diff --git a/filters/sophos/sophos_xg_firewall.conf b/filters/sophos/sophos_xg_firewall.conf
index c51834263..da1ac71a4 100644
--- a/filters/sophos/sophos_xg_firewall.conf
+++ b/filters/sophos/sophos_xg_firewall.conf
@@ -1,6 +1,6 @@
 filter {
-# Sophos filter version 2.0.1
+# Sophos filter version 2.1.0
 # Based on https://docs.sophos.com/nsg/sophos-firewall/17.5/PDF/SFOS_Logfile_Guide_17.5.pdf
 # and https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf
 # and https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogMessages.html
@@ -42,6 +42,7 @@ filter {
 gsub => ["device_name", '"', ""]
 gsub => ["log_type", '"', ""]
 gsub => ["log_component", '"', ""]
+ gsub => ["log_id", '"', ""]
 }
 if [log_type] and ([log_type] == "Firewall" or [log_type] == "Content Filtering" or [log_type] == "Event" or [log_type] == "WAF" or [log_type] == "System Health" or [log_type] == "IDP"
@@ -133,7 +134,7 @@ filter {
 }
 }
- if [logx][sophos][device] and [logx][sophos][device] == "SFW" {
+ if [logx][sophos][device] {
 if [msg] {
 #Fields from Firewall log_type
 grok {
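Review bot: The relaxed condition on the `if` line of the `@@ -133` hunk now enters the device-specific parsing branch for any event that carries `[logx][sophos][device]`, not only `device="SFW"`, so an event from a device type whose `msg` layout differs will be run through the same grok set and, unless the file sets `tag_on_failure => []` somewhere I cannot see, will likely collect `_grokparsefailure` tags. If the intent is that newer appliances report a device string other than `SFW`, it would be safer to enumerate the accepted values, e.g. `if [logx][sophos][device] in ["SFW", "<other observed value>"] {`, and to record the reason next to the line, e.g. `# not restricted to SFW: <device values seen on newer firmware> — see the syslog guide linked in the header`. The body of this `if` block continues past the end of the hunk.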
@@ -227,11 +228,123 @@ filter {
 ]
 }
 }
+ # New XGS fields - Firewall rules
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} fw_rule_name=%{QUOTEDSTRING:fw_rule_name} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} fw_rule_section=%{QUOTEDSTRING:fw_rule_section} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} nat_rule_name=%{QUOTEDSTRING:nat_rule_name} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - SD-WAN profile request
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_profile_id_request=%{NUMBER:sdwan_profile_id_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_profile_name_request=%{QUOTEDSTRING:sdwan_profile_name_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - SD-WAN profile reply
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_profile_id_reply=%{NUMBER:sdwan_profile_id_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_profile_name_reply=%{QUOTEDSTRING:sdwan_profile_name_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - Gateway request
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} gw_id_request=%{NUMBER:gw_id_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} gw_name_request=%{QUOTEDSTRING:gw_name_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - Gateway reply
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} gw_id_reply=%{NUMBER:gw_id_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} gw_name_reply=%{QUOTEDSTRING:gw_name_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - SD-WAN route request
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_route_id_request=%{NUMBER:sdwan_route_id_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_route_name_request=%{QUOTEDSTRING:sdwan_route_name_request} %{GREEDYDATA}"
+ ]
+ }
+ }
+ # New XGS fields - SD-WAN route reply
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_route_id_reply=%{NUMBER:sdwan_route_id_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
+ grok {
+ match => {
+ "msg" => [
+ "%{GREEDYDATA} sdwan_route_name_reply=%{QUOTEDSTRING:sdwan_route_name_reply} %{GREEDYDATA}"
+ ]
+ }
+ }
 #1.3.7
 grok {
 match => {
 "msg" => [
- "%{GREEDYDATA} dst_mac=%{QUOTEDSTRING:dst_mac} %{GREEDYDATA}"
+ "%{GREEDYDATA} dst_mac=%{DATA:dst_mac} %{GREEDYDATA}"
 ]
 }
 }
@@ -305,7 +418,7 @@ filter {
 grok {
 match => {
 "msg" => [
- "%{GREEDYDATA} src_mac=%{QUOTEDSTRING:src_mac} %{GREEDYDATA}"
+ "%{GREEDYDATA} src_mac=%{DATA:src_mac} %{GREEDYDATA}"
 ]
 }
 }
@@ -534,6 +647,17 @@ filter {
 #1.3.7
 gsub => ["dst_mac", '"', ""]
+ #New XGS fields
+ gsub => ["fw_rule_name", '"', ""]
+ gsub => ["fw_rule_section", '"', ""]
+ gsub => ["nat_rule_name", '"', ""]
+ gsub => ["sdwan_profile_name_request", '"', ""]
+ gsub => ["sdwan_profile_name_reply", '"', ""]
+ gsub => ["gw_name_request", '"', ""]
+ gsub => ["gw_name_reply", '"', ""]
+ gsub => ["sdwan_route_name_request", '"', ""]
+ gsub => ["sdwan_route_name_reply", '"', ""]
+
 #New fields from Content Filtering log_type
 gsub => ["category", '"', ""]
 gsub => ["category_type", '"', ""]
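Review bot: The sixteen new `grok` blocks in the `@@ -227` hunk each run an unanchored `%{GREEDYDATA} key=… %{GREEDYDATA}` match over the whole `msg`, so every event in this branch pays sixteen additional full-message regex passes, and each block whose key is absent from the event adds a `_grokparsefailure` tag unless `tag_on_failure => []` is set, which I cannot see from these hunks. The same key=value extraction could be done by one `kv` filter on `msg` limited with `include_keys` to these field names, which would also remove the need for the matching `gsub` list in the `@@ -534` hunk; failing that, the six id fields should be captured with a type, e.g. `%{NUMBER:sdwan_profile_id_request:int}`, since `%{NUMBER}` alone yields strings. The change from `%{QUOTEDSTRING}` to `%{DATA}` for `dst_mac` here and for `src_mac` in the `@@ -305` hunk also accepts unquoted and empty values, so `dst_mac= ` now produces an empty field instead of a non-match; the `#1.3.7` comment should say why, e.g. `# DATA instead of QUOTEDSTRING: the MAC value is not always quoted (confirm against the syslog guide)`. The enclosing `if [msg] {` block begins before this hunk and the `mutate` holding the `gsub` lines begins and ends outside the `@@ -534` hunk.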
@@ -794,6 +918,23 @@ filter {
 #1.3.7
 rename => { "[dst_mac]" => "[logx][sophos][dst_mac]" }
+ #New XGS fields
+ rename => { "[fw_rule_name]" => "[logx][sophos][fw_rule_name]" }
+ rename => { "[fw_rule_section]" => "[logx][sophos][fw_rule_section]" }
+ rename => { "[nat_rule_name]" => "[logx][sophos][nat_rule_name]" }
+ rename => { "[sdwan_profile_id_request]" => "[logx][sophos][sdwan_profile_id_request]" }
+ rename => { "[sdwan_profile_name_request]" => "[logx][sophos][sdwan_profile_name_request]" }
+ rename => { "[sdwan_profile_id_reply]" => "[logx][sophos][sdwan_profile_id_reply]" }
+ rename => { "[sdwan_profile_name_reply]" => "[logx][sophos][sdwan_profile_name_reply]" }
+ rename => { "[gw_id_request]" => "[logx][sophos][gw_id_request]" }
+ rename => { "[gw_name_request]" => "[logx][sophos][gw_name_request]" }
+ rename => { "[gw_id_reply]" => "[logx][sophos][gw_id_reply]" }
+ rename => { "[gw_name_reply]" => "[logx][sophos][gw_name_reply]" }
+ rename => { "[sdwan_route_id_request]" => "[logx][sophos][sdwan_route_id_request]" }
+ rename => { "[sdwan_route_name_request]" => "[logx][sophos][sdwan_route_name_request]" }
+ rename => { "[sdwan_route_id_reply]" => "[logx][sophos][sdwan_route_id_reply]" }
+ rename => { "[sdwan_route_name_reply]" => "[logx][sophos][sdwan_route_name_reply]" }
+
 #New fields from Content Filtering log_type
 rename => { "[category]" => "[logx][sophos][category]" }
 rename => { "[category_type]" => "[logx][sophos][category_type]" }
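Review bot: The six id fields renamed here (`sdwan_profile_id_*`, `gw_id_*`, `sdwan_route_id_*`) are captured earlier with plain `%{NUMBER}` and nothing in the visible hunks converts them, so they arrive under `[logx][sophos]` as strings; if they are meant to be numeric for downstream mappings or aggregations, a `convert` in the same `mutate` (which applies after `rename`) would fix that. I would also point the `#New XGS fields` comment at the document these fields come from, the way the header comments do, e.g. `#New XGS fields - see the 18.5 syslog guide linked at the top of this file` if that is indeed the source. The enclosing `mutate` starts and ends outside this hunk.
```logstash
# … unchanged: rename lines above …
convert => {
  "[logx][sophos][sdwan_profile_id_request]" => "integer"
  "[logx][sophos][sdwan_profile_id_reply]" => "integer"
  "[logx][sophos][gw_id_request]" => "integer"
  "[logx][sophos][gw_id_reply]" => "integer"
  "[logx][sophos][sdwan_route_id_request]" => "integer"
  "[logx][sophos][sdwan_route_id_reply]" => "integer"
}
# … unchanged: Content Filtering renames below …
```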