The tags beginning with firewall.sophos.xgfirewall identify log events generated by the Sophos XG Firewalls.
The events should be forwarded to a Devo Relay within the same secure network as the XG Firewall to be identified, tagged, and forwarded securely to the Devo Cloud. This is done by setting up the Devo Relay as a remote syslog server in Sophos.
For information about sending events to Devo from Sophos UTM, see the firewall.sophos article.
The full tag must have at least four levels. The first three are fixed as firewall.sophos.xgfirewall. The fourth level identifies the log type and must be one of contentfiltering, event, firewall, systemhealth, or wirelessprotection.
Therefore, the valid tags include:
- firewall.sophos.xgfirewall.contentfiltering
- firewall.sophos.xgfirewall.event
- firewall.sophos.xgfirewall.firewall
- firewall.sophos.xgfirewall.systemhealth
- firewall.sophos.xgfirewall.wirelessprotection
The associated events will be saved in Devo in tables of the same names. In addition, a union table called firewall.sophos.xgfirewall will contain all of the events in the other tables.
For more information, read more about Devo tags.
Set up the Devo Relay rule
You will need to set up a type 4 relay rule that can identify the event's type by the source port that it was received on and by event content captured using a regular expression. The content captured is then used to build the correct Devo tag.
In Devo, go to Administration → Relays and select the relay to which you want to forward the events.
The relay must reside within the same secure network as your XG Firewall.
Click Add Rule. Enter the following details to set up the rule:
- Source Port → 13010 (the port number can be any free port on your relay)
- Source Data → log_type=\"([\w]+)\s*([\w]*)\"
- Target Tag → firewall.sophos.xgfirewall.\\D1.\\D2
- Select the Stop Processing and Sent without syslog tag checkboxes
Click Add Rule.
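The following Python script is an added example, not part of this Devo page or the relay itself: it applies the rule's Source Data regex and Target Tag template to a few constructed Sophos XG syslog lines so you can see which groups are captured and which tag results. The lowercase-and-join normalization used to compare against the five documented log types, and the sample lines, are assumptions of this example.

```python
import re

# Source Data regex and Target Tag template from the relay rule on this page.
# The page writes the quotes as \" inside the rule field and the placeholders as \\D1/\\D2;
# a Python raw string needs neither escape.
SOURCE_DATA = re.compile(r'log_type="(\w+)\s*(\w*)"')
TARGET_TAG = r"firewall.sophos.xgfirewall.\D1.\D2"

# Fourth-level log types this page documents as valid.
VALID_LOG_TYPES = {"contentfiltering", "event", "firewall", "systemhealth", "wirelessprotection"}

# Constructed sample lines in Sophos XG key=value syslog style (not captured from a real device).
SAMPLE_LINES = [
    'device="SFW" date=2024-05-01 time=09:15:02 device_name="XG-LAB" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" src_ip=10.0.0.5',
    'device="SFW" date=2024-05-01 time=09:15:03 device_name="XG-LAB" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied"',
    'device="SFW" date=2024-05-01 time=09:15:04 device_name="XG-LAB" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful"',
    'device="SFW" date=2024-05-01 time=09:15:05 device_name="XG-LAB" log_type="System Health" log_component="CPU" log_subtype="Usage"',
    'device="SFW" date=2024-05-01 time=09:15:06 device_name="XG-LAB" log_type="Heartbeat" log_component="Heartbeat" log_subtype="Heartbeat"',
    'May  1 09:15:07 XG-LAB kernel: a line with no log_type field at all',
]


def capture_groups(line):
    """Apply the rule's Source Data regex; return (D1, D2) or None when the line does not match."""
    m = SOURCE_DATA.search(line)
    return (m.group(1), m.group(2)) if m else None


def build_tag(line):
    """Substitute \\D1 and \\D2 into the Target Tag template by literal replacement.

    A one-word log_type such as "Event" leaves D2 empty, so the literal result ends in a dot;
    how the relay itself treats an empty capture is not covered by this page.
    """
    groups = capture_groups(line)
    if groups is None:
        return None
    d1, d2 = groups
    return TARGET_TAG.replace(r"\D1", d1).replace(r"\D2", d2)


def documented_log_type(line):
    """Assumption of this example: join the captured words and lowercase them
    ("Content Filtering" -> "contentfiltering") and check against the documented types."""
    groups = capture_groups(line)
    return groups is not None and "".join(groups).lower() in VALID_LOG_TYPES


def classify(lines):
    """Return ({tag: count} for lines of a documented type, number of lines that are not)."""
    counts, unmatched = {}, 0
    for line in lines:
        tag = build_tag(line)
        if tag is None or not documented_log_type(line):
            unmatched += 1
            continue
        counts[tag] = counts.get(tag, 0) + 1
    return counts, unmatched
```

Running `classify(SAMPLE_LINES)` shows the Heartbeat line and the line without a log_type field counted as unmatched, which is the kind of event you would look for in relay statistics when a documented table stays unexpectedly empty.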
Forward the events from XG Firewall to the Devo relay
With the relay ready to receive and process the XG Firewall events, you can start to forward them. To do so, set up your Devo Relay as a syslog server in XG Firewall.
See this Sophos Knowledge Base article for instructions. Just be sure to:
- Specify the correct IP address of the Devo relay and the same port you entered as the Source Port of the relay rule.
- Specify which logs you want to output to syslog in System Services → Log Settings.