event_action via a lookup table; event_outcome (success, failure) derived from vendor_event_outcome via a separate lookup

  • Support for the 37 SFOS 19.5 log types including firewall rules, content filtering, VPN, IPS, anti-virus, WAF, and authentication

Log Format Example

Examples of Sophos Firewall syslog messages in key/value format (a firewall rule event, an administrator authentication event and an anti-virus event):

Sophos Firewall (key/value syslog)

device="SFW" date=2025-04-14 time=10:30:00 timezone="UTC" device_name="XG310" device_id=C010012345678 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=120 fw_rule_id=5 fw_rule_name="Allow LAN to WAN" fw_rule_section="user" policy_type=0 user_name="stefan" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=IPv4 (0x0800) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:0c:29:ab:cd:ef dst_mac=00:0c:29:12:34:56 src_ip=192.168.1.50 src_country_code=R1 dst_ip=8.8.8.8 dst_country_code=USA protocol="TCP" src_port=54321 dst_port=443 sent_pkts=15 recv_pkts=12 sent_bytes=2048 recv_bytes=4096 tran_src_ip=203.0.113.1 tran_src_port=54321 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connid="1234567890" vconnid="" hb_health="No Heartbeat" message="" app_resolved_by="Signature" app_is_cloud=0 app_category="general-internet"

device="SFW" date=2025-04-14 time=10:31:00 timezone="UTC" device_name="XG310" device_id=C010012345678 log_id=062009617704 log_type="Event" log_component="FirewallAuthentication" log_subtype="Authentication" status="" priority=Information user_name="admin" src_ip=10.0.0.1 message="User admin of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.0.0.1"

device="SFW" date=2025-04-14 time=10:32:00 timezone="UTC" device_name="XG310" device_id=C010012345678 log_id=054002616001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Warning src_ip=192.168.1.100 dst_ip=10.0.0.5 protocol="TCP" src_port=25 dst_port=1025 message="" reason="" filename="malware.exe" threatname="EICAR-Test-File" quarantine="Yes" quarantine_reason="Infected"

GIM Categorization

GIM categorization is provided for the following event types:

| Event Type | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| Firewall Authentication (login) | 100000 | authentication | authentication.logon | logon |
| My Account Authentication (login) | 100000 | authentication | authentication.logon | logon |
| Appliance (admin lockout) | 100000 | authentication | authentication.logon | logon |
| Firewall Authentication (logout) | 102500 | authentication | authentication.logoff | logoff |
| Firewall Rule, ICMP, DoS, MAC/IP filter, heartbeat | 120000 | network | network.network connection | network connection |
| HTTP Content Filtering | 120000 + 180200 | network + http | network.network connection + http.communication | network connection + http communication |
| Web Application Firewall | 180200 | http | http.communication | http communication |
| GUI Management | 229999 | audit | audit.default | audit event |
| DHCP Server | 299999 | dhcp | dhcp.default | dhcp default event |
| IPS Anomaly | 300000 | detection | detection.network_detection | ids_detection |
| IPS Signatures | 300000 | detection | detection.network_detection | ids_detection |
| Anti-Virus | 309999 | detection | detection.default | detection_message |
| ATP (Advanced Threat Protection) | 309999 | detection | detection.default | detection_message |
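The following Python is an added illustration of the two steps this pack performs on the key/value format shown above and the GIM categorization table: it is not the pack's pipeline rules or lookup tables. It assumes that the Sophos status field is what the pack calls vendor_event_action, that logouts are distinguished from logins by the message text, and uses constructed, shortened copies of the three sample messages as input; the lookup tables cover only those samples.

```python
import re
from typing import Dict, Optional

# Constructed sample lines, shortened from the three messages shown on this page.
SAMPLES = [
    'device="SFW" date=2025-04-14 time=10:30:00 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" user_gp="" ether_type=IPv4 (0x0800) src_ip=192.168.1.50 '
    'dst_ip=8.8.8.8 protocol="TCP" dst_port=443 hb_health="No Heartbeat"',
    'device="SFW" date=2025-04-14 time=10:31:00 log_type="Event" log_component="FirewallAuthentication" '
    'log_subtype="Authentication" status="" user_name="admin" src_ip=10.0.0.1 '
    'message="User admin of group Open Group logged in successfully to Firewall"',
    'device="SFW" date=2025-04-14 time=10:32:00 log_type="Anti-Virus" log_component="SMTP" '
    'log_subtype="Virus" status="" priority=Warning filename="malware.exe" threatname="EICAR-Test-File"',
]

# A value is either "quoted" (possibly empty, may contain spaces) or bare and runs up to
# the next key= token, so an unquoted value with a space (ether_type=IPv4 (0x0800)) stays whole.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')

def parse_kv(line: str) -> Dict[str, str]:
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

# Lookup tables. The pack's own tables are not on the page; these cover the values in the
# samples above (assumption: the Sophos "status" field is what the pack calls vendor_event_action).
EVENT_ACTION = {"Allow": "allowed", "Deny": "blocked", "Drop": "blocked"}
GIM = {  # (log_type, log_component) -> (code, category, subcategory, type); None = any component
    ("Firewall", "Firewall Rule"): (120000, "network", "network.network connection", "network connection"),
    ("Event", "FirewallAuthentication"): (100000, "authentication", "authentication.logon", "logon"),
    ("Anti-Virus", None): (309999, "detection", "detection.default", "detection_message"),
}

def categorize(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    key = (fields.get("log_type"), fields.get("log_component"))
    gim = GIM.get(key) or GIM.get((key[0], None))
    if gim is None:
        return None  # uncategorized: the event keeps only its parsed fields
    out = dict(zip(("gim_event_type_code", "gim_event_category",
                    "gim_event_subcategory", "gim_event_type"), gim))
    # Logouts share log_type/log_component with logins; split on the message text (assumption).
    if out["gim_event_category"] == "authentication" and "logged out" in fields.get("message", ""):
        out.update(gim_event_type_code=102500,
                   gim_event_subcategory="authentication.logoff", gim_event_type="logoff")
    if fields.get("status") in EVENT_ACTION:
        out["event_action"] = EVENT_ACTION[fields["status"]]
    return out
```

Running `categorize(parse_kv(line))` over the samples yields a network connection event with event_action "allowed", a logon event with no event_action (status is empty), and a detection_message event.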