Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security Graylog Security. Contact sales to learn more about obtaining Illuminate.

Sophos XG/XGS is a network security solution designed to provide comprehensive protection for networks against various threats including malware, viruses, ransomware, phishing, and more. It combines multiple security features into a single platform, offering both traditional firewall capabilities and advanced security functionality.


  • The pack has been tested with SFOS (Sophos Firewall Software) version 19.5. If testing compatibility with older versions, please note that the older SFOS 17.x (released in Dec 2019) uses different field names for some log types. While the pack can still parse all the fields, certain dashboards and categorizations may not function correctly due to these variations in field names. Firewall XG and XGS are fully supported.

  • A Graylog server with a valid enterprise license running Graylog version 5.0.3 or later is required.

Supported Logs/Event IDs

  • All 37 SFOS log types for SFOS 19.5 are supported.

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Sophos Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Sophos Device Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Example

device"SFW" date=2023-04-20 time=13:26:37 timezone="IST" device_name="XGS5w" device_id=SFTest180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="none" application_risk=0 application_technology="MS" application_category="" in_interface="" out_interface="" src_mac= src_ip= src_country_code= dst_ip= dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby="Signature"

Sophos XG/XGS Firewall Configuration for Syslog

To enable Sophos Syslog output, Graylog requires a Syslog UDP input. Follow these steps to set up a Syslog output:

  1. Navigate to System Services.

  2. Select Log Settings on your Sophos GUI.

Choose the "Standard Syslog format" for optimal compatibility and functionality. Although the legacy "Device standard format" may work, it offers fewer or different fields. It is also important to note that selecting the legacy format may result in GIM errors in some cases.

What is Provided

  • Rules to normalize and enrich SFOS (Sophos Firewall Software) log messages

  • Dashboards

Sophos XG/XGS Firewall Message Processing

The Illuminate processing of Sophos XG/XGS Firewall log messages provides the following:

  • Extraction of fields, normalization, and enrichment of SFOS log messages.

  • GIM Categorization of the following messages:

Vendor Event Component GIM Event Type Code GIM Event Type
DHCP Server 299999 DHCP Default Event
Firewall Rule 120000
Network Connection
Invalid Traffic 120000 Network Connection
Heartbeat 120000 Network Connection
ICMP Redirection 120000 Network Connection
ICMP ERROR MESSAGE 120000 Network Connection
Fragmented Traffic 120000 Network Connection
Invalid Fragmented Traffic 120000 Network Connection
Local ACL 120000 Network Connection
DoS Attack 120000 Network Connection
Source Routed 120000 Network Connection
MAC Filter 120000 Network Connection
IPMAC Filter 120000 Network Connection
IP Spoof 120000 Network Connection
Virtual Host 120000 Network Connection
GUI 229999 Audit Event
My Account Authentication 100000 Logon
Firewall Authentication 100000 Logon
Anomaly 179999 Alert Message
Signatures 179999 Alert Message
Web Application Firewall 180200 HTTP Communication


Vendor Event Subtype GIM Event Type Code GIM Event Type
ATP 179999 Alert Message
Virus 179999 Alert Message
Content Filtering 120000 Network Connection