Graylog and Sophos XG


1. Describe your incident:
Graylog configuration with Sophos XG. Not able to view logs in Graylog but Sophos is already communicating with it.

2. Describe your environment:

  • OS Information:

  • Package Version:
    5.2

  • Service logs, configurations, and environment variables:
    Syslog UDP

3. What steps have you already taken to try and solve the problem?
tcpdump on the Sophos firewall confirmed there is traffic going out to the Graylog server.

4. How can the community help?
How to set up Graylog for Sophos XG.
I already contacted Sophos and confirmed the syslog settings are correct, and tcpdump confirmed there is traffic pushing to Graylog.
We currently have an open-source Graylog; do we need an enterprise license for this one to work?

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:57:01.640561 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.notice, length: 406
11:57:11.632641 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1039
11:57:19.740425 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 997
11:59:18.165663 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 994
11:59:33.816713 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1039
12:00:49.422381 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 998
12:01:21.824721 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1035
12:02:55.576706 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1040
12:05:03.769621 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 993
12:07:09.536762 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1034
12:09:05.083914 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.notice, length: 405

^C
11 packets captured
12 packets received by filter
0 packets dropped by kernel
SFV1C4_VM01_SFOS 20.0.0 GA-Build222# tcpdump -nni any host 103.243.110.203
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
12:10:05.206963 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.notice, length: 406
12:10:22.891366 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.notice, length: 405
12:15:20.197181 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 998
12:17:33.640967 PortB, OUT: IP 203.31.65.156.33110 > 103.243.110.203.514: SYSLOG daemon.info, length: 1040


Are you sure your syslog input is running correctly? Some machines don't like assigning ports less than 1024, so you can always try and move it to something like 1514.

Second, are you sure your TCP or UDP match on sending and input? These vendors like to not say clearly which protocol they are using for their syslog, and of course if they don't match then nothing is going to work.

I just changed it to 1514 but still no inputs received.

Below are the inputs configured in Graylog. No messages received.

Is that tcpdump from the Sophos side or from the server running Graylog? My first guess is it's a connection or firewall issue if that dump is from the Sophos side only.
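The two checks raised in this thread (is anything actually arriving on the Graylog host, and does the port/protocol match the input?) can be answered from the receiving side without Graylog involved. This is an added example, not code from the thread or from Graylog: a small Python probe that binds the UDP port the input should own (run it with the Graylog input stopped, or on a spare port such as 1514), decodes the syslog PRI of whatever arrives into the same facility.severity names tcpdump prints, and can send itself a constructed test datagram. A failed bind means some listener (hopefully the Graylog input) already owns the port. The port, the bind address and the test message content are assumptions.

```python
import socket
import sys

# Standard syslog facility/severity tables (RFC 5424 section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(msg: bytes):
    """Decode the leading <PRI> into (facility, severity): b"<30>..." -> ("daemon", "info")."""
    end = msg.find(b">", 1, 6)
    pri = int(msg[1:end]) if msg.startswith(b"<") and end > 1 and msg[1:end].isdigit() else 999
    if pri > 191:
        return "?", "?"  # not a valid syslog PRI header
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def open_udp_probe(port: int, bind: str = "0.0.0.0"):
    """Bind the input's UDP port; None means something (the Graylog input?) already owns it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((bind, port))
    except OSError:
        sock.close()
        return None
    return sock

def collect(sock, timeout: float = 30.0, max_msgs: int = 5):
    """Wait for datagrams; return (src ip, src port, facility, severity, length) tuples."""
    sock.settimeout(timeout)
    seen = []
    try:
        while len(seen) < max_msgs:
            data, (src, sport) = sock.recvfrom(65535)
            fac, sev = parse_pri(data)
            seen.append((src, sport, fac, sev, len(data)))
    except socket.timeout:
        pass
    return seen

def send_test(host: str, port: int, pri: int = 30) -> bytes:
    """Send one constructed RFC 3164-style datagram (test content, not real Sophos output)."""
    msg = f"<{pri}>Jan  1 00:00:00 probe sophos-test: graylog probe".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))
    return msg

if __name__ == "__main__":  # usage: probe.py <udp-port>, run with the Graylog input stopped
    probe = open_udp_probe(int(sys.argv[1]) if len(sys.argv) > 1 else 1514)
    print(collect(probe) if probe else "port already bound: a listener (the Graylog input?) owns it")
```

If the probe receives the firewall's datagrams but the Graylog input does not, the problem is the input configuration (port or TCP/UDP choice); if the probe also sees nothing, look at the host firewall or the path between the two.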
