Sophos XG Pipeline Fields

Hello, I created a pipeline with the guide from here. I am on Graylog v3.2.3. Using Sophos XG on 17.5

I am trying to add in some more pipeline rules to sort out additional event types to be able to get source IPs from VPN logs and be able to geolocate it so I have the following rule. The issue I am running into is that it is not extracting the src_ip even if I change that to match the remoteinterfaceip. The simulation trace is showing that the rule is being satisfied but there is no added field for the src_ip. What am I doing wrong?

rule “XG IPSec Event”
(to_string($message.log_sub_type) == “System”) && (to_string($message.log_component) == “IPSec”)
pattern: “(status=%{QUOTEDSTRING:status})?%{SPACE}priority=%{WORD:priority}%{SPACE}(status=%{QUOTEDSTRING:status}%{SPACE}src_ip=%{DATA:remoteinterfaceip})?%{GREEDYDATA}message=%{QUOTEDSTRING:system_message}”,
value: to_string($message.message),
only_named_captures: true

A sample of a message received is

<29>device=“SFW” date=2020-03-16 time=09:54:23 timezone=“EDT” device_name=“XG” device_id=REDACTED log_id=062511517801 log_type=“Event” log_component=“IPSec” log_subtype=“System” status=“Established” priority=Notice user_name=“REDACTED” connectionname=“IPSEC” connectiontype=“0” localinterfaceip=REDACTED localgateway= localnetwork=“” remoteinterfaceip=REDACTED remotenetwork=“x.x.x.x/32” message=“IPSEC - IPSec Connection IPSEC between x.x.x.x and x.x.x.x established. (Remote: x.x.x.x)”

Thank you.

Part of your GROK is:


Which reads to me: “Find ‘src_ip=’ and take the ‘DATA’ after it and put it in a field called ‘remoteinterfaceip’”

But your sample message doesn’t contain ‘src_ip=’ to Find…

based on your sample message, the partial GROK would be:


-or perhaps -


Also - Are using the old 2.5 geolocation or the new 3.0+ geolocation?

Using the new 3.0+ geolocation

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.