
firewall.sophos.xgfirewall

The tags beginning with firewall.sophos.xgfirewall identify log events generated by the Sophos XG Firewalls.

The events should be forwarded to a Devo Relay within the same secure network as the XG Firewall to be identified, tagged, and forwarded securely to the Devo Cloud. This is done by setting up the Devo Relay as a remote syslog server in Sophos.

For information about sending events to Devo from Sophos UTM, see the firewall.sophos article.

Tag structure

The full tag must have at least four levels. The first three are fixed as firewall.sophos.xgfirewall. The fourth level identifies the log type and must be one of contentfiltering, event, firewall, systemhealth, or wirelessprotection.

Technology | Brand | Product | Log type
--- | --- | --- | ---
firewall | sophos | xgfirewall | contentfiltering, event, firewall, systemhealth, wirelessprotection

Therefore, the valid tags are:

  • firewall.sophos.xgfirewall.contentfiltering

  • firewall.sophos.xgfirewall.event

  • firewall.sophos.xgfirewall.firewall

  • firewall.sophos.xgfirewall.systemhealth

  • firewall.sophos.xgfirewall.wirelessprotection

The associated events will be saved in Devo in tables of the same names. In addition, a union table called firewall.sophos.xgfirewall will contain all of the events in the other tables.

For more information, read more about Devo tags.

Set up the Devo Relay rule

You will need to set up a type 4 relay rule that can identify the event's type by the source port that it was received on and by event content captured using a regular expression. The content captured is then used to build the correct Devo tag.

In Devo, go to Administration → Relays and select the relay to which you want to forward the events.

The relay must reside within the same secure network as your XG Firewall.

Click Add Rule. Enter the following details to set up the rule:

  • Source port → 13010    (the port number can be any free port on your relay)

  • Source data → log_type=\"([\w]+)\s*([\w]*)\"

  • Target tag → firewall.sophos.xgfirewall.\\D1.\\D2

  • Select the Stop processing and Sent without syslog tag checkboxes

Click Add Rule.
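As a pre-flight check before enabling the rule, the following Python example (added here; it is not Devo relay code or part of the original documentation) applies the rule's Source data expression to constructed sample lines and reports the two capture groups and the documented table each event should reach. The step that lowercases and joins the captured words into the fourth tag level is an assumption made so the result can be compared with the five table names listed above; it is not documented relay behaviour.

```python
import re

# "Source data" regex and the five documented fourth-level names,
# copied from the relay rule and tag structure described on this page.
SOURCE_DATA = r'log_type=\"([\w]+)\s*([\w]*)\"'
LOG_TYPES = {"contentfiltering", "event", "firewall",
             "systemhealth", "wirelessprotection"}

# Constructed sample lines in the Sophos key="value" style (not real
# device output); only the log_type field matters to the rule.
SAMPLES = [
    'device="SFW" date=2020-05-12 time=10:12:31 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" src_ip=10.0.0.5',
    'device="SFW" date=2020-05-12 time=10:12:32 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" url="http://example.com/"',
    'device="SFW" date=2020-05-12 time=10:12:33 log_type="System Health" '
    'log_component="CPU" idle="97" user="2" system="1"',
    'device="SFW" date=2020-05-12 time=10:12:34 log_component="GUI" '
    'log_subtype="Admin" message="constructed line without log_type"',
]


def capture_groups(line):
    """Apply the rule's regex; return (D1, D2), or None when the rule
    would not fire for this line (no log_type field, or one that does
    not fit the one-or-two-word pattern)."""
    m = re.search(SOURCE_DATA, line)
    return None if m is None else (m.group(1), m.group(2))


def expected_tag(line):
    """Tag the event is expected to land under, or None when the line is
    not matched or the captured log type has no documented table.
    Assumption: the fourth level is the captured words lowercased and
    joined, which is how the five table names on this page are spelled."""
    groups = capture_groups(line)
    if groups is None:
        return None
    level4 = (groups[0] + groups[1]).lower()
    return "firewall.sophos.xgfirewall." + level4 if level4 in LOG_TYPES else None


if __name__ == "__main__":
    for sample in SAMPLES:
        print(capture_groups(sample), "->", expected_tag(sample))
```

A line that returns None here would be received on port 13010 but never tagged by this rule, so running the check over a capture of real device output shows which events the rule silently drops.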

Forward the events from XG Firewall to the Devo relay

With the relay ready to receive and process the XG Firewall events, you can start to forward them. To do so, set up your Devo Relay as a syslog server in XG Firewall.

Check out this Sophos Knowledge base article for instructions. Just be sure to:

  • Specify the correct IP address of the Devo relay and the same port on which you added the relay rule.

  • Specify which logs you want to output to syslog in System Services → Log Settings.

Table structure

These are the fields displayed in these tables:

firewall.sophos.xgfirewall.contentfiltering

Field | Type | Field transformation | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | timestamp | | |
machine | str | | vmachine |
time | str | | |
timezone | str | | |
device_name | str | | |
device_id | str | | |
log_id | str | | |
log_type | str | | |
log_component | str | | |
log_subtype | str | | |
status | str | | |
message | str | | |
priority | str | | |
nat_rule_name | str | | |
fw_rule_id | int8 | | |
fw_rule_type | str | | |
fw_rule_name | str | | |
fw_rule_section | str | | |
gw_id_request | int4 | | |
gw_name_request | str | | |
user_name | str | | |
user_gp | str | | |
application_filter_policy | int8 | | |
iap | int8 | | |
category | str | | |
category_type | str | | |
url | str | | |
contenttype | str | | |
override_token | str | | |
httpresponsecode | str | | |
src_ip | ip4 | | |
src_country | str | | |
src_country_code | str | | |
src_mac | str | | |
dst_ip | ip4 | | |
dst_country | str | | |
dst_country_code | str | | |
protocol | str | | |
src_port | int8 | | |
dst_port | int8 | | |
dst_mac | str | | |
domain | str | | |
exceptions | str | | |
activityname | str | | |
reason | str | | |
used_quota | str | | |
http_status | str | | |
http_category | str | | |
http_category_type | str | | |
timestamp | str | | |
device_model | str | | |
device_serial_id | str | | |
log_version | int4 | | |
severity | str | | |
user_group | str | | |
web_policy_id | int8 | | |
con_id | int8 | | |
application_name | str | isnull(application_name_aux) or isempty(application_name_aux) ? app_name : application_name_aux | application_name_aux, app_name |
application_risk | int8 | isnull(application_risk_aux) or isempty(application_risk_aux) ? app_risk : application_risk_aux | app_risk, application_risk_aux |
application_technology | str | isnull(application_technology_aux) or isempty(application_technology_aux) ? app_technology : application_technology_aux | application_technology_aux, app_technology |
application_category | str | | app_category, application_category_aux |
application_resolved_by | str | | application_resolved_by_aux, app_resolved_by |
application_is_cloud | str | | application_is_cloud_aux, app_is_cloud |
application_filter_policy_id | int8 | | application_filter_policy_id_aux, appfilter_policy_id |
packets_sent | int8 | | packets_sent_aux, sent_pkts |
packets_received | int8 | | recv_pkts, packets_received_aux |
bytes_sent | int8 | | sent_bytes, bytes_sent_aux |
bytes_received | int8 | | bytes_received_aux, recv_bytes |
src_trans_ip | ip4 | | src_trans_ip_aux, tran_src_ip |
src_trans_port | int8 | | tran_src_port, src_trans_port_aux |
dst_trans_ip | ip4 | | tran_dst_ip, dst_trans_ip_aux |
dst_trans_port | int8 | | tran_dst_port, dst_trans_port_aux |
src_zone_type | str | | srczonetype, src_zone_type_aux |
src_zone | str | | srczone, src_zone_aux |
dst_zone_type | str | | dst_zone_type_aux, dstzonetype |
dst_zone | str | | dst_zone_aux, dstzone |
unknown | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | message | ✓
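The following Python example is added here (it is not Devo's parser nor code from this documentation) to show how the Source field name and Field transformation columns of the contentfiltering table apply to one event: it splits a constructed Sophos key=value line into its source fields, renames a hand-picked subset of them to their Devo column names, and applies the isnull/isempty fallback for application_name, application_risk and application_technology. The RENAMES and COALESCED maps cover only part of the table, and the casts implied by the Type column (int8, ip4) are left out.

```python
import re

# One Sophos key=value or key="value" pair; quoted values may contain spaces.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Source field name -> Devo column, a hand-picked subset of the table above.
RENAMES = {"sent_pkts": "packets_sent", "recv_pkts": "packets_received",
           "sent_bytes": "bytes_sent", "recv_bytes": "bytes_received",
           "srczone": "src_zone", "dstzone": "dst_zone"}

# Columns built with "isnull(aux) or isempty(aux) ? fallback : aux".
COALESCED = {"application_name": ("application_name_aux", "app_name"),
             "application_risk": ("application_risk_aux", "app_risk"),
             "application_technology": ("application_technology_aux",
                                        "app_technology")}

# Constructed sample event (not real device output): application_name_aux is
# present but empty, application_risk_aux is set and application_technology_aux
# is absent, so each COALESCED column exercises a different branch.
SAMPLE = ('device="SFW" date=2020-05-12 time=10:12:32 log_type="Content Filtering" '
          'log_component="HTTP" status="Allow" user_name="alice" src_ip=10.0.0.5 '
          'dst_ip=192.0.2.10 url="http://example.com/index.html" app_name="HTTP" '
          'app_risk=1 application_name_aux="" application_risk_aux=3 '
          'app_technology="Browser Based" sent_pkts=12 recv_pkts=10 '
          'sent_bytes=1864 recv_bytes=5402 srczone="LAN" dstzone="WAN"')


def parse_pairs(line):
    """Return the event as {source field name: value}; values stay strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR_RE.finditer(line)}


def coalesce(event, aux_name, fallback_name):
    """The table's transformation: use aux unless it is null (absent) or empty."""
    aux = event.get(aux_name)
    return event.get(fallback_name) if aux is None or aux == "" else aux


def to_devo_row(line):
    """Map one raw event onto the contentfiltering column names."""
    event = parse_pairs(line)
    row = {RENAMES.get(name, name): value for name, value in event.items()}
    for column, (aux_name, fallback_name) in COALESCED.items():
        row[column] = coalesce(event, aux_name, fallback_name)
    return row


if __name__ == "__main__":
    for column in ("application_name", "application_risk", "application_technology"):
        print(column, "=", to_devo_row(SAMPLE)[column])
```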

firewall.sophos.xgfirewall.event

Field | Type | Field transformation | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | timestamp | | |
machine | str | | vmachine |
time | str | | |
timezone | str | | |
device_name | str | | |
device_id | str | | |
log_id | str | | |
log_type | str | | |
log_component | str | | |
log_subtype | str | | |
status | str | | |
newversion | str | | |
oldversion | str | | |
priority | str | | |
sfmip | str | | |
remotenetwork | str | | |
actiononpeerdead | str | | |
state | str | | |
policybits | str | | |
peerid | str | | |
messageid | str | | |
State | str | | |
remoteinterfaceip | ip4 | | |
localnetwork | str | | |
localgateway | ip4 | | |
localinterfaceip | ip4 | | |
connectiontype | str | | |
connectionname | str | | |
user_name | str | | |
STATUS | str | | |
IPSec_CONNECTION_NAME | str | | |
src_ip | ip4 | | |
reason | str | | |
updatedip | ip4 | | |
host | str | | |
client_host_name | str | | |
client_physical_address | str | | |
ipaddress | ip4 | | |
interface | str | | |
destination | ip4 | | |
message | str | | |
start | str | | |
end | str | | |
user_full_name | str | | |
client_used | str | | |
auth_mechanism | str | | |
timestamp | str | | |
device_model | str | | |
device_serial_id | str | | |
log_version | int4 | | |
severity | str | | |
user_group | str | | |
src_country | str | | |
src_mac | str | | |
dst_country | str | | |
dst_mac | str | | |
ips_policy_id | int8 | | |
protocol | str | | |
connid | str | | |
vconnid | str | | |
hb_health | str | | |
nat_rule_name | str | | |
fw_rule_id | int8 | | |
fw_rule_type | str | | |
fw_rule_name | str | | |
fw_rule_section | str | | |
gw_id_request | int4 | | |
gw_name_request | str | | |
web_policy_id | int8 | | |
application_name | str | | application_name_aux, app_name |
application_risk | int8 | | app_risk, application_risk_aux |
application_technology | str | | application_technology_aux, app_technology |
application_category | str | | app_category, application_category_aux |
application_resolved_by | str | | application_resolved_by_aux, app_resolved_by |
application_is_cloud | str | | application_is_cloud_aux, app_is_cloud |
application_filter_policy_id | int8 | | application_filter_policy_id_aux, appfilter_policy_id |
packets_sent | int8 | | packets_sent_aux, sent_pkts |
packets_received | int8 | | recv_pkts, packets_received_aux |
bytes_sent | int8 | | sent_bytes, bytes_sent_aux |
bytes_received | int8 | | bytes_received_aux, recv_bytes |
src_trans_ip | ip4 | | src_trans_ip_aux, tran_src_ip |
src_trans_port | int8 | | tran_src_port, src_trans_port_aux |
dst_trans_ip | ip4 | | tran_dst_ip, dst_trans_ip_aux |
dst_trans_port | int8 | | tran_dst_port, dst_trans_port_aux |
src_zone_type | str | | srczonetype, src_zone_type_aux |
src_zone | str | | srczone, src_zone_aux |
dst_zone_type | str | | dst_zone_type_aux, dstzonetype |
dst_zone | str | | dst_zone_aux, dstzone |
raw_data | str | | |
unknown | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | message | ✓

firewall.sophos.xgfirewall.firewall

Field | Type | Field transformation | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | timestamp | | |
machine | str | | hostchain |
time | str | | |
timezone | str | | |
device_name | str | | |
device_id | str | | |
log_id | str | | |
log_type | str | | |
log_component | str | | |
log_subtype | str | | |
status | str | | |
priority | str | | |
duration | int8 | | |
fw_rule_id | int8 | | |
policy_type | int8 | | |
user_name | str | | |
user_gp | str | | |
iap | int8 | | |
ips_policy_id | int8 | | |
application | str | | |
in_interface | str | | |
out_interface | str | | |
src_mac | str | | |
dst_mac | str | | |
src_ip | ip4 | | |
src_country_code | str | | |
dst_ip | ip4 | | |
dst_country | str | | |
dst_country_code | str | | |
protocol | str | | |
icmp_code | str | | |
icmp_type | str | | |
src_port | int8 | | |
dst_port | int8 | | |
application_name | str | | application_name_aux, app_name |
application_risk | int8 | | app_risk, application_risk_aux |
application_technology | str | | application_technology_aux, app_technology |
application_category | str | | app_category, application_category_aux |
application_resolved_by | str | | application_resolved_by_aux, app_resolved_by |
application_is_cloud | str | | application_is_cloud_aux, app_is_cloud |
application_filter_policy_id | int8 | | application_filter_policy_id_aux, appfilter_policy_id |
packets_sent | int8 | | packets_sent_aux, sent_pkts |
packets_received | int8 | | recv_pkts, packets_received_aux |
bytes_sent | int8 | | sent_bytes, bytes_sent_aux |
bytes_received | int8 | | bytes_received_aux, recv_bytes |
src_trans_ip | ip4 | | src_trans_ip_aux, tran_src_ip |
src_trans_port | int8 | | tran_src_port, src_trans_port_aux |
dst_trans_ip | ip4 | | tran_dst_ip, dst_trans_ip_aux |
dst_trans_port | int8 | | tran_dst_port, dst_trans_port_aux |
src_zone_type | str | | srczonetype, src_zone_type_aux |
src_zone | str | | srczone, src_zone_aux |
dst_zone_type | str | | dst_zone_type_aux, dstzonetype |
dst_zone | str | | dst_zone_aux, dstzone |
dir_disp | str | | |
connevent | str | | |
connid | str | | |
vconnid | str | | |
timestamp | str | | |
device_model | str | | |
device_serial_id | str | | |
log_version | int4 | | |
severity | str | | |
nat_rule_id | str | | |
nat_rule_name | str | | |
fw_rule_type | str | | |
fw_rule_name | str | | |
fw_rule_section | str | | |
gw_id_request | int4 | | |
gw_name_request | str | | |
web_policy_id | int8 | | |
ether_type | str | | |
src_country | str | | |
hb_status | str | | |
message | str | | |
qualifier | str | | |
in_display_interface | str | | |
log_occurrence | int4 | | |
con_event | str | | |
hb_health | str | | |
unknown | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓

firewall.sophos.xgfirewall.systemhealth

Field | Type | Source field name | Extra fields
--- | --- | --- | ---
eventdate | timestamp | |
machine | str | vmachine |
time | str | |
timezone | str | |
device_name | str | |
device_id | str | |
log_id | str | |
log_type | str | |
log_component | str | |
log_subtype | str | |
priority | str | |
users | int8 | |
Temp | str | |
Signature | str | |
Reports | str | |
Configuration | str | |
used | int8 | |
free | int8 | |
total_memory | int8 | |
unit | str | |
idle | str | |
user | str | |
system | str | |
interface | str | |
receivedkbits | float8 | |
transmittedkbits | float8 | |
receivederrors | str | |
transmitteddrops | float8 | |
collisions | float8 | |
transmittederrors | float8 | |
receiveddrops | float8 | |
unknown | str | | ✓
hostchain | str | | ✓
tag | str | | ✓

firewall.sophos.xgfirewall.wirelessprotection

Field | Type | Source field name | Extra fields
--- | --- | --- | ---
eventdate | timestamp | |
machine | str | vmachine |
time | str | |
timezone | str | |
device_name | str | |
device_id | str | |
log_id | str | |
log_type | str | |
log_component | str | |
log_subtype | str | |
priority | str | |
ap | str | |
ssid | str | |
clients_conn_SSID | str | |
unknown | str | | ✓
hostchain | str | | ✓
tag | str | | ✓