
firewall.sophos

The tags beginning with firewall.sophos identify log events generated by the Sophos Firewalls.

Sophos Firewall has no facility for applying a Devo tag to its own events, so the events should be sent to a Devo Relay, which identifies them, applies the tag, and forwards them securely to the Devo Cloud. To do this, configure the Devo Relay as a remote syslog server in Sophos.

Tag structure

The full tag must have at least four levels. The first two are fixed as firewall.sophos. The third level identifies the log type (for example securenet or system), and the fourth level is required and is fixed by the log type (for example packetfilter or auth). The only exceptions in the table below are firewall.sophos.tagged and firewall.sophos.xgfirewall, which stop at three levels.

Therefore, the valid tags include:

Product / Service: Sophos Firewall

Tags                                              Data tables

firewall.sophos.general.system                    firewall.sophos.general.system
firewall.sophos.securemail.smtp                   firewall.sophos.securemail.smtp
firewall.sophos.securenet.ips                     firewall.sophos.securenet.ips
firewall.sophos.securenet.packetfilter            firewall.sophos.securenet.packetfilter
firewall.sophos.securenet.vpn                     firewall.sophos.securenet.vpn
firewall.sophos.secureweb.eplog                   firewall.sophos.secureweb.eplog
firewall.sophos.secureweb.http                    firewall.sophos.secureweb.http
firewall.sophos.system.auth                       firewall.sophos.system.auth
firewall.sophos.system.confd                      firewall.sophos.system.confd
firewall.sophos.system.eplog                      firewall.sophos.system.eplog
firewall.sophos.system.epsecd                     firewall.sophos.system.epsecd
firewall.sophos.system.ha                         firewall.sophos.system.ha
firewall.sophos.system.loadbalancing              firewall.sophos.system.loadbalancing
firewall.sophos.system.red                        firewall.sophos.system.red
firewall.sophos.system.up2date                    firewall.sophos.system.up2date
firewall.sophos.system.wifi                       firewall.sophos.system.wifi
firewall.sophos.tagged                            firewall.sophos.tagged
All of the following tags:                        firewall.sophos.xgfirewall
  • firewall.sophos.xgfirewall
  • firewall.sophos.xgfirewall.firewall
  • firewall.sophos.xgfirewall.fw
  • firewall.sophos.xgfirewall.event
  • firewall.sophos.xgfirewall.contentfiltering
  • firewall.sophos.xgfirewall.idp
  • firewall.sophos.xgfirewall.systemhealth
  • firewall.sophos.xgfirewall.wirelessprotection
firewall.sophos.xgfirewall.contentfiltering       firewall.sophos.xgfirewall.contentfiltering
firewall.sophos.xgfirewall.event                  firewall.sophos.xgfirewall.event
firewall.sophos.xgfirewall.firewall               firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.idp                    firewall.sophos.xgfirewall.idp
firewall.sophos.xgfirewall.systemhealth           firewall.sophos.xgfirewall.systemhealth
firewall.sophos.xgfirewall.wirelessprotection     firewall.sophos.xgfirewall.wirelessprotection

For more information, read more about Devo tags.

Devo Relay rules

You will need to define two relay rules, both listening on the same source port, that together identify the event type and apply the corresponding tag. Rule 1 identifies the event type by the port it was received on and by whether the event matches a regular expression. Rule 2 is applied to any event on that port that did not match Rule 1 and applies the fallback tag firewall.sophos.general.system. Rule 1 must come first and must stop processing on a match, so that a matching event is not also handled by Rule 2. Whatever port you choose, restrict it at the host or network firewall to the Sophos appliance's address, since plain syslog carries no sender authentication.

When the Rule 1 source conditions are met, the relay applies a tag that begins with firewall.sophos. The regular expression in the Source data field describes the format of the event data: its two capture groups, the values of the sys and sub fields in the event, are extracted and become the third and fourth levels of the tag.

Rule 1

If event format matches the Source data regex, extract event data and append the values to the tag

  • Source port → 13003 (the port number can be any free port on your relay)

  • Source data → sys=\"([^\"]+)\" sub=\"([^\"]+)\"

  • Target tag → firewall.sophos.\\D1.\\D2

  • Select the Stop processing and Sent without syslog tag checkboxes

Rule 2

Apply the firewall.sophos.general.system tag to all other events received on the same port

  • Source port → 13003 (the port number can be any free port on your relay)

  • Target tag → firewall.sophos.general.system

  • Select the Sent without syslog tag checkbox
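As an added example (not Devo's or Sophos's own code), the following Python script replays the two rules above in the order the relay would apply them, Rule 1's regex first with stop-on-match, then the Rule 2 fallback, over a few constructed Sophos-style key="value" events, and checks each resulting tag against the tag list in the table above so that a sys/sub pair that would land outside the documented tables is spotted before events reach the Cloud. The sample lines, hostnames and addresses are made up for the example; lowercasing the captured values is this script's own choice, since the page lists the tags in lowercase but does not say whether the relay normalises case itself.

```python
import re

# Added example (not Devo's or Sophos's own code). It replays the two relay
# rules described on this page over constructed Sophos-style syslog lines so
# the tag each event would receive can be checked before going live.

# Rule 1 "Source data" regex. The page writes it as sys=\"([^\"]+)\" sub=\"([^\"]+)\"
# for the relay UI; in a Python raw string the quotes need no escaping.
RULE1_SOURCE_DATA = re.compile(r'sys="([^"]+)" sub="([^"]+)"')

# Rule 1 target tag firewall.sophos.\\D1.\\D2, where \\D1 and \\D2 are the two captures.
RULE1_TARGET_TAG = "firewall.sophos.{D1}.{D2}"

# Rule 2 fallback tag for anything on the port that Rule 1 did not match.
RULE2_TARGET_TAG = "firewall.sophos.general.system"

# Four-level tags listed in this page's table. The three-level
# firewall.sophos.tagged and firewall.sophos.xgfirewall are not produced by
# Rule 1, so they are left out of this check.
DOCUMENTED_TAGS = frozenset({
    "firewall.sophos.general.system",
    "firewall.sophos.securemail.smtp",
    "firewall.sophos.securenet.ips",
    "firewall.sophos.securenet.packetfilter",
    "firewall.sophos.securenet.vpn",
    "firewall.sophos.secureweb.eplog",
    "firewall.sophos.secureweb.http",
    "firewall.sophos.system.auth",
    "firewall.sophos.system.confd",
    "firewall.sophos.system.eplog",
    "firewall.sophos.system.epsecd",
    "firewall.sophos.system.ha",
    "firewall.sophos.system.loadbalancing",
    "firewall.sophos.system.red",
    "firewall.sophos.system.up2date",
    "firewall.sophos.system.wifi",
    "firewall.sophos.xgfirewall.contentfiltering",
    "firewall.sophos.xgfirewall.event",
    "firewall.sophos.xgfirewall.firewall",
    "firewall.sophos.xgfirewall.fw",
    "firewall.sophos.xgfirewall.idp",
    "firewall.sophos.xgfirewall.systemhealth",
    "firewall.sophos.xgfirewall.wirelessprotection",
})


def apply_relay_rules(event: str) -> str:
    """Return the tag the two rules assign to one raw event.

    Rule 1 is evaluated first and stops processing on a match, as the page's
    "Stop processing" checkbox does, so a matching event never reaches Rule 2.
    """
    match = RULE1_SOURCE_DATA.search(event)
    if match:
        # The documented tags are lowercase, so the captures are lowercased here.
        # Assumption: whether the relay normalises case itself is not stated on the page.
        return RULE1_TARGET_TAG.format(D1=match.group(1), D2=match.group(2)).lower()
    return RULE2_TARGET_TAG


def is_documented_tag(tag: str) -> bool:
    """True if the tag is one this page lists as a valid firewall.sophos table."""
    return tag in DOCUMENTED_TAGS


def classify(events):
    """Map each event to (tag, documented?) so undocumented sys/sub pairs stand out."""
    return [(tag, is_documented_tag(tag)) for tag in map(apply_relay_rules, events)]


# Constructed sample events in the key="value" style Sophos UTM writes; the
# hostnames, process names, rule numbers and addresses are made up.
SAMPLE_EVENTS = [
    '2024:01:15-10:22:31 utm01 ulogd[4321]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" '
    'srcip="10.0.0.5" dstip="198.51.100.20" proto="6" dstport="445"',
    '2024:01:15-10:22:35 utm01 httpproxy[2210]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" srcip="10.0.0.7" url="http://example.com/"',
    '2024:01:15-10:22:40 utm01 aua[1180]: id="3004" severity="info" sys="System" '
    'sub="auth" name="Authentication successful" user="admin" srcip="10.0.0.9"',
    # No sys=/sub= pair at all: Rule 1 does not match, Rule 2 applies.
    '2024:01:15-10:22:44 utm01 confd[1122]: starting reconfiguration of service ipsec',
    # Hypothetical component name, to show how an unlisted tag is flagged.
    '2024:01:15-10:22:50 utm01 ulogd[4321]: id="9999" severity="info" sys="SecureNet" '
    'sub="newcomponent" name="constructed event"',
]

if __name__ == "__main__":
    for tag, documented in classify(SAMPLE_EVENTS):
        flag = "" if documented else "   <-- not in this page's table list"
        print(f"{tag:<48}{flag}")
```

Run it as a script to see one tag per sample line; the last line is flagged because firewall.sophos.securenet.newcomponent is not among the documented tables. If the regex is edited (for example to tolerate extra fields between sys and sub), re-running the script against lines captured from your own appliance shows whether every event still lands in a listed table or falls through to firewall.sophos.general.system.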

Table structure

These are the fields displayed in these tables: