firewall.sophos.xgfirewall
The tags beginning with firewall.sophos.xgfirewall identify log events generated by the Sophos XG Firewalls.
The events should be forwarded to a Devo Relay within the same secure network as the XG Firewall to be identified, tagged, and forwarded securely to the Devo Cloud. This is done by setting up the Devo Relay as a remote syslog server in Sophos.
For information about sending events to Devo from Sophos UTM, see the firewall.sophos article.
Tag structure
The full tag must have at least four levels. The first three are fixed as firewall.sophos.xgfirewall. The fourth level identifies the log type and must be one of contentfiltering, event, firewall, systemhealth, or wirelessprotection.
Technology | Brand | Product | Log type |
---|---|---|---|
firewall | sophos | xgfirewall | contentfiltering |
firewall | sophos | xgfirewall | event |
firewall | sophos | xgfirewall | firewall |
firewall | sophos | xgfirewall | systemhealth |
firewall | sophos | xgfirewall | wirelessprotection |
Therefore, the valid tags include:
firewall.sophos.xgfirewall.contentfiltering
firewall.sophos.xgfirewall.event
firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.systemhealth
firewall.sophos.xgfirewall.wirelessprotection
The associated events will be saved in Devo in tables of the same names. In addition, a union table called firewall.sophos.xgfirewall will contain all of the events in the other tables.
For more information, read more about Devo tags.
Set up the Devo Relay rule
You will need to set up a type 4 relay rule that identifies the event's type by the source port on which it was received and by event content captured using a regular expression. The captured content is then used to build the correct Devo tag.
In Devo, go to Administration → Relays and select the relay to which you want to forward the events.
The relay must reside within the same secure network as your XG Firewall.
Click Add Rule. Enter the following details to set up the rule:
Source port → 13010 (the port number can be any free port on your relay)
Source data → log_type=\"([\w]+)\s*([\w]*)\"
Target tag → firewall.sophos.xgfirewall.\\D1.\\D2
Select the Stop processing and Sent without syslog tag checkboxes
Click Add Rule.
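Before deploying the rule it helps to confirm what the Source data expression actually captures from the XG key=value syslog format. The following added example (not Devo's relay code) applies the page's regular expression to constructed sample lines and checks the result against the page's list of valid tags; it assumes that joining and lowercasing the two captured words is the intended mapping to the fourth tag level, and that a line the expression cannot match is left untagged by the relay.

```python
import re

# The relay rule's "Source data" pattern from this page, as a Python raw string
# (the page shows the quotes escaped as \" because they are typed into the Devo rule field).
LOG_TYPE_RE = re.compile(r'log_type="([\w]+)\s*([\w]*)"')

# The five valid tags listed on this page.
VALID_TAGS = {
    "firewall.sophos.xgfirewall.contentfiltering",
    "firewall.sophos.xgfirewall.event",
    "firewall.sophos.xgfirewall.firewall",
    "firewall.sophos.xgfirewall.systemhealth",
    "firewall.sophos.xgfirewall.wirelessprotection",
}


def capture_log_type(line):
    """Return the capture groups the rule calls \\D1 and \\D2, or None if the rule would not match."""
    m = LOG_TYPE_RE.search(line)
    return None if m is None else (m.group(1), m.group(2))


def build_tag(line):
    """Tag one XG syslog line. Assumption: the fourth level is the captured words joined and
    lowercased, which reproduces VALID_TAGS. Unmatched or unsupported log types yield None:
    the relay leaves such lines untagged and they do not reach these tables."""
    groups = capture_log_type(line)
    if groups is None:
        return None
    tag = "firewall.sophos.xgfirewall." + (groups[0] + groups[1]).lower()
    return tag if tag in VALID_TAGS else None


# Constructed sample lines in the key=value style of XG syslog; not real device output.
SAMPLE_LINES = [
    'device="SFW" device_name="xg-lab" log_id=000000000001 log_type="Firewall" log_component="Firewall Rule"',
    'device="SFW" device_name="xg-lab" log_id=000000000002 log_type="Content Filtering" log_component="HTTP"',
    'device="SFW" device_name="xg-lab" log_id=000000000003 log_type="Event" log_component="GUI"',
    'device="SFW" device_name="xg-lab" log_id=000000000004 log_type="System Health" log_component="CPU"',
    'device="SFW" device_name="xg-lab" log_id=000000000005 log_type="Wireless Protection" log_component="AP"',
    'device="SFW" device_name="xg-lab" log_id=000000000006 log_type="Anti-Virus" log_component="HTTP"',
]


def tag_summary(lines):
    """Count lines per resulting tag; the None key collects lines the rule would leave untagged."""
    counts = {}
    for line in lines:
        tag = build_tag(line)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, n in tag_summary(SAMPLE_LINES).items():
        print(f"{str(tag):48} {n}")
```

Note that a hyphenated log type such as the constructed "Anti-Virus" line never matches `[\w]+`, so any log type outside the five supported ones is silently dropped by the rule rather than mis-tagged.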
Forward the events from XG Firewall to the Devo relay
With the relay ready to receive and process the XG Firewall events, you can start to forward them. To do so, set up your Devo Relay as a syslog server in XG Firewall.
Check out this Sophos Knowledge Base article for instructions. Just be sure to:
Specify the correct IP address of the Devo relay and the same port on which you added the relay rule.
Specify which logs you want to output to syslog in System Services → Log Settings.
Table structure
These are the fields displayed in these tables:
firewall.sophos.xgfirewall.contentfiltering
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |  |  |  |  |
machine |  |  | vmachine |  |
time |  |  |  |  |
timezone |  |  |  |  |
device_name |  |  |  |  |
device_id |  |  |  |  |
log_id |  |  |  |  |
log_type |  |  |  |  |
log_component |  |  |  |  |
log_subtype |  |  |  |  |
status |  |  |  |  |
message |  |  |  |  |
priority |  |  |  |  |
nat_rule_name |  |  |  |  |
fw_rule_id |  |  |  |  |
fw_rule_type |  |  |  |  |
fw_rule_name |  |  |  |  |
fw_rule_section |  |  |  |  |
gw_id_request |  |  |  |  |
gw_name_request |  |  |  |  |
user_name |  |  |  |  |
user_gp |  |  |  |  |
application_filter_policy |  |  |  |  |
iap |  |  |  |  |
category |  |  |  |  |
category_type |  |  |  |  |
url |  |  |  |  |
contenttype |  |  |  |  |
override_token |  |  |  |  |
httpresponsecode |  |  |  |  |
src_ip |  |  |  |  |
src_country |  |  |  |  |
src_country_code |  |  |  |  |
src_mac |  |  |  |  |
dst_ip |  |  |  |  |
dst_country |  |  |  |  |
dst_country_code |  |  |  |  |
protocol |  |  |  |  |
src_port |  |  |  |  |
dst_port |  |  |  |  |
dst_mac |  |  |  |  |
domain |  |  |  |  |
exceptions |  |  |  |  |
activityname |  |  |  |  |
reason |  |  |  |  |
used_quota |  |  |  |  |
http_status |  |  |  |  |
http_category |  |  |  |  |
http_category_type |  |  |  |  |
timestamp |  |  |  |  |
device_model |  |  |  |  |
device_serial_id |  |  |  |  |
log_version |  |  |  |  |
severity |  |  |  |  |
user_group |  |  |  |  |
web_policy_id |  |  |  |  |
con_id |  |  |  |  |
application_name |  | isnull(application_name_aux) or isempty(application_name_aux) ? app_name : application_name_aux | application_name_aux, app_name |  |
application_risk |  | isnull(application_risk_aux) or isempty(application_risk_aux) ? app_risk : application_risk_aux | app_risk, application_risk_aux |  |
application_technology |  | isnull(application_technology_aux) or isempty(application_technology_aux) ? app_technology : application_technology_aux | application_technology_aux, app_technology |  |
application_category |  |  | app_category, application_category_aux |  |
application_resolved_by |  |  | application_resolved_by_aux, app_resolved_by |  |
application_is_cloud |  |  | application_is_cloud_aux, app_is_cloud |  |
application_filter_policy_id |  |  | application_filter_policy_id_aux, appfilter_policy_id |  |
packets_sent |  |  | packets_sent_aux, sent_pkts |  |
packets_received |  |  | recv_pkts, packets_received_aux |  |
bytes_sent |  |  | sent_bytes, bytes_sent_aux |  |
bytes_received |  |  | bytes_received_aux, recv_bytes |  |
src_trans_ip |  |  | src_trans_ip_aux, tran_src_ip |  |
src_trans_port |  |  | tran_src_port, src_trans_port_aux |  |
dst_trans_ip |  |  | tran_dst_ip, dst_trans_ip_aux |  |
dst_trans_port |  |  | tran_dst_port, dst_trans_port_aux |  |
src_zone_type |  |  | srczonetype, src_zone_type_aux |  |
src_zone |  |  | srczone, src_zone_aux |  |
dst_zone_type |  |  | dst_zone_type_aux, dstzonetype |  |
dst_zone |  |  | dst_zone_aux, dstzone |  |
unknown |  |  |  |  |
hostchain |  |  |  | ✓ |
tag |  |  |  | ✓ |
rawMessage |  |  | message | ✓ |
firewall.sophos.xgfirewall.event
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |  |  |  |  |
machine |  |  | vmachine |  |
time |  |  |  |  |
timezone |  |  |  |  |
device_name |  |  |  |  |
device_id |  |  |  |  |
log_id |  |  |  |  |
log_type |  |  |  |  |
log_component |  |  |  |  |
log_subtype |  |  |  |  |
status |  |  |  |  |
newversion |  |  |  |  |
oldversion |  |  |  |  |
priority |  |  |  |  |
sfmip |  |  |  |  |
remotenetwork |  |  |  |  |
actiononpeerdead |  |  |  |  |
state |  |  |  |  |
policybits |  |  |  |  |
peerid |  |  |  |  |
messageid |  |  |  |  |
State |  |  |  |  |
remoteinterfaceip |  |  |  |  |
localnetwork |  |  |  |  |
localgateway |  |  |  |  |
localinterfaceip |  |  |  |  |
connectiontype |  |  |  |  |
connectionname |  |  |  |  |
user_name |  |  |  |  |
STATUS |  |  |  |  |
IPSec_CONNECTION_NAME |  |  |  |  |
src_ip |  |  |  |  |
reason |  |  |  |  |
updatedip |  |  |  |  |
host |  |  |  |  |
client_host_name |  |  |  |  |
client_physical_address |  |  |  |  |
ipaddress |  |  |  |  |
interface |  |  |  |  |
destination |  |  |  |  |
message |  |  |  |  |
start |  |  |  |  |
end |  |  |  |  |
user_full_name |  |  |  |  |
client_used |  |  |  |  |
auth_mechanism |  |  |  |  |
timestamp |  |  |  |  |
device_model |  |  |  |  |
device_serial_id |  |  |  |  |
log_version |  |  |  |  |
severity |  |  |  |  |
user_group |  |  |  |  |
src_country |  |  |  |  |
src_mac |  |  |  |  |
dst_country |  |  |  |  |
dst_mac |  |  |  |  |
ips_policy_id |  |  |  |  |
protocol |  |  |  |  |
connid |  |  |  |  |
vconnid |  |  |  |  |
hb_health |  |  |  |  |
nat_rule_name |  |  |  |  |
fw_rule_id |  |  |  |  |
fw_rule_type |  |  |  |  |
fw_rule_name |  |  |  |  |
fw_rule_section |  |  |  |  |
gw_id_request |  |  |  |  |
gw_name_request |  |  |  |  |
web_policy_id |  |  |  |  |
application_name |  |  | application_name_aux, app_name |  |
application_risk |  |  | app_risk, application_risk_aux |  |
application_technology |  |  | application_technology_aux, app_technology |  |
application_category |  |  | app_category, application_category_aux |  |
application_resolved_by |  |  | application_resolved_by_aux, app_resolved_by |  |
application_is_cloud |  |  | application_is_cloud_aux, app_is_cloud |  |
application_filter_policy_id |  |  | application_filter_policy_id_aux, appfilter_policy_id |  |
packets_sent |  |  | packets_sent_aux, sent_pkts |  |
packets_received |  |  | recv_pkts, packets_received_aux |  |
bytes_sent |  |  | sent_bytes, bytes_sent_aux |  |
bytes_received |  |  | bytes_received_aux, recv_bytes |  |
src_trans_ip |  |  | src_trans_ip_aux, tran_src_ip |  |
src_trans_port |  |  | tran_src_port, src_trans_port_aux |  |
dst_trans_ip |  |  | tran_dst_ip, dst_trans_ip_aux |  |
dst_trans_port |  |  | tran_dst_port, dst_trans_port_aux |  |
src_zone_type |  |  | srczonetype, src_zone_type_aux |  |
src_zone |  |  | srczone, src_zone_aux |  |
dst_zone_type |  |  | dst_zone_type_aux, dstzonetype |  |
dst_zone |  |  | dst_zone_aux, dstzone |  |
raw_data |  |  |  |  |
unknown |  |  |  |  |
hostchain |  |  |  | ✓ |
tag |  |  |  | ✓ |
rawMessage |  |  | message | ✓ |
firewall.sophos.xgfirewall.firewall
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |  |  |  |  |
machine |  |  | hostchain |  |
time |  |  |  |  |
timezone |  |  |  |  |
device_name |  |  |  |  |
device_id |  |  |  |  |
log_id |  |  |  |  |
log_type |  |  |  |  |
log_component |  |  |  |  |
log_subtype |  |  |  |  |
status |  |  |  |  |
priority |  |  |  |  |
duration |  |  |  |  |
fw_rule_id |  |  |  |  |
policy_type |  |  |  |  |
user_name |  |  |  |  |
user_gp |  |  |  |  |
iap |  |  |  |  |
ips_policy_id |  |  |  |  |
application |  |  |  |  |
in_interface |  |  |  |  |
out_interface |  |  |  |  |
src_mac |  |  |  |  |
dst_mac |  |  |  |  |
src_ip |  |  |  |  |
src_country_code |  |  |  |  |
dst_ip |  |  |  |  |
dst_country |  |  |  |  |
dst_country_code |  |  |  |  |
protocol |  |  |  |  |
icmp_code |  |  |  |  |
icmp_type |  |  |  |  |
src_port |  |  |  |  |
dst_port |  |  |  |  |
application_name |  |  | application_name_aux, app_name |  |
application_risk |  |  | app_risk, application_risk_aux |  |
application_technology |  |  | application_technology_aux, app_technology |  |
application_category |  |  | app_category, application_category_aux |  |
application_resolved_by |  |  | application_resolved_by_aux, app_resolved_by |  |
application_is_cloud |  |  | application_is_cloud_aux, app_is_cloud |  |
application_filter_policy_id |  |  | application_filter_policy_id_aux, appfilter_policy_id |  |
packets_sent |  |  | packets_sent_aux, sent_pkts |  |
packets_received |  |  | recv_pkts, packets_received_aux |  |
bytes_sent |  |  | sent_bytes, bytes_sent_aux |  |
bytes_received |  |  | bytes_received_aux, recv_bytes |  |
src_trans_ip |  |  | src_trans_ip_aux, tran_src_ip |  |
src_trans_port |  |  | tran_src_port, src_trans_port_aux |  |
dst_trans_ip |  |  | tran_dst_ip, dst_trans_ip_aux |  |
dst_trans_port |  |  | tran_dst_port, dst_trans_port_aux |  |
src_zone_type |  |  | srczonetype, src_zone_type_aux |  |
src_zone |  |  | srczone, src_zone_aux |  |
dst_zone_type |  |  | dst_zone_type_aux, dstzonetype |  |
dst_zone |  |  | dst_zone_aux, dstzone |  |
dir_disp |  |  |  |  |
connevent |  |  |  |  |
connid |  |  |  |  |
vconnid |  |  |  |  |
timestamp |  |  |  |  |
device_model |  |  |  |  |
device_serial_id |  |  |  |  |
log_version |  |  |  |  |
severity |  |  |  |  |
nat_rule_id |  |  |  |  |
nat_rule_name |  |  |  |  |
fw_rule_type |  |  |  |  |
fw_rule_name |  |  |  |  |
fw_rule_section |  |  |  |  |
gw_id_request |  |  |  |  |
gw_name_request |  |  |  |  |
web_policy_id |  |  |  |  |
ether_type |  |  |  |  |
src_country |  |  |  |  |
hb_status |  |  |  |  |
message |  |  |  |  |
qualifier |  |  |  |  |
in_display_interface |  |  |  |  |
log_occurrence |  |  |  |  |
con_event |  |  |  |  |
hb_health |  |  |  |  |
unknown |  |  |  |  |
hostchain |  |  |  | ✓ |
tag |  |  |  | ✓ |
rawMessage |  |  |  | ✓ |
firewall.sophos.xgfirewall.systemhealth
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate |  |  |  |
machine |  | vmachine |  |
time |  |  |  |
timezone |  |  |  |
device_name |  |  |  |
device_id |  |  |  |
log_id |  |  |  |
log_type |  |  |  |
log_component |  |  |  |
log_subtype |  |  |  |
priority |  |  |  |
users |  |  |  |
Temp |  |  |  |
Signature |  |  |  |
Reports |  |  |  |
Configuration |  |  |  |
used |  |  |  |
free |  |  |  |
total_memory |  |  |  |
unit |  |  |  |
idle |  |  |  |
user |  |  |  |
system |  |  |  |
interface |  |  |  |
receivedkbits |  |  |  |
transmittedkbits |  |  |  |
receivederrors |  |  |  |
transmitteddrops |  |  |  |
collisions |  |  |  |
transmittederrors |  |  |  |
receiveddrops |  |  |  |
unknown |  |  | ✓ |
hostchain |  |  | ✓ |
tag |  |  | ✓ |
firewall.sophos.xgfirewall.wirelessprotection
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate |  |  |  |
machine |  | vmachine |  |
time |  |  |  |
timezone |  |  |  |
device_name |  |  |  |
device_id |  |  |  |
log_id |  |  |  |
log_type |  |  |  |
log_component |  |  |  |
log_subtype |  |  |  |
priority |  |  |  |
ap |  |  |  |
ssid |  |  |  |
clients_conn_SSID |  |  |  |
unknown |  |  | ✓ |
hostchain |  |  | ✓ |
tag |  |  | ✓ |