Sophos Firewall

Hello Guys,
I work with Graylog quite a bit and have a problem. The logs from the Sophos Firewall are not nice to read or to work with. I looked around and found two GitHub links, one for a Grok pattern and one for a content pack. I tried to upload the pattern, but Graylog did nothing. After installing the content pack my log processing was too slow, so that many messages were stored in the journal (4.3 million after 30 minutes). Has anybody created some patterns and would share them with me?
Greetings
Marvin

{
    "extractors": [
        {
            "title": "Sophos XG Source IP",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_src_ip",
            "extractor_config": {
                "regex_value": "sourceip=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG Local IP",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_loc_ip",
            "extractor_config": {
                "regex_value": "localip=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG log id",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_log_id",
            "extractor_config": {
                "regex_value": "log_id=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG log component",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fW_log_component",
            "extractor_config": {
                "regex_value": "log_component=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG firewall timezone",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_timezone",
            "extractor_config": {
                "regex_value": "timezone=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG log type",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_log_type",
            "extractor_config": {
                "regex_value": "log_type=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG firewall time",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_time",
            "extractor_config": {
                "regex_value": "time=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG firewall date",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_date",
            "extractor_config": {
                "regex_value": "date=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG device",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "source",
            "extractor_config": {
                "regex_value": "device=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG device name",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_device_name",
            "extractor_config": {
                "regex_value": "device_name=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG Rule ID",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_rule_id",
            "extractor_config": {
                "regex_value": "fw_rule_id=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG device id",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_device_id",
            "extractor_config": {
                "regex_value": "device_id= \"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG firewall user name",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_user_name",
            "extractor_config": {
                "regex_value": "user_name=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG firewall priority",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_priority",
            "extractor_config": {
                "regex_value": "priority=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG server",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_server",
            "extractor_config": {
                "regex_value": "server=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG url",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_url",
            "extractor_config": {
                "regex_value": "url= \"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG ws protocol",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_ws_protocol",
            "extractor_config": {
                "regex_value": "ws_protocol=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG querystring",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_querystring",
            "extractor_config": {
                "regex_value": "querystring=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG fw rule section",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_rule_section",
            "extractor_config": {
                "regex_value": "fw_rule_section=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG fw rule name",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_rule_name",
            "extractor_config": {
                "regex_value": "fw_rule_name=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG bytesercv",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_bytesercv",
            "extractor_config": {
                "regex_value": "bytesercv=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG bytessent",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_bytessent",
            "extractor_config": {
                "regex_value": "bytessent=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG responsetime",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_responsetime",
            "extractor_config": {
                "regex_value": "responsetime=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG host",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_host",
            "extractor_config": {
                "regex_value": "host=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG useragent",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_useragent",
            "extractor_config": {
                "regex_value": "useragent=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG httpstatus",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_httpstatus",
            "extractor_config": {
                "regex_value": "httpstatus=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG method",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_method",
            "extractor_config": {
                "regex_value": "method=([^\\s]*)"
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG cookie",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_cookie",
            "extractor_config": {
                "regex_value": "cookie=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        },
        {
            "title": "Sophos XG contenttype",
            "extractor_type": "regex",
            "converters": [],
            "order": 0,
            "cursor_strategy": "copy",
            "source_field": "message",
            "target_field": "fw_contenttype",
            "extractor_config": {
                "regex_value": "contenttype=\"([^\"]*)\""
            },
            "condition_type": "string",
            "condition_value": "device=\"SFW\""
        }
    ]
}

It's not perfect, but it's a beginning.

For Sophos XGS firewalls, the value
`"condition_value": "device=\"SFW\""`
must be changed to
`"condition_value": "device_name=\"SFW\""`.
