| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
The tags beginning with firewall.sophos identify log events generated by the Sophos Firewalls.
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud. This is done by setting up the Devo Relay as a remote syslog server in Sophos.
...
The full tag must have at least four levels. The first two are fixed as firewall.sophos. The third level identifies the log type and must be one of general, securemail, securenet, secureweb,or system. The fourth element is required and fixed depending upon the log type.
technology | brand | log type | subtype |
|---|---|---|---|
firewall | sophos |
| fixed and required |
Therefore, the valid tags include:
...
Rule 1: If event format matches the Source Data regex, extract event data and append the values to the tag
Source Port → 13003 (the port number can be any free port on your relay)
Source Data → sys=\"([^\"]+)\" sub=\"([^\"]+)\"
Target Tag → firewall.sophos.\\D1.\\D2
Select the Stop Processing and Sent without syslog tag checkboxes
Rule 2: Apply the firewall.sophos.general.system tag to all other events received on the same port
Source Port → 13003 (the port number can be any free port on your relay)
Target Tag → firewall.sophos.general.system
Select the Sent without
syslog tagsyslog tag checkbox
Related articles
...