cef0.sophos.xg
Introduction
The table cef0.sophos.xg identifies events in CEF format generated by Sophos XG firewall.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
cef0.sophos.xg
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
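The tag structure described above can be checked on a raw line: the Devo table is built from the Device Vendor and Device Product header fields, and extension values may contain escaped `\=` characters that must not be read as new keys. The following parser is an added example, not Devo code; the sample line is constructed, and it assumes Devo lowercases vendor and product when forming cef0.deviceVendor.deviceProduct.

```python
import re

# Constructed sample (not taken from the page): syslog prefix plus a CEF record
# as a Sophos XG firewall might emit it. Note the escaped '\=' inside msg.
SAMPLE = ("2021-09-01 09:34:01.514 localhost=127.0.0.1 14 14 "
          "CEF:0|Sophos|XG||urls|urls|Low|"
          "eventId=8370995 msg=src\\=10.0.0.5:61680 dst\\=203.0.113.7:443 "
          "src=10.0.0.5 spt=61680 dst=203.0.113.7 dpt=443 requestMethod=UNKNOWN")

HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")

def _unescape(value):
    # CEF escapes '=' and '\' in extension values (and '|' in header fields);
    # '\r' and '\n' stand for line breaks
    return re.sub(r"\\([=|\\rn])",
                  lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)),
                  value)

def parse_cef(line):
    """Return (header dict, extension dict, Devo table name) for one CEF line."""
    start = re.search(r"CEF:\s*(?=\d+\|)", line)
    if not start:
        raise ValueError("no CEF header found")
    body = line[start.end():]
    # Split on '|' not preceded by a backslash; the 8th piece is the extension
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|' delimiters")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    # A key is a token directly followed by an unescaped '='; 'dst\=' inside the
    # msg value does not match because the backslash sits between 'dst' and '='
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=", ext_text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    # Assumption: Devo lowercases vendor and product when building the tag
    table = "cef0.%s.%s" % (header["deviceVendor"].lower(),
                            header["deviceProduct"].lower())
    return header, ext, table
```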
Log samples
The following are sample logs sent to cef0.sophos.xg. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
cef0.sophos.xg
2021-09-01 09:34:01.514 localhost=127.0.0.1 14 14 CEF: 0|Cisco|Meraki Access Point||urls|urls |Low| eventId=8370995 msg=src\\=41.131.242.238:61680 dst\\=162.20.79.121:443 mac\\=23:74:d5:30:21:ff customerURI=/var/prod/suggest/lay.webm Customers/bin/yramirez/nothing/buy.ods/05 Neptune/etc/if/analysis/up/grow/tax/group.mov categorySignificance=/var/join/body/source/police/ball/even.pdf categoryBehavior=/etc/concern/trial/yramirez/cup.webm categoryDeviceGroup=/etc/france/among.jpeg categoryOutcome=/etc/both/party/shoulder.avi categoryObject=/opt/game/abc/daughter/mwillis/little.csv art=1628723372661 cat=urls rt=1628723371688 src=41.131.242.238 sourceZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/dev/contain/also.doc Address Space Zones/var/administration.wav1918: 41.19.19.145-123.177.191.230 smac=D0-C6-37-D2-0E-AB dst=162.20.79.121 destinationZoneURI=/var/prod/suggest/lay.webm Zones/var/task/region/life.png System/opt/wall/especially/upon/fear.png Address Space Zones/var/australia/timor-leste/represent.wav duPont de Nemours and Co. Inc. request=https://bin/pay/contain/arrive.webm-data.balena-cloud.com/var/record/game/nearly/region/laugh/believe.docx requestMethod=UNKNOWN
And this is how the log would be parsed:
Field | Value | Type | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
cat | | | |
c6a4Label | | | |
dst | | | |
dpt | | | |
dvchost | | | |
msg | | | |
proto | | | |
requestMethod | | | |
request | | | |
rt | | | |
smac | | | |
src | | | |
spt | | | |
agentZoneURI | | | |
agt | | | |
ahost | | | |
aid | | | |
amac | | | |
art | | | |
at | | | |
atz | | | |
av | | | |
categoryBehavior | | | |
categoryDeviceGroup | | | |
categoryObject | | | |
categoryOutcome | | | |
categorySignificance | | | |
customerURI | | | |
destinationZoneURI | | | |
dtz | | | |
eventId | | | |
geid | | | |
sourceZoneURI | | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | | ✓