...
Source Port → 13003 (the port number can be any free port on your relay)
Source Data → sys=\"([^\"]+)\" sub=\"([^\"]+)\"
Target Tag → firewall.sophos.\\D1.\\D2
Select the Stop Processing and Sent without syslog tag checkboxes
Rule 2: Apply the firewall.sophos.general.system tag to all other events received on the same port
Source Port → 13003 (the port number can be any free port on your relay)
Target Tag → firewall.sophos.general.system
Select the Sent without syslog tag checkbox
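The following is an added example, not taken from the relay's own code or documentation: a small Python model of the two rules above, useful for checking which tag a given log line would receive before the rules go live. The sample log lines are constructed, and the model assumes the relay evaluates rules in order, matches Source Data anywhere in the event, and substitutes `\\D1` and `\\D2` with the capture groups verbatim.

```python
import re

# The two rules from this page: (source port, Source Data, Target Tag, Stop Processing)
RULES = [
    (13003, r'sys=\"([^\"]+)\" sub=\"([^\"]+)\"', r'firewall.sophos.\\D1.\\D2', True),
    (13003, None, 'firewall.sophos.general.system', False),
]

# Constructed sample events (not real logs)
SAMPLES = [
    '2024:01:10-12:00:01 fw ulogd[4321]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop"',
    '2024:01:10-12:00:05 fw sshd[999]: Accepted publickey for admin',
]

def matching_tags(port, line, rules=RULES):
    """Return the tags assigned by every rule that fires for this event.

    Modelling assumption: rules are tried top to bottom and a rule with
    Stop Processing set ends evaluation for the event.
    """
    tags = []
    for rule_port, source_data, target, stop in rules:
        if rule_port != port:
            continue  # rule is bound to a different listening port
        match = None
        if source_data is not None:
            match = re.search(source_data, line)
            if match is None:
                continue  # Source Data did not match, try the next rule
        if match is not None:
            # Assumption: \\Dn means "capture group n of Source Data"
            tag = re.sub(r'\\\\D(\d+)',
                         lambda m: match.group(int(m.group(1))), target)
        else:
            tag = target
        tags.append(tag)
        if stop:
            break
    return tags

if __name__ == "__main__":
    for sample in SAMPLES:
        print(matching_tags(13003, sample), "<-", sample[:60])
```

In this model, clearing Stop Processing on the first rule lets the catch-all rule fire on events the first rule has already tagged.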
...