TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Sophos
SUMMARY: Configuration Guide for Sophos firewalls
This page covers only the device-specific configuration. You will still need to read the Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup, including opening a port in Microsoft Defender Firewall.
Vendor Information
| Field | Value |
| --- | --- |
| Vendor | Sophos |
| Supported Model Name/Number | Sophos Firewall |
| Supported Software Version(s) | 19.X, 20.X, 21.X |
| Collection Method | Syslog |
| Provider Name | Syslog-SophosFW |
| Additional Information | |
Please note that Huntress provides third-party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions change frequently, so it may be necessary to find the appropriate syslog logging documentation for your version of the vendor software or service.
Please note the link under Vendor Links above, which points to the latest documentation at the time of this writing.
Device Configuration Checklist
- Add a syslog server
  - Go to System services > Log settings and click Add.
  - Enter a Name. Example: Huntress-SIEM
  - Set IP Address to the Internal IP of the Huntress agent configured for syslog.
  - Make sure "Secure log transmission" is turned off. This option does not work with UDP, and is not supported by Huntress with TCP.
  - Set Port to 514.
  - Set Facility to LOCAL0.
  - Set Severity Level to Informational.
  - Set Format to Standard Syslog Format.
  - Click Save.
Example Log Messages
Traffic Log Message
device_name="SFW" timestamp="2023-12-11T09:02:50-0500" device_model="SF01V" device_serial_id="SFDemo-c07-gl-vm-01" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="5" fw_rule_name="fw_allow_172.16.131.3" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="masq_for_172.16.131.3" fw_rule_type="USER" gw_id_request=2 gw_name_request="gw0" ether_type="Unknown (0x0000)" in_interface="Port2" out_interface="Port1" src_mac="00:50:56:B0:C0:59" dst_mac="00:50:56:B0:CE:59" src_ip="172.16.131.3" src_country="R1" dst_ip="4.2.2.2" dst_country="USA" protocol="ICMP" icmp_type=8 src_trans_ip="10.170.0.156" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="981166219" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port2" out_display_interface="Port1" log_occurrence="1"
IPS Log Message
device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemof64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILEPDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
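As an added example (not Huntress's or Sophos's own code), a small Python parser for the key=value format used by both sample messages above. It handles the quoted, bare and empty-value cases that appear in them, flags IPS detections, and maps the two schemas (single `timestamp` versus `date`/`time`/`timezone`) onto one shape for SIEM triage; the sample inputs are the page's two messages trimmed to the fields exercised.

```python
import re
from typing import Dict

# One key=value pair in Sophos Firewall's standard syslog format: the value is
# either double-quoted (may contain spaces, may be empty) or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

def parse_sophos_log(line: str) -> Dict[str, str]:
    """Return the fields of one Sophos log line; quotes are stripped and anything
    that is not a key=value token (e.g. a syslog header) is skipped."""
    fields: Dict[str, str] = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def is_ips_detection(fields: Dict[str, str]) -> bool:
    """True for IPS (log_type IDP) detections, the events to triage first."""
    return fields.get("log_type") == "IDP" and fields.get("log_subtype") == "Detect"

def summarize(fields: Dict[str, str]) -> Dict[str, str]:
    """Map both schemas on this page onto one shape: traffic logs carry a single
    'timestamp', IPS logs split it into date/time/timezone."""
    when = fields.get("timestamp") or " ".join(
        v for v in (fields.get("date"), fields.get("time"), fields.get("timezone")) if v)
    return {
        "when": when,
        "type": fields.get("log_type", ""),
        "subtype": fields.get("log_subtype", ""),
        "src": fields.get("src_ip", ""),
        "dst": fields.get("dst_ip", ""),
        "detail": fields.get("signature_msg") or fields.get("fw_rule_name", ""),
    }

# The page's two sample messages, trimmed to the fields exercised here.
TRAFFIC = ('device_name="SFW" timestamp="2023-12-11T09:02:50-0500" log_type="Firewall" '
           'log_subtype="Allowed" log_version=1 fw_rule_name="fw_allow_172.16.131.3" '
           'ether_type="Unknown (0x0000)" src_ip="172.16.131.3" dst_ip="4.2.2.2" icmp_type=8')
IPS = ('device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" log_type="IDP" '
       'log_subtype="Detect" priority=Warning user_name="" signature_id=26022 '
       'signature_msg="FILEPDF EmbeddedFile contained within a PDF" src_ip=10.0.0.168 dst_ip=10.1.1.234')

if __name__ == "__main__":
    for line in (TRAFFIC, IPS):
        fields = parse_sophos_log(line)
        print(is_ips_detection(fields), summarize(fields))
```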