The Sophos firewall logs are labeled with the firewall.sophos.type.subtype tag.

Tag structure

  • The elements type and subtype are fixed and they identify the type and format of the sent event.
  • These elements can have one of the following values (corresponding to the different log types):
    • firewall.sophos.general.system
    • firewall.sophos.securemail.smtp
    • firewall.sophos.securenet.ips
    • firewall.sophos.securenet.packetfilter
    • firewall.sophos.secureweb.http
    • firewall.sophos.system.auth
    • firewall.sophos.system.confd
    • firewall.sophos.system.eplog
    • firewall.sophos.system.epsecd
    • firewall.sophos.system.up2date

For more information on how tags work, please check Introduction to tags article.

In-house Relay configuration

First step is to install an In-house Relay for the correct tagging of the logs.

Then you should define a new rule where all the events coming to the port (eg. port 13003/tedp) are tagged as firewall.sophos.type.subtype.

  • This rule should also cover the adding of the corresponding type.subtype to the firewall.sophos depending on the events nature. 
  • This information is extracted from the message using a regular expression. The data captured is used to create the final label for each event. 

You must consider the following fields when creating the new rule.

  • First rule
    • port → 13003
    • source Data → sys=\"([^\"]+)\" sub=\"([^\"]+)\"
    • target Tag → firewall.sophos.\\D1.\\D2
    • target Message → \\D0
    • Check the following boxes:
      • Stop processing 
      • Send without tag 

  • Second rule
    • port → 13003
    • targetTag → firewall.sophos.general.system
    • Check the following box:
      • Send without tag

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.