The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Sophos XG/XGS is a network security solution designed to provide comprehensive protection for networks against various threats including malware, viruses, ransomware, phishing, and more. It combines multiple security features into a single platform, offering both traditional firewall capabilities and advanced security functionality.

Requirements

  • The pack has been tested with SFOS (Sophos Firewall Software) version 19.5. If you test it against older versions, note that SFOS 17.x (released in Dec 2019) uses different field names for some log types. The pack can still parse all the fields, but certain dashboards and categorizations may not function correctly because of these field-name variations. Firewall XG and XGS are fully supported.

  • A Graylog server with a valid enterprise license running Graylog version 5.0.3 or later is required.

Supported Logs/Event IDs

  • All 37 SFOS log types for SFOS 19.5 are supported.

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Sophos Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and messages will be routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Sophos Device Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Example

device="SFW" date=2023-04-20 time=13:26:37 timezone="IST" device_name="XGS5w" device_id=SFTest180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="none" application_risk=0 application_technology="MS" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.10.32.19 src_country_code= dst_ip=18.18.18.18 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby="Signature"

Sophos XG/XGS Firewall Configuration for Syslog

Sophos sends its logs over syslog, so a Syslog UDP input is required on the Graylog side. Follow these steps in the Sophos GUI to set up a syslog output:

  1. Navigate to System Services.

  2. Select Log Settings on your Sophos GUI.

Choose the "Standard Syslog format" for optimal compatibility and functionality. The legacy "Device standard format" may work, but it provides fewer or different fields, and selecting it may in some cases result in GIM errors.

What is Provided

  • Rules to normalize and enrich SFOS (Sophos Firewall Software) log messages

  • Dashboards

Sophos XG/XGS Firewall Message Processing

The Illuminate processing of Sophos XG/XGS Firewall log messages provides the following:

  • Extraction of fields, normalization, and enrichment of SFOS log messages.

  • The message field will be replaced by a shorter message to reduce license utilization. Activate the full_message option in the input if needed.

  • GIM Categorization of the following messages:

Vendor Event Component        GIM Event Type Code   GIM Event Type
DHCP Server                   299999                DHCP Default Event
Firewall Rule                 120000                Network Connection
Invalid Traffic               120000                Network Connection
Heartbeat                     120000                Network Connection
ICMP Redirection              120000                Network Connection
ICMP ERROR MESSAGE            120000                Network Connection
Fragmented Traffic            120000                Network Connection
Invalid Fragmented Traffic    120000                Network Connection
Local ACL                     120000                Network Connection
DoS Attack                    120000                Network Connection
Source Routed                 120000                Network Connection
MAC Filter                    120000                Network Connection
IPMAC Filter                  120000                Network Connection
IP Spoof                      120000                Network Connection
Virtual Host                  120000                Network Connection
GUI                           229999                Audit Event
My Account Authentication     100000                Logon
Firewall Authentication       100000                Logon
Anomaly                       179999                Alert Message
Signatures                    179999                Alert Message
Web Application Firewall      180200                HTTP Communication

Vendor Event Subtype          GIM Event Type Code   GIM Event Type
ATP                           179999                Alert Message
Virus                         179999                Alert Message
Content Filtering             120000                Network Connection
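The following Python script is an added example and is not part of the Illuminate pack or its pipeline rules. It shows how the "Standard Syslog format" key=value line from the Log Example section is split into fields (including empty values such as src_mac= and the run-together tran_src_ip=tran_src_port=0 fragment that appears in some exports) and how the two GIM categorization tables above map log_component and log_subtype to a GIM event type code. The sample line reproduces the page's example; the set of fields converted to integers, the field names gim_event_type_code and gim_event_type, and the lookup order (component table before subtype table) are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# One key=value token of the SFOS "Standard Syslog format". The value is either a
# double-quoted string (may be empty, may contain spaces or \" escapes), a bare word
# that runs up to the next whitespace or end of line, or nothing at all (src_mac=).
# A bare word never contains '=' and must be followed by whitespace/end, so the
# fragment tran_src_ip=tran_src_port=0 yields two keys instead of one bogus value.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"=]+(?=\s|$)|)')

# Assumed list of numeric fields; converted to int when non-empty. log_id is left as a
# string on purpose because its leading zeros are significant.
INT_FIELDS = {"src_port", "dst_port", "tran_src_port", "tran_dst_port", "duration",
              "sent_pkts", "recv_pkts", "sent_bytes", "recv_bytes", "fw_rule_id"}

# GIM categorization tables as listed in the content-pack description.
GIM_BY_COMPONENT: Dict[str, Tuple[int, str]] = {
    "DHCP Server": (299999, "DHCP Default Event"),
    "Firewall Rule": (120000, "Network Connection"),
    "Invalid Traffic": (120000, "Network Connection"),
    "Heartbeat": (120000, "Network Connection"),
    "ICMP Redirection": (120000, "Network Connection"),
    "ICMP ERROR MESSAGE": (120000, "Network Connection"),
    "Fragmented Traffic": (120000, "Network Connection"),
    "Invalid Fragmented Traffic": (120000, "Network Connection"),
    "Local ACL": (120000, "Network Connection"),
    "DoS Attack": (120000, "Network Connection"),
    "Source Routed": (120000, "Network Connection"),
    "MAC Filter": (120000, "Network Connection"),
    "IPMAC Filter": (120000, "Network Connection"),
    "IP Spoof": (120000, "Network Connection"),
    "Virtual Host": (120000, "Network Connection"),
    "GUI": (229999, "Audit Event"),
    "My Account Authentication": (100000, "Logon"),
    "Firewall Authentication": (100000, "Logon"),
    "Anomaly": (179999, "Alert Message"),
    "Signatures": (179999, "Alert Message"),
    "Web Application Firewall": (180200, "HTTP Communication"),
}
GIM_BY_SUBTYPE: Dict[str, Tuple[int, str]] = {
    "ATP": (179999, "Alert Message"),
    "Virus": (179999, "Alert Message"),
    "Content Filtering": (120000, "Network Connection"),
}

# The page's example line (syslog transport header already removed by the Graylog input).
SAMPLE_LOG = (
    'device="SFW" date=2023-04-20 time=13:26:37 timezone="IST" device_name="XGS5w" '
    'device_id=SFTest180a log_id=010202601001 log_type="Firewall" '
    'log_component="Invalid Traffic" log_subtype="Denied" status="Deny" '
    'priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" '
    'iap=0 ips_policy_id=0 appfilter_policy_id=0 application="none" application_risk=0 '
    'application_technology="MS" application_category="" in_interface="" out_interface="" '
    'src_mac= src_ip=10.10.32.19 src_country_code= dst_ip=18.18.18.18 dst_country_code= '
    'protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 '
    'recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 '
    'srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" '
    'hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby="Signature"'
)
# Constructed fragment showing the missing-space export quirk.
EDGE_FRAGMENT = "tran_src_ip=tran_src_port=0 tran_dst_ip= tran_dst_port=0"


def parse_sfos_line(line: str) -> Dict[str, object]:
    """Split a Standard Syslog format line into a field dict."""
    fields: Dict[str, object] = {}
    for key, raw in KV_TOKEN.findall(line):
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        fields[key] = int(value) if key in INT_FIELDS and value != "" else value
    return fields


def categorize(fields: Dict[str, object]) -> Optional[Tuple[int, str]]:
    """Return (GIM event type code, GIM event type), or None if neither table covers the event.

    Looking at log_component before log_subtype is an assumption for this example.
    """
    hit = GIM_BY_COMPONENT.get(str(fields.get("log_component", "")))
    if hit is None:
        hit = GIM_BY_SUBTYPE.get(str(fields.get("log_subtype", "")))
    return hit


def process(line: str) -> Dict[str, object]:
    """Parse and enrich one line: parsed fields plus gim_* keys when a table entry matches."""
    fields = parse_sfos_line(line)
    hit = categorize(fields)
    if hit is not None:
        fields["gim_event_type_code"], fields["gim_event_type"] = hit
    return fields


if __name__ == "__main__":
    for k, v in process(SAMPLE_LOG).items():
        print(f"{k}={v!r}")
```

Running the script prints every field of the example line followed by gim_event_type_code=120000 and gim_event_type='Network Connection', because log_component is "Invalid Traffic"; a line whose component and subtype appear in neither table comes back without the gim_* keys, which is the case to watch for when a newer SFOS release adds log types.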