
Commit a611754

feat(filters/sophos_xg): add steps to accept new fields and version of sophos_xg
1 parent 4a26bb9 commit a611754

1 file changed

Lines changed: 145 additions & 4 deletions


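--- a/filters/sophos/sophos_xg_firewall.conf
+++ b/filters/sophos/sophos_xg_firewall.conf
@@ -1,6 +1,6 @@
 filter {
 
-# Sophos filter version 2.0.1
+# Sophos filter version 2.1.0
 # Based on https://docs.sophos.com/nsg/sophos-firewall/17.5/PDF/SFOS_Logfile_Guide_17.5.pdf
 # and https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf
 # and https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogMessages.html
@@ -42,6 +42,7 @@ filter {
 gsub => ["device_name", '"', ""]
 gsub => ["log_type", '"', ""]
 gsub => ["log_component", '"', ""]
+gsub => ["log_id", '"', ""]
 }
 if [log_type] and ([log_type] == "Firewall" or [log_type] == "Content Filtering" or [log_type] == "Event"
 or [log_type] == "WAF" or [log_type] == "System Health" or [log_type] == "IDP"
@@ -133,7 +134,7 @@ filter {
 }
 }
 
-if [logx][sophos][device] and [logx][sophos][device] == "SFW" {
+if [logx][sophos][device] {
 if [msg] {
 #Fields from Firewall log_type
 grok {
@@ -227,11 +228,123 @@ filter {
 ]
 }
 }
+# New XGS fields - Firewall rules
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} fw_rule_name=%{QUOTEDSTRING:fw_rule_name} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} fw_rule_section=%{QUOTEDSTRING:fw_rule_section} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} nat_rule_name=%{QUOTEDSTRING:nat_rule_name} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - SD-WAN profile request
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_profile_id_request=%{NUMBER:sdwan_profile_id_request} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_profile_name_request=%{QUOTEDSTRING:sdwan_profile_name_request} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - SD-WAN profile reply
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_profile_id_reply=%{NUMBER:sdwan_profile_id_reply} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_profile_name_reply=%{QUOTEDSTRING:sdwan_profile_name_reply} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - Gateway request
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} gw_id_request=%{NUMBER:gw_id_request} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} gw_name_request=%{QUOTEDSTRING:gw_name_request} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - Gateway reply
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} gw_id_reply=%{NUMBER:gw_id_reply} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} gw_name_reply=%{QUOTEDSTRING:gw_name_reply} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - SD-WAN route request
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_route_id_request=%{NUMBER:sdwan_route_id_request} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_route_name_request=%{QUOTEDSTRING:sdwan_route_name_request} %{GREEDYDATA}"
+]
+}
+}
+# New XGS fields - SD-WAN route reply
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_route_id_reply=%{NUMBER:sdwan_route_id_reply} %{GREEDYDATA}"
+]
+}
+}
+grok {
+match => {
+"msg" => [
+"%{GREEDYDATA} sdwan_route_name_reply=%{QUOTEDSTRING:sdwan_route_name_reply} %{GREEDYDATA}"
+]
+}
+}
 #1.3.7
 grok {
 match => {
 "msg" => [
-"%{GREEDYDATA} dst_mac=%{QUOTEDSTRING:dst_mac} %{GREEDYDATA}"
+"%{GREEDYDATA} dst_mac=%{DATA:dst_mac} %{GREEDYDATA}"
 ]
 }
 }
@@ -305,7 +418,7 @@ filter {
 grok {
 match => {
 "msg" => [
-"%{GREEDYDATA} src_mac=%{QUOTEDSTRING:src_mac} %{GREEDYDATA}"
+"%{GREEDYDATA} src_mac=%{DATA:src_mac} %{GREEDYDATA}"
 ]
 }
 }
@@ -534,6 +647,17 @@ filter {
 #1.3.7
 gsub => ["dst_mac", '"', ""]
 
+#New XGS fields
+gsub => ["fw_rule_name", '"', ""]
+gsub => ["fw_rule_section", '"', ""]
+gsub => ["nat_rule_name", '"', ""]
+gsub => ["sdwan_profile_name_request", '"', ""]
+gsub => ["sdwan_profile_name_reply", '"', ""]
+gsub => ["gw_name_request", '"', ""]
+gsub => ["gw_name_reply", '"', ""]
+gsub => ["sdwan_route_name_request", '"', ""]
+gsub => ["sdwan_route_name_reply", '"', ""]
+
 #New fields from Content Filtering log_type
 gsub => ["category", '"', ""]
 gsub => ["category_type", '"', ""]
@@ -794,6 +918,23 @@ filter {
 #1.3.7
 rename => { "[dst_mac]" => "[logx][sophos][dst_mac]" }
 
+#New XGS fields
+rename => { "[fw_rule_name]" => "[logx][sophos][fw_rule_name]" }
+rename => { "[fw_rule_section]" => "[logx][sophos][fw_rule_section]" }
+rename => { "[nat_rule_name]" => "[logx][sophos][nat_rule_name]" }
+rename => { "[sdwan_profile_id_request]" => "[logx][sophos][sdwan_profile_id_request]" }
+rename => { "[sdwan_profile_name_request]" => "[logx][sophos][sdwan_profile_name_request]" }
+rename => { "[sdwan_profile_id_reply]" => "[logx][sophos][sdwan_profile_id_reply]" }
+rename => { "[sdwan_profile_name_reply]" => "[logx][sophos][sdwan_profile_name_reply]" }
+rename => { "[gw_id_request]" => "[logx][sophos][gw_id_request]" }
+rename => { "[gw_name_request]" => "[logx][sophos][gw_name_request]" }
+rename => { "[gw_id_reply]" => "[logx][sophos][gw_id_reply]" }
+rename => { "[gw_name_reply]" => "[logx][sophos][gw_name_reply]" }
+rename => { "[sdwan_route_id_request]" => "[logx][sophos][sdwan_route_id_request]" }
+rename => { "[sdwan_route_name_request]" => "[logx][sophos][sdwan_route_name_request]" }
+rename => { "[sdwan_route_id_reply]" => "[logx][sophos][sdwan_route_id_reply]" }
+rename => { "[sdwan_route_name_reply]" => "[logx][sophos][sdwan_route_name_reply]" }
+
 #New fields from Content Filtering log_type
 rename => { "[category]" => "[logx][sophos][category]" }
 rename => { "[category_type]" => "[logx][sophos][category_type]" }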
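Review bot: Each of the fifteen new per-field grok filters (`fw_rule_name` through `sdwan_route_name_reply`) rescans the whole `msg` with a leading `%{GREEDYDATA}` and, unless a `tag_on_failure` default is set somewhere outside this hunk, adds `_grokparsefailure` to every event that lacks that key — and since the SD-WAN and gateway keys are optional, that will be most events, which buries genuine parse errors under routine misses. Collapsing them into one grok with `break_on_match => false` and `tag_on_failure => []` keeps the same captures while running a single filter and leaving the tag meaningful; the older per-field groks for this log type (e.g. `dst_mac`, `src_mac`) would benefit from the same treatment. Separately, `if [logx][sophos][device] {` now admits any device value where the old line required `SFW`; if that is what lets XGS logs through, a one-line comment stating why the value check was dropped would record the intent. The enclosing `if [logx][sophos][device]` and `if [msg]` blocks start and end outside the hunk.
```logstash
      # New XGS fields - firewall/NAT rule names, SD-WAN profile/route and gateway request/reply.
      # One grok pass: break_on_match => false tries every pattern, and tag_on_failure => []
      # stops events that simply lack these optional keys from being tagged _grokparsefailure.
      grok {
        break_on_match => false
        tag_on_failure => []
        match => {
          "msg" => [
            "%{GREEDYDATA} fw_rule_name=%{QUOTEDSTRING:fw_rule_name} %{GREEDYDATA}",
            "%{GREEDYDATA} fw_rule_section=%{QUOTEDSTRING:fw_rule_section} %{GREEDYDATA}",
            "%{GREEDYDATA} nat_rule_name=%{QUOTEDSTRING:nat_rule_name} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_profile_id_request=%{NUMBER:sdwan_profile_id_request} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_profile_name_request=%{QUOTEDSTRING:sdwan_profile_name_request} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_profile_id_reply=%{NUMBER:sdwan_profile_id_reply} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_profile_name_reply=%{QUOTEDSTRING:sdwan_profile_name_reply} %{GREEDYDATA}",
            "%{GREEDYDATA} gw_id_request=%{NUMBER:gw_id_request} %{GREEDYDATA}",
            "%{GREEDYDATA} gw_name_request=%{QUOTEDSTRING:gw_name_request} %{GREEDYDATA}",
            "%{GREEDYDATA} gw_id_reply=%{NUMBER:gw_id_reply} %{GREEDYDATA}",
            "%{GREEDYDATA} gw_name_reply=%{QUOTEDSTRING:gw_name_reply} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_route_id_request=%{NUMBER:sdwan_route_id_request} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_route_name_request=%{QUOTEDSTRING:sdwan_route_name_request} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_route_id_reply=%{NUMBER:sdwan_route_id_reply} %{GREEDYDATA}",
            "%{GREEDYDATA} sdwan_route_name_reply=%{QUOTEDSTRING:sdwan_route_name_reply} %{GREEDYDATA}"
          ]
        }
      }
      # … unchanged: dst_mac grok (#1.3.7) and the rest of the Firewall field extraction …
```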
