Modify Sophos XG Firewall Message Source

Hi all - Following the guide for the Sophos XG pipeline noted here

I get device=“SFW” as the message source when the Sophos logs come into Graylog.
If I add another firewall I get the same thing.

How does one adjust the source to say something else like “Client A”, “Client B”? Can I make a change in Graylog, or is this something I need to adjust on the Sophos?

Alternatively in the logs there is a distinguishing value “the device ID field”.
So I wonder is it possible to modify the device source to something meaningful like “ClientA” if the device_id field = a certain serial number perhaps?

Anyone come across this before?

Hey @PCTS,
you might want to add a rule in your processing that sets the source to the sending device? Or you can identify the source in some other way and use that information to set it?

You write that you have the device ID - so create a rule that says: if the device ID is A, then set the source to A, or something similar.

Could it be that you double posted?

Hi guys

I managed to do this

1 - Extractor with regex: device_id=([^\s]*)
2 - Pipeline rule:

    rule "XG Device ID"
    when
        to_string($message.fw_device_id) == "ABCD12345"
    then
        set_field("fw_device_name", "XG_001");
    end

I believe that this will help you @PCTS, but the issue now is that I have 11 appliances (each one has a particular device ID). Would I need one pipeline rule for each appliance, or is it possible to create one rule for all appliances?

Thanks

One rule for each device is one option (they all need to be in the same stage). Another option would be to use a lookup table with a CSV/DSV file that maps the device ID to the name, and a single rule that uses this lookup table.

Which solution is best in your environment is something you need to decide on your own.

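The lookup-table approach from the last reply, worked through as an added example (not code posted by anyone in this thread, and not Graylog's own implementation): the thread's extractor regex pulls device_id out of each raw message, a small CSV/DSV table maps device IDs to friendly names, and a single rule sets source from the lookup for every appliance at once. The device IDs, names and Sophos-style log lines are all constructed for this example; the only real input from the thread is the regex device_id=([^\s]*). Messages whose device_id is missing or not in the table keep their original source unless a default is supplied, which is the edge case a single shared rule has to handle.

```python
import csv
import io
import re

# The thread's extractor regex: the value after "device_id=" up to the next whitespace.
DEVICE_ID_RE = re.compile(r"device_id=([^\s]*)")

# Constructed lookup table in the csv/dsv shape the last reply suggests uploading
# to a Graylog lookup table (device_id -> friendly name). Serials are invented.
LOOKUP_DSV = """device_id,name
ABCD12345,XG_001
EFGH67890,ClientB
"""

# Constructed log lines in the Sophos XG key=value style; every value is made up.
# The third line carries an ID that is not in the table, the fourth has no device_id.
SAMPLE_LOGS = [
    'device="SFW" date=2020-05-01 time=10:00:01 timezone="UTC" device_name="XG135" '
    'device_id=ABCD12345 log_id=010101600001 log_type="Firewall" status="Allow"',
    'device="SFW" date=2020-05-01 time=10:00:02 timezone="UTC" device_name="XG210" '
    'device_id=EFGH67890 log_id=010101600001 log_type="Firewall" status="Deny"',
    'device="SFW" date=2020-05-01 time=10:00:03 timezone="UTC" device_name="XG86" '
    'device_id=ZZZZ00000 log_id=010101600001 log_type="Firewall" status="Allow"',
    'device="SFW" date=2020-05-01 time=10:00:04 timezone="UTC" '
    'log_type="Event" status="Successful"',
]


def load_lookup(dsv_text):
    """Parse a two-column DSV (header row: device_id,name) into a dict."""
    reader = csv.DictReader(io.StringIO(dsv_text))
    return {row["device_id"].strip(): row["name"].strip() for row in reader}


def extract_device_id(message):
    """Extractor step: return the device_id value, or None when the key is absent
    or has an empty value (the regex's [^\\s]* happily matches nothing)."""
    match = DEVICE_ID_RE.search(message)
    if not match or not match.group(1):
        return None
    return match.group(1)


def apply_rule(msg, table, default_source=None):
    """One rule for all appliances. `msg` is a dict standing in for a Graylog message
    with at least 'message' and 'source'. Sets fw_device_id from the extractor, then
    fw_device_name and source from the lookup. Unknown or missing IDs leave source
    untouched unless default_source is given."""
    device_id = extract_device_id(msg["message"])
    if device_id is not None:
        msg["fw_device_id"] = device_id
    name = table.get(device_id) if device_id is not None else None
    if name is None:
        if default_source is not None:
            msg["source"] = default_source
        return msg
    msg["fw_device_name"] = name
    msg["source"] = name
    return msg


def process(lines, table, default_source=None):
    """Run extractor + rule over raw lines, the way a pipeline stage sees each message.
    Every message starts with source "SFW", as the original poster observed."""
    results = []
    for line in lines:
        msg = {"message": line, "source": "SFW"}
        results.append(apply_rule(msg, table, default_source))
    return results


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_DSV)
    for m in process(SAMPLE_LOGS, lookup):
        print(m.get("fw_device_id"), "->", m["source"])
```

In Graylog itself the same single rule would call the built-in lookup_value function, roughly lookup_value("sophos_devices", to_string($message.fw_device_id), "SFW") inside set_field("source", ...), where "sophos_devices" is an assumed name for a lookup table backed by the CSV file data adapter; the rule must sit in the stage after the extractor has populated fw_device_id, which is what the reply means by the rules needing to be in the right stage.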