Skip to main content

Syslog - Sophos Firewall

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Sophos
SUMMARY: Configuration Guide for Sophos firewalls

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor Sophos
Supported Model Name/Number Sophos Firewall
Supported Software Version(s) 19.X, 20.X, 21.X
Collection Method Syslog
Provider Name Syslog-SophosFW
Additional Information

Sophos Firewall Syslog Server Add

Sophos SF Syslog Guide 20.0 PDF

 

Device Configuration Checklist

  1. Add a syslog server

    1. Go to System services > Log settings and click Add.

    2. Enter a Name. Example: Huntress-SIEM

    3. Set IP Address to the IP of the Huntress agent configured for syslog.

    4. Set Port to 514.

    5. Set Facility to LOCAL0.

    6. Set Severity Level to Informational.

    7. Set Format to Standard Syslog Format.

    8. Click Save.

 

Example Log Messages

 

Traffic Log Message

device_name="SFW" timestamp="2023-12-11T09:02:50-0500" device_model="SF01V" device_serial_id=" SFDemo-c07-gl-vm-01" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="5" fw_rule_name=" fw_allow_172.16.131.3" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="masq_for_172. 16.131.3" fw_rule_type="USER" gw_id_request=2 gw_name_request="gw0" ether_type="Unknown (0x0000)" in_interface="Port2" out_interface="Port1" src_mac="00:50:56:B0:C0:59" dst_mac="00:50:56:B0:CE: 59" src_ip="172.16.131.3" src_country="R1" dst_ip="4.2.2.2" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="10.170.0.156" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="981166219" hb_status="No Heartbeat" app_resolved_by=" Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port2" out_display_interface="Port1" log_occurrence="1"

 

IPS Log Message

device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemof64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILEPDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"

Related articles