TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Device Configuration Guide for Sophos firewalls
This page covers only the device-specific configuration. You still need to read our SIEM Firewall guide to complete the Huntress SIEM setup, including opening a port in Windows Firewall.
Vendor Information
| Field | Value |
| --- | --- |
| Vendor | Sophos |
| Supported Model Name/Number | Sophos Firewall |
| Supported Software Version(s) | 19.X, 20.X, 21.X |
| Collection Method | Syslog |
| Provider Name | Syslog-SophosFW |
| Additional Information | |
Device Configuration Checklist
Add a syslog server
- Go to System services > Log settings and click Add.
- Enter a Name. Example: Huntress-SIEM
- Set IP Address to the IP of the Huntress agent configured for syslog.
- Set Port to 514.
- Set Facility to LOCAL0.
- Set Severity Level to Informational.
- Set Format to Standard Syslog Format.
- Click Save.
Example Log Messages
Traffic Log Message
device_name="SFW" timestamp="2023-12-11T09:02:50-0500" device_model="SF01V" device_serial_id="SFDemo-c07-gl-vm-01" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="5" fw_rule_name="fw_allow_172.16.131.3" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="masq_for_172.16.131.3" fw_rule_type="USER" gw_id_request=2 gw_name_request="gw0" ether_type="Unknown (0x0000)" in_interface="Port2" out_interface="Port1" src_mac="00:50:56:B0:C0:59" dst_mac="00:50:56:B0:CE:59" src_ip="172.16.131.3" src_country="R1" dst_ip="4.2.2.2" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="10.170.0.156" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="981166219" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port2" out_display_interface="Port1" log_occurrence="1"
IPS Log Message
device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemof64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILEPDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
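The two sample messages above are Sophos key=value records, where quoted values may contain spaces and unquoted values are bare tokens. The following Python script is an added example, not part of the Huntress guide or of Sophos's own tooling: it parses both message shapes into a dictionary and checks the syslog PRI header against the facility and severity this guide tells you to configure (LOCAL0 and Informational). The `<134>` PRI prefix on the sample lines is an assumption about what the collector sees when the firewall is configured as above; the field contents are copied from the guide.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
# The guide configures Facility = LOCAL0 and Severity Level = Informational.
LOCAL0 = 16
INFORMATIONAL = 6

PRI_RE = re.compile(r"^<(\d{1,3})>")
# One Sophos field: key="value that may contain spaces" or key=bare_token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample messages from the guide. The "<134>" PRI prefix (LOCAL0, Informational)
# is a constructed assumption; the firewall emits it, the guide does not show it.
TRAFFIC_LINE = (
    '<134>device_name="SFW" timestamp="2023-12-11T09:02:50-0500" device_model="SF01V" '
    'device_serial_id="SFDemo-c07-gl-vm-01" log_id="010101600001" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" '
    'fw_rule_id="5" fw_rule_name="fw_allow_172.16.131.3" fw_rule_section="Local rule" '
    'nat_rule_id="3" nat_rule_name="masq_for_172.16.131.3" fw_rule_type="USER" gw_id_request=2 '
    'gw_name_request="gw0" ether_type="Unknown (0x0000)" in_interface="Port2" out_interface="Port1" '
    'src_mac="00:50:56:B0:C0:59" dst_mac="00:50:56:B0:CE:59" src_ip="172.16.131.3" src_country="R1" '
    'dst_ip="4.2.2.2" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="10.170.0.156" '
    'src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" '
    'con_id="981166219" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" '
    'qualifier="New" in_display_interface="Port2" out_display_interface="Port1" log_occurrence="1"'
)
IPS_LINE = (
    '<134>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" '
    'device_id=SFDemof64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" '
    'log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" '
    'signature_id=26022 signature_msg="FILEPDF EmbeddedFile contained within a PDF" '
    'classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 '
    'src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 '
    'dst_port=25 platform="Windows" category="Malware Communication" target="Server"'
)


def parse_sophos_kv(body):
    """Turn a Sophos key=value body into a dict; quoted values keep their spaces."""
    fields = {}
    for match in KV_RE.finditer(body):
        key, quoted, bare = match.groups()
        # An empty quoted value (user_name="") is a real field, so test for None.
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_syslog_line(line):
    """Split off the PRI header (if present) and parse the remaining body."""
    facility = severity = None
    body = line
    match = PRI_RE.match(line)
    if match:
        pri = int(match.group(1))
        facility, severity = pri // 8, pri % 8
        body = line[match.end():]
    return {"facility": facility, "severity": severity, "fields": parse_sophos_kv(body)}


def check_transport(parsed):
    """List mismatches against the guide's settings (LOCAL0, Informational).

    Lower severity numbers are more severe, so with Severity Level set to
    Informational the firewall should never send anything above 6 (debug is 7).
    """
    problems = []
    if parsed["facility"] is None:
        problems.append("no syslog PRI header")
        return problems
    if parsed["facility"] != LOCAL0:
        problems.append(f"facility {parsed['facility']} is not LOCAL0 (16)")
    if parsed["severity"] > INFORMATIONAL:
        problems.append(f"severity {parsed['severity']} is below Informational (6)")
    return problems


def summarize(parsed):
    """Pick the fields an analyst looks at first, for either message type."""
    f = parsed["fields"]
    return {
        "type": f.get("log_type"),
        "component": f.get("log_component"),
        "subtype": f.get("log_subtype"),
        "src": f.get("src_ip"),
        "dst": f.get("dst_ip"),
        "protocol": f.get("protocol"),
    }


if __name__ == "__main__":
    # A third, constructed line with facility LOCAL1 shows the transport check firing.
    for sample in (TRAFFIC_LINE, IPS_LINE, '<142>device="SFW" log_type="Event"'):
        parsed = parse_syslog_line(sample)
        print(summarize(parsed), check_transport(parsed) or "transport OK")
```

Pointing this at the lines your collector actually receives is a quick way to confirm that Facility and Severity Level were set as the checklist describes before you spend time looking at the SIEM side.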