Collect Sophos UTM logs

Supported in:

This document describes how you can collect Sophos UTM logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SOPHOS_UTM ingestion label.

Configure Sophos UTM point

  1. Sign in to the Sophos UTM console using administrator credentials.
  2. Select Logging & reporting > Log settings. The Local logging tab is enabled by default.
  3. Click the Remote syslog server tab.
  4. Click the toggle button to enable the Remote syslog server tab.

  5. In the Remote syslog settings section, in the Syslog servers field, add or modify the syslog server settings:

    • To add the Syslog server settings, click + Add syslog server.

      In the Add syslog server dialog, do the following:

      1. In the Name field, enter the syslog server name.
      2. In the Server field, enter the syslog server details.
      3. In the Port field, enter the syslog server port details.
      4. Click Save.

    • To modify the Syslog server settings, click Edit, and then update the settings.

  6. In the Remote syslog buffer field, enter the default value, such as 1000.

  7. In the Remote syslog log selection section, select the following logs that must be sent to the remote syslog server:

    • Advanced threat protection
    • Configuration daemon
    • Firewall
    • Intrusion prevention system
    • Local logins
    • Logging subsystem
    • System messages
    • User authentication daemon
    • Web filtering

  8. Click Apply to save the changes.

Configure Google Security Operations forwarder to ingest Sophos UTM logs

  1. Go to SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder Name field, enter a unique name for the forwarder.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select Sophos UTM as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol the collector will use to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation.

For information about requirements for each forwarder type, see Forwarder configuration by type.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This Sophos UTM parser extracts key-value pairs and other fields from Sophos UTM firewall logs, converting them into UDM format. It handles various log types, including firewall events, DHCP events, and user login/logout events, mapping relevant fields to their corresponding UDM counterparts and enriching the data with additional context.

