New log parser Sophos Firewall
Please add a new log parser for Sophos Firewall data.
TA: https://splunkbase.splunk.com/app/6187/ Sourcetypes:
- sophos:xg:firewall
- sophos:xg:anti_virus
- sophos:xg:content_filtering
- sophos:xg:system_health
- sophos:xg:event
- sophos:xg:anti_spam
- sophos:xg:sandbox
<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4203AY8GXPYJ21 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=25 fw_rule_id=2 nat_rule_id=0 policy_type=1 user_name="" user_gp="" iap=15 ips_policy_id=1 appfilter_policy_id=0 application="Secure Socket Layer Protocol" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac=00:56:2B:8B:10:70 dst_mac=00:EA:BD:05:39:BD src_ip=172.24.96.104 src_country_code=R1 dst_ip=65.23.17.9 dst_country_code=USA protocol="TCP" src_port=59163 dst_port=443 sent_pkts=7 recv_pkts=7 sent_bytes=883 recv_bytes=4720 tran_src_ip= tran_src_port=0 tran_dst_ip=172.24.99.169 tran_dst_port=3128 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1952866304" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4203AY8GXPYJ21 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=136 fw_rule_id=2 nat_rule_id=0 policy_type=1 user_name="" user_gp="" iap=15 ips_policy_id=1 appfilter_policy_id=0 application="MSN" application_risk=3 application_technology="Browser Based" application_category="General Internet" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac=00:56:2B:8B:10:70 dst_mac=00:EA:BD:05:39:BD src_ip=10.41.254.203 src_country_code=R1 dst_ip=205.39.17.23 dst_country_code=USA protocol="TCP" src_port=59932 dst_port=443 sent_pkts=18 recv_pkts=16 sent_bytes=2422 recv_bytes=9586 tran_src_ip= tran_src_port=0 tran_dst_ip=172.24.99.169 tran_dst_port=3128 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2108879552" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4207AY8QXPYJ2E log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=15 category="Search Engines" category_type="Acceptable" url="https://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.1.24.13 dst_ip=216.239.38.120 protocol="TCP" src_port=58562 dst_port=443 sent_bytes=591 recv_bytes=4428 domain=www.google.com exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=2491244032 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"
@rjha-splunk Here is a sample parser we came up with for Sophos logs, in case it helps. Apologies for not having more sample logs: because this is a firewall, the volume of firewall events grows very quickly before events from the other sourcetypes show up.
# Sophos Firewall XG Parser
#
# Classifies Sophos XG/SFW key=value syslog events into Splunk sourcetypes.
# The first rewrite sets the catch-all destination (index, sourcetype, vendor,
# product, class and a message-only template). Each following rewrite looks
# for the literal log_type="..." field as a substring of the whole message and,
# when it matches, overrides sourcetype and class. syslog-ng evaluates the
# rewrite blocks in order, so if more than one literal were present in a
# message the last matching block would win.
#
# NOTE(review): the match is a substring over the entire message, not over a
# parsed log_type field. Client-influenced fields present in these events
# (url=, user_agent=, referer=, message=) could in principle carry a
# log_type="..." literal and steer classification — confirm whether the device
# escapes quotes in those values, or match on a kv-parsed log_type instead.
# NOTE(review): date=/time=/timezone= travel inside the message and are not
# parsed here; with a PRI-only header (<30>device=...) the event presumably
# receives the syslog-ng receive timestamp — confirm if device time is needed.
# NOTE(review): several sourcetypes below (atp, ssl, heartbeat, waf,
# wireless_protection, idp) are not in the TA sourcetype list quoted in the
# issue — verify they exist in the TA's props.conf before relying on them.
block parser sophos_firewall_xg-parser() {
    channel {
        # Catch-all destination: every event reaching this parser lands here
        # unless one of the log_type rules below overrides sourcetype/class.
        # NOTE(review): confirm the 'firewall' index exists on the target
        # indexer (or is remapped via sc4s metadata overrides).
        rewrite {
            r_set_splunk_dest_default(
                index('firewall')
                sourcetype('sophos:xg:logs')
                vendor('sophos')
                product('xg')
                class('logs')
                template('t_msg_only')
            );
        };
        # ATP — advanced threat protection events
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:atp')
                class('atp')
                condition(message('log_type="ATP"' type(string) flags(substring)))
            );
        };
        # Anti Spam
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:anti_spam')
                class('anti_spam')
                condition(message('log_type="Anti-Spam"' type(string) flags(substring)))
            );
        };
        # Anti Virus
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:anti_virus')
                class('anti_virus')
                condition(message('log_type="Anti-Virus"' type(string) flags(substring)))
            );
        };
        # Content Filtering — web/HTTP policy events (see the HTTP sample in the issue)
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:content_filtering')
                class('content_filtering')
                condition(message('log_type="Content Filtering"' type(string) flags(substring)))
            );
        };
        # Event
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:event')
                class('event')
                condition(message('log_type="Event"' type(string) flags(substring)))
            );
        };
        # Firewall — rule allow/deny traffic events (see the Firewall samples in the issue)
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:firewall')
                class('firewall')
                condition(message('log_type="Firewall"' type(string) flags(substring)))
            );
        };
        # SSL
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:ssl')
                class('ssl')
                condition(message('log_type="SSL"' type(string) flags(substring)))
            );
        };
        # Sandbox
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:sandbox')
                class('sandbox')
                condition(message('log_type="Sandbox"' type(string) flags(substring)))
            );
        };
        # System Health
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:system_health')
                class('system_health')
                condition(message('log_type="System Health"' type(string) flags(substring)))
            );
        };
        # Heartbeat — note: the hb_health="No Heartbeat" field in firewall
        # events does not contain this literal, so it does not trigger this rule.
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:heartbeat')
                class('heartbeat')
                condition(message('log_type="Heartbeat"' type(string) flags(substring)))
            );
        };
        # WAF
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:waf')
                class('waf')
                condition(message('log_type="WAF"' type(string) flags(substring)))
            );
        };
        # Wireless Protection
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:wireless_protection')
                class('wireless_protection')
                condition(message('log_type="Wireless Protection"' type(string) flags(substring)))
            );
        };
        # IDP — intrusion detection/prevention events
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:idp')
                class('idp')
                condition(message('log_type="IDP"' type(string) flags(substring)))
            );
        };
    };
};
# Route Sophos SFW key=value events to sophos_firewall_xg-parser.
# Both literals must appear somewhere in the message: the device marker and
# a log_type= field. Both are plain substring matches, not anchored to the
# start of the message.
application sophos_firewall_xg[sc4s-syslog] {
    filter {
        message('log_type=' type(string) flags(substring))
        and message('device="SFW"' type(string) flags(substring));
    };
    parser { sophos_firewall_xg-parser(); };
};
Thank you so much for providing it. I will write a test case and release it after analysis this week. FYI @nandinivij @mkarlstrand-splunk @satellite-no