Collect Sophos XG Firewall logs

This document explains how to collect Sophos Next Gen (XG) Firewall logs by using Bindplane. The parser extracts logs, normalizes the key-value pairs, and maps them to the UDM. It handles various log formats, converting timestamps, enriching network data, and categorizing events based on log IDs and network activity.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to Sophos XG Firewall.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SYSLOG
                namespace: sophos_firewall
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Sophos Firewall syslog servers

  1. Sign in to the Sophos XG Firewall.
  2. Go to Configure > System services > Log settings.
  3. In the Syslog servers section, click Add.
  4. Provide the following configuration details:
    • Name: enter a unique name for the Google SecOps collector.
    • IP address/Domain: enter the Bindplane IP address.
    • Port: enter the Bindplane port number.
    • Facility: select DAEMON.
    • Severity level: select Information.
    • Format: select Device standard format.
  5. Click Save.
  6. Return to the Log Settings page and select the specific log types to forward to the syslog server.

Configure Sophos XG Firewall Log Settings

  1. Select the following Base firewall (security policy log) logs:
    • Policy rules
    • Invalid traffic
    • Local ACLs
    • DoS attack
    • Dropped ICMP redirected packet
    • Dropped source routed packet
    • Dropped fragmented traffic
    • MAC filtering
    • IP-MAC pair filtering
    • IP spoof prevention
    • SSL VPN tunnel
    • Protected application server
    • Heartbeat
  2. Select the following Web protection (web filtering log and application filtering log) logs:
    • Web filter
    • Application filter
  3. Select the following Network protection (IPS log) logs:
    • Anomaly
    • Signature
  4. Select the following System log:
    • System events

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| activityname | security_result.detection_fields.activityname | Value from the activityname field. |
| app_category | security_result.detection_fields.Application Category, application_category | Value from the app_category field. |
| app_filter_policy_id | security_result.detection_fields.app_filter_policy_id | Value from the app_filter_policy_id field. |
| app_is_cloud | security_result.detection_fields.app_is_cloud | Value from the app_is_cloud field. |
| app_name | principal.application | Value from the app_name field. |
| app_resolved_by | security_result.detection_fields.app_resolved_by | Value from the app_resolved_by field. |
| app_risk | security_result.detection_fields.Application Risk, application_risk | Value from the app_risk field. |
| app_technology | application_technology | Value from the app_technology field. |
| application | principal.application | Value from the application field. |
| application_category | security_result.detection_fields.Application Category | Value from the application_category field. |
| application_risk | security_result.detection_fields.Application Risk | Value from the application_risk field. |
| application_technology | security_result.detection_fields.Application Technology | Value from the application_technology field. |
| bytes_received | network.received_bytes | Value from the bytes_received field. |
| bytes_sent | network.sent_bytes | Value from the bytes_sent field. |
| category | application_category | Value from the category field. |
| category_type | security_result.detection_fields.category_type | Value from the category_type field. |
| client_host_name | network.dhcp.client_hostname | Value from the client_host_name field. |
| client_physical_address | network.dhcp.chaddr | Value from the client_physical_address field. |
| con_event | security_result.detection_fields.con_event | Value from the con_event field. |
| con_id | security_result.detection_fields.con_id | Value from the con_id field. |
| connevent | security_result.detection_fields.connevent | Value from the connevent field. |
| connid | security_result.detection_fields.connid | Value from the connid field. |
| date | event.timestamp | Parsed from the date and time fields, adjusted for timezone. |
| device_id | intermediary.asset.asset_id | Value from the device_id field, prefixed with ID:. |
| device_model | intermediary.hostname | Value from the device_model field. |
| device_name | intermediary.hostname | Value from the device_name field. |
| device_serial_id | intermediary.asset.asset_id | Value from the device_serial_id field, prefixed with ID:. |
| domain | principal.administrative_domain, target.hostname | Value from the domain field. |
| dst_country | target.location.country_or_region | Value from the dst_country field. |
| dst_country_code | target.location.country_or_region | Value from the dst_country_code field. |
| dst_ip | target.ip | Value from the dst_ip field. |
| dst_mac | target.mac | Value from the dst_mac field. |
| dst_port | target.port | Value from the dst_port field. |
| dst_trans_ip | target.nat_ip | Value from the dst_trans_ip field. |
| dst_trans_port | target.nat_port | Value from the dst_trans_port field. |
| dst_zone | security_result.detection_fields.dst_zone | Value from the dst_zone field. |
| dstzone | security_result.detection_fields.dstzone | Value from the dstzone field. |
| dstzonetype | security_result.detection_fields.dstzonetype | Value from the dstzonetype field. |
| duration | network.session_duration.seconds | Value from the duration field. |
| ether_type | security_result.detection_fields.ether_type | Value from the ether_type field. |
| exceptions | security_result.detection_fields.exceptions | Value from the exceptions field. |
| fw_rule_id | security_result.rule_id | Value from the fw_rule_id field. |
| fw_rule_name | security_result.rule_name | Value from the fw_rule_name field. |
| fw_rule_section | security_result.rule_set | Value from the fw_rule_section field. |
| fw_rule_type | security_result.rule_type | Value from the fw_rule_type field. |
| gw_id_request | security_result.detection_fields.gw_id_request | Value from the gw_id_request field. |
| gw_name_request | security_result.detection_fields.gw_name_request | Value from the gw_name_request field. |
| hb_health | security_result.detection_fields.hb_health | Value from the hb_health field. |
| hb_status | security_result.detection_fields.hb_status | Value from the hb_status field. |
| http_category | security_result.detection_fields.http_category | Value from the http_category field. |
| http_category_type | security_result.detection_fields.http_category_type | Value from the http_category_type field. |
| http_status | network.http.response_code | Value from the http_status field. |
| in_display_interface | security_result.detection_fields.in_display_interface | Value from the in_display_interface field. |
| in_interface | security_result.detection_fields.in_interface | Value from the in_interface field. |
| ipaddress | principal.ip, network.dhcp.ciaddr | Value from the ipaddress field. |
| log_component | metadata.product_event_type, security_result.detection_fields.log_component | Value from the log_component field. |
| log_id | metadata.product_log_id | Value from the log_id field. |
| log_msg | metadata.description | Value from the message field after removing message=. |
| log_occurrence | security_result.detection_fields.log_occurrence | Value from the log_occurrence field. |
| log_subtype | security_result.detection_fields.log_subtype, security_result.action | Value from the log_subtype field. |
| log_type | security_result.detection_fields.log_type | Value from the log_type field. |
| log_version | security_result.detection_fields.log_version | Value from the log_version field. |
| message | metadata.description | Value from the message field. |
| nat_rule_id | security_result.detection_fields.nat_rule_id | Value from the nat_rule_id field. |
| nat_rule_name | security_result.detection_fields.nat_rule_name | Value from the nat_rule_name field. |
| out_display_interface | security_result.detection_fields.out_display_interface | Value from the out_display_interface field. |
| out_interface | security_result.detection_fields.out_interface | Value from the out_interface field. |
| packets_received | network.received_packets | Value from the packets_received field. |
| packets_sent | network.sent_packets | Value from the packets_sent field. |
| priority | security_result.severity | Mapped from the priority or severity field based on a lookup table. |
| protocol | network.ip_protocol | Parsed from the protocol field using a lookup table. |
| reason | security_result.detection_fields.reason, security_result.summary | Value from the reason field. |
| recv_bytes | network.received_bytes | Value from the recv_bytes field. |
| recv_pkts | network.received_packets | Value from the recv_pkts field. |
| referer | network.http.referral_url | Value from the referer field. |
| rule_id | security_result.rule_id | Value from the rule_id field. |
| rule_name | security_result.rule_name | Value from the rule_name field. |
| sent_bytes | network.sent_bytes | Value from the sent_bytes field. |
| sent_pkts | network.sent_packets | Value from the sent_pkts field. |
| severity | priority | Value from the severity field. |
| src_country | principal.location.country_or_region | Value from the src_country field. |
| src_country_code | principal.location.country_or_region | Value from the src_country_code field. |
| src_ip | principal.ip | Value from the src_ip field. |
| src_mac | principal.mac | Value from the src_mac field. |
| src_port | principal.port | Value from the src_port field. |
| src_trans_ip | principal.nat_ip | Value from the src_trans_ip field. |
| src_trans_port | principal.nat_port | Value from the src_trans_port field. |
| src_zone | security_result.detection_fields.src_zone | Value from the src_zone field. |
| srczone | security_result.detection_fields.srczone | Value from the srczone field. |
| srczonetype | security_result.detection_fields.srczonetype | Value from the srczonetype field. |
| status | security_result.action_details, security_result.action | Value from the status field. |
| status_code | network.http.response_code | Value from the status_code field. |
| target.url | target.url | Value from the url field. |
| time | event.timestamp | Parsed from the date and time fields, adjusted for timezone. |
| timestamp | event.timestamp | Parsed from the timestamp field. |
| tran_dst_ip | target.nat_ip | Value from the tran_dst_ip field. |
| tran_dst_port | target.nat_port | Value from the tran_dst_port field. |
| tran_src_ip | principal.nat_ip | Value from the tran_src_ip field. |
| tran_src_port | principal.nat_port | Value from the tran_src_port field. |
| url | target.url | Value from the url field. |
| used_quota | security_result.detection_fields.used_quota | Value from the used_quota field. |
| user_agent | network.http.user_agent, network.http.parsed_user_agent | Value from the user_agent field. Parsed version also generated. |
| user_gp | extensions.auth.type | If user_gp is vpn, sets extensions.auth.type to VPN. |
| user_name | principal.user.userid, principal.user.email_addresses | Value from the user_name field. If it contains @, also added to email_addresses. |
| web_policy_id | security_result.detection_fields.web_policy_id | Value from the web_policy_id field. |
| N/A | event.idm.read_only_udm.metadata.event_timestamp | Copied from event.timestamp. |
| N/A | event.idm.read_only_udm.metadata.log_type | The Chronicle ingestion schema specifies the log type as SOPHOS_FIREWALL. |
| N/A | event.idm.read_only_udm.metadata.vendor_name | Constant value SOPHOS. |
| N/A | event.idm.read_only_udm.metadata.product_name | Constant value SOPHOS Firewall. |
| N/A | event.idm.read_only_udm.network.application_protocol | Set to DHCP if ipaddress field is present. Otherwise, derived from the protocol field. |
| N/A | event.idm.read_only_udm.metadata.event_type | Determined by logic based on the presence of other fields (e.g., NETWORK_HTTP, NETWORK_CONNECTION, NETWORK_DHCP, STATUS_UPDATE, GENERIC_EVENT). |
| N/A | event.idm.read_only_udm.security_result.action | Derived from the status or log_subtype fields. |
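To see what the key-value normalization and a subset of the mappings above produce for one line, here is an added illustration (not the Google SecOps parser's own code). The sample line is constructed, the regex and the event_type precedence are assumptions, and the timezone is kept as a label rather than converted.

```python
import re
from typing import Dict

# Subset of the page's UDM mapping table: Sophos XG key -> UDM field(s).
UDM_MAP = {
    "src_ip": ["principal.ip"], "dst_ip": ["target.ip"],
    "src_port": ["principal.port"], "dst_port": ["target.port"],
    "sent_bytes": ["network.sent_bytes"], "recv_bytes": ["network.received_bytes"],
    "fw_rule_id": ["security_result.rule_id"], "fw_rule_name": ["security_result.rule_name"],
    "log_id": ["metadata.product_log_id"], "device_name": ["intermediary.hostname"],
    "log_component": ["metadata.product_event_type",
                      "security_result.detection_fields.log_component"],
    "url": ["target.url"], "ipaddress": ["principal.ip", "network.dhcp.ciaddr"],
}
# key="quoted value" or key=bare_value; anything else (e.g. a syslog PRI header) is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample in Sophos "Device standard format"; values are not from a real device.
SAMPLE = ('<30>device="SFW" date=2023-11-20 time=10:15:30 timezone="IST" device_name="XG135" '
          'device_id=C010123456789 log_id=010101600001 log_type="Firewall" '
          'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
          'fw_rule_id=3 fw_rule_name="LAN to WAN" user_name="alice@example.com" user_gp="vpn" '
          'src_ip=10.0.0.5 src_port=51234 dst_ip=203.0.113.10 dst_port=443 protocol="TCP" '
          'sent_bytes=1200 recv_bytes=8400')

def parse_kv(line: str) -> Dict[str, str]:
    """Normalize one device-standard-format line into a flat key/value dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def to_udm(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply the table's mappings (subset) plus its special cases to parsed fields."""
    udm = {"metadata.vendor_name": "SOPHOS", "metadata.product_name": "SOPHOS Firewall"}
    for key, targets in UDM_MAP.items():
        if key in fields:
            for target in targets:
                udm[target] = fields[key]
    if "device_id" in fields:                        # table: prefixed with "ID:"
        udm["intermediary.asset.asset_id"] = "ID:" + fields["device_id"]
    if "user_name" in fields:                        # table: userid, plus email if it has "@"
        udm["principal.user.userid"] = fields["user_name"]
        if "@" in fields["user_name"]:
            udm["principal.user.email_addresses"] = fields["user_name"]
    if fields.get("user_gp", "").lower() == "vpn":   # table: user_gp vpn -> auth type VPN
        udm["extensions.auth.type"] = "VPN"
    if "date" in fields and "time" in fields:        # timezone kept as a label here
        tz = fields.get("timezone", "")
        udm["event.timestamp"] = f'{fields["date"]}T{fields["time"]} {tz}'.strip()
    # Assumed precedence for event_type; the page lists these types but not the order.
    udm["metadata.event_type"] = ("NETWORK_HTTP" if "url" in fields
        else "NETWORK_DHCP" if "ipaddress" in fields
        else "NETWORK_CONNECTION" if "src_ip" in fields and "dst_ip" in fields
        else "GENERIC_EVENT")
    return udm
```

Running `to_udm(parse_kv(SAMPLE))` is a quick way to check that a captured line from your own firewall splits on the expected keys before you rely on the fields in detections.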

Changes

2024-08-26

Enhancement:

  • Parsed logs for timezone=WAT.

2023-11-20

Enhancement:

  • Mapped packets_sent to network.sent_packets.
  • Mapped packets_received to network.received_packets.
  • Mapped src_trans_ip to principal.nat_ip.
  • Mapped src_trans_port to principal.nat_port.
  • Mapped dst_trans_ip to target.nat_ip.
  • Mapped dst_trans_port to target.nat_port.
  • Mapped bytes_sent to network.sent_bytes.
  • Mapped bytes_received to network.received_bytes.
  • Mapped duration to network.session_duration.
  • Mapped referer to network.http.referer_url.
  • Mapped ipaddress to principal.ip and network.dhcp.ciaddr.
  • Mapped client_physical_address to network.dhcp.chaddr.
  • Mapped client_host_name to network.dhcp.client_hostname.
  • Mapped reason to security_result.summary.
  • Mapped http_status to network.http.response_code.
  • Mapped app_name to principal.application.
  • Mapped out_display_interface, web_policy_id, http_category, http_category_type, exceptions, con_id, used_quota, src_zone_type, src_zone, dst_zone_type, dst_zone, app_risk, app_category, nat_rule_name, gw_id_request, gw_name_request, app_filter_policy_id, app_technology, in_interface, out_interface, con_event, srczonetype, dstzonetype, connevent, connid, hb_health, category_type, activityname to security_result.detection_fields.

2023-11-10

Enhancement:

  • Mapped fw_rule_type to security_result.rule_type.
  • Mapped severity to security_result.severity.
  • Mapped device_serial_id to principal.asset.asset_id.
  • Mapped log_type, log_component, log_subtype, log_version, nat_rule_id, ether_type, hb_status, app_resolved_by, app_is_cloud, qualifier, log_occurrence, in_display_interface to security_result.detection_fields.

2023-04-03

Enhancement:

  • Modified mapping of device_name from principal.hostname to intermediary.hostname.
  • Modified mapping of device_id from principal.asset.asset_id to intermediary.asset.asset_id.
  • Modified mapping of metadata.vendor_name from SOPHOS Ltd. to SOPHOS.
  • Mapped sent_pkts to network.sent_packets.
  • Mapped recv_pkts to network.received_packets.
  • Mapped tran_src_ip to principal.nat_ip.
  • Mapped tran_src_port to principal.nat_port.
  • Mapped tran_dst_ip to target.nat_ip.
  • Mapped tran_dst_port to target.nat_port.

2022-12-01

Enhancement:

  • Parsed logs for timezone=IST.
  • Mapped application_category, application_risk and application_technology to security_result.detection_fields.
  • Mapped fw_rule_name to security_result.rule_name.
  • Mapped fw_rule_section to security_result.rule_set.

2022-08-18

Enhancement:

  • Parsed logs for timezone=CEST.
  • Reduced Generic Event percentage.
  • Mapped user_name to event.idm.read_only_udm.principal.user.userid.
  • Mapped device_id to event.idm.read_only_udm.principal.asset.asset_id.