UDM Mapping Table

Log Field UDM Mapping Logic
action security_result.action If action is "pass" or "accept", map to "ALLOW". If action is "drop", map to "BLOCK".
ad_domain target.administrative_domain Direct mapping.
address target.ip, target.asset.ip Direct mapping, used when id is "2203".
app target.application Direct mapping.
app-id additional.fields[].key, additional.fields[].value.string_value Renamed to app_id. If not empty, the key is set to "app-id" and the value is the app-id itself.
application principal.application Direct mapping.
aptptime additional.fields[].key, additional.fields[].value.string_value If not empty, the key is set to "aptptime" and the value is the aptptime itself.
auth extensions.auth.auth_details Direct mapping.
authtime additional.fields[].key, additional.fields[].value.string_value If not empty and not "0", the key is set to "authtime" and the value is the authtime itself.
avscantime additional.fields[].key, additional.fields[].value.string_value If not empty and not "0", the key is set to "avscantime" and the value is the avscantime itself.
category security_result.detection_fields[].key, security_result.detection_fields[].value If not empty, the key is set to "category" and the value is the category itself. If name contains "portscan", security_result.category is set to "NETWORK_RECON" and a detection field with key "category" and value "NETWORK_RECON" is added.
categoryname security_result.category_details Direct mapping.
connection security_result.rule_name Direct mapping, used when id is "2203".
content-type data (See other fields) The data field contains key-value pairs that are parsed into individual fields.
datetime metadata.event_timestamp Parsed and mapped as seconds since epoch.
device additional.fields[].key, additional.fields[].value.string_value If not empty and not "0", the key is set to "device" and the value is the device itself.
dnstime additional.fields[].key, additional.fields[].value.string_value If not empty and not "0", the key is set to "dnstime" and the value is the dnstime itself.
dstip target.ip, target.asset.ip Direct mapping. Also extracted from the url field if present.
dstmac target.mac Direct mapping.
dstport target.port Direct mapping, converted to integer.
error event security_result.summary Direct mapping, used when id is "2201", "2202", or "2203".
exceptions additional.fields[].key, additional.fields[].value.string_value If not empty, the key is set to "exceptions" and the value is the exceptions itself.
file about.file.full_path Direct mapping.
filteraction security_result.rule_name Direct mapping.
fullreqtime additional.fields[].key, additional.fields[].value.string_value If not empty, the key is set to "fullreqtime" and the value is the fullreqtime itself.
fwrule security_result.rule_id Direct mapping.
group target.group.group_display_name Direct mapping.
id metadata.product_log_id Direct mapping.
info security_result.description Direct mapping. If present, metadata.event_type is set to "NETWORK_UNCATEGORIZED".
initf interface security_result.about.labels[].key, security_result.about.labels[].value If not empty, a label with key "Interface" and value interface is added to security_result.about.labels.
ip_address target.ip, target.asset.ip Direct mapping.
length line message security_result.summary Used when id is "0003". Also used for general grok parsing.
method network.http.method Direct mapping.
name security_result.summary Direct mapping.
outitf pid target.process.pid Direct mapping.
port target.port Direct mapping, converted to integer.
prec profile security_result.rule_name Direct mapping.
proto network.ip_protocol Converted to IP protocol name using a lookup table.
reason referer network.http.referral_url Direct mapping.
request additional.fields[].key, additional.fields[].value.string_value If not empty, the key is set to "request" and the value is the request itself.
reputation additional.fields[].key, additional.fields[].value.string_value If not empty, the key is set to "reputation" and the value is the reputation itself.
rx network.received_bytes Direct mapping, used when id is "2202", converted to unsigned integer.
sandbox severity security_result.severity If severity is "info", map to "LOW".
size target.file.size Direct mapping, converted to unsigned integer.
srcip principal.ip, principal.asset.ip Direct mapping.
srcmac principal.mac Direct mapping.
srcport principal.port Direct mapping, converted to integer.
statuscode network.http.response_code Direct mapping, converted to integer.
sub network.application_protocol If sub is "http", the metadata.event_type is set to "NETWORK_HTTP" and network.application_protocol is set to "HTTP". If sub is "packetfilter", metadata.description is set to sub. Otherwise, converted to application protocol name using a lookup table. If no match is found in the lookup table, the dstport is used for the lookup.
sys metadata.product_event_type Direct mapping.
tcpflags tos ttl tx network.sent_bytes Direct mapping, used when id is "2202", converted to unsigned integer.
ua network.http.user_agent Direct mapping.
url network.http.referral_url, target.hostname, target.asset.hostname Direct mapping for network.http.referral_url. Extracted hostname for target.hostname and target.asset.hostname. Also used to extract dstip.
user target.user.userid Direct mapping.
username target.user.userid Direct mapping, used when id is "2201" or "2202".
variant Not included in final UDM, but used in description Used in conjunction with sub to create the security_result.description when id is "2201", "2202", or "2203".
virtual_ip target.ip, target.asset.ip Direct mapping, used when id is "2201" or "2202".
metadata.event_type metadata.event_type Initialized to "GENERIC_EVENT". Set to specific values based on log content and parser logic.
metadata.log_type metadata.log_type Hardcoded to "SOPHOS_UTM".
metadata.product_name metadata.product_name Hardcoded to "SOPHOS UTM".
metadata.vendor_name metadata.vendor_name Hardcoded to "SOPHOS Ltd".
intermediary.hostname intermediary.hostname Extracted from the log message using grok and renamed.

Changes

2024-05-29

  • Enhancement -
  • Mapped "url" to "target.hostname" and "target.asset.hostname".

2022-06-30

  • Enhancement -
  • Mapped "size" to "additional.fields".
  • Mapped "fullreqtime" to "additional.fields".
  • Mapped "category" to "security_result.detection_fields".
  • Mapped "device" to "additional.fields".
  • Mapped "exceptions" to "additional.fields".
  • When "action" is equal to "DROP" then Mapped "security_result.action" to "BLOCK".
  • Mapped "inter_host" to "intermediary.hostname".

2022-04-13

  • Enhancement - Added mappings for following fields:
  • 'categoryname' to 'security_result.category_details'.
  • 'user' to 'target.user.userid'
  • 'ad_domain' to 'target.administrative_domain'
  • 'group' to 'target.group.group_display_name'
  • 'sys' to 'metadata.product_event_type'
  • 'application' to 'principal.application'
  • 'auth' to 'extensions.auth.auth_details'
  • 'profile' to 'security_result1.rule_name'
  • 'app-id', 'reputation', 'request', 'authtime', 'dnstime', 'aptptime', 'cattime', 'avscantime' to 'additional.fields'