Hello Guys,
I work with Graylog quite a bit and have a problem. The logs from the Sophos Firewall are not nice to read or work with. I looked around and found two GitHub links, one for a Grok pattern and one for a content pack. I tried to upload the pattern, but Graylog did nothing. After installing the content pack, my log output was too slow, so that many messages were stored in the journal (4.3Mio) after 30min. Has anybody created some patterns and would share them with me?
Greetings
Marvin
{
"extractors": [
{
"title": "Sophos XG Source IP",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_src_ip",
"extractor_config": {
"regex_value": "sourceip=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG Local IP",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_loc_ip",
"extractor_config": {
"regex_value": "localip=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG log id",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_log_id",
"extractor_config": {
"regex_value": "log_id=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG log component",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fW_log_component",
"extractor_config": {
"regex_value": "log_component=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG firewall timezone",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_timezone",
"extractor_config": {
"regex_value": "timezone=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG log type",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_log_type",
"extractor_config": {
"regex_value": "log_type=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG firewall time",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_time",
"extractor_config": {
"regex_value": "time=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG firewall date",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_date",
"extractor_config": {
"regex_value": "date=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG device",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "source",
"extractor_config": {
"regex_value": "device=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG device name",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_device_name",
"extractor_config": {
"regex_value": "device_name=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG Rule ID",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_rule_id",
"extractor_config": {
"regex_value": "fw_rule_id=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG device id",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_device_id",
"extractor_config": {
"regex_value": "device_id= \"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG firewall user name",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_user_name",
"extractor_config": {
"regex_value": "user_name=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG firewall priority",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_priority",
"extractor_config": {
"regex_value": "priority=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG server",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_server",
"extractor_config": {
"regex_value": "server=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG url",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_url",
"extractor_config": {
"regex_value": "url= \"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG ws protocol",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_ws_protocol",
"extractor_config": {
"regex_value": "ws_protocol=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG querystring",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_querystring",
"extractor_config": {
"regex_value": "querystring=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG fw rule section",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_rule_section",
"extractor_config": {
"regex_value": "fw_rule_section=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG fw rule name",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_rule_name",
"extractor_config": {
"regex_value": "fw_rule_name=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG bytesercv",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_bytesercv",
"extractor_config": {
"regex_value": "bytesercv=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG bytessent",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_bytessent",
"extractor_config": {
"regex_value": "bytessent=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG responsetime",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_responsetime",
"extractor_config": {
"regex_value": "responsetime=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG host",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_host",
"extractor_config": {
"regex_value": "host=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG useragent",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_useragent",
"extractor_config": {
"regex_value": "useragent=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG httpstatus",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_httpstatus",
"extractor_config": {
"regex_value": "httpstatus=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG method",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_method",
"extractor_config": {
"regex_value": "method=([^\\s]*)"
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG cookie",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_cookie",
"extractor_config": {
"regex_value": "cookie=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
},
{
"title": "Sophos XG contenttype",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "fw_contenttype",
"extractor_config": {
"regex_value": "contenttype=\"([^\"]*)\""
},
"condition_type": "string",
"condition_value": "device=\"SFW\""
}
]
}
It's not perfect, but it's a beginning.
For Sophos XGS firewalls, the value
"condition_value": "device=\"SFW\""
must be changed to
"condition_value": "device_name=\"SFW\"".