
New log parser Sophos Firewall #1665

Closed satellite-no closed 1 year ago

satellite-no commented 2 years ago

Please add a new log parser for Sophos Firewall data.

TA: https://splunkbase.splunk.com/app/6187/ Sourcetypes:

<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4203AY8GXPYJ21 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=25 fw_rule_id=2 nat_rule_id=0 policy_type=1 user_name="" user_gp="" iap=15 ips_policy_id=1 appfilter_policy_id=0 application="Secure Socket Layer Protocol" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac=00:56:2B:8B:10:70 dst_mac=00:EA:BD:05:39:BD src_ip=172.24.96.104 src_country_code=R1 dst_ip=65.23.17.9 dst_country_code=USA protocol="TCP" src_port=59163 dst_port=443 sent_pkts=7  recv_pkts=7 sent_bytes=883 recv_bytes=4720 tran_src_ip= tran_src_port=0 tran_dst_ip=172.24.99.169 tran_dst_port=3128 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1952866304" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4203AY8GXPYJ21 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=136 fw_rule_id=2 nat_rule_id=0 policy_type=1 user_name="" user_gp="" iap=15 ips_policy_id=1 appfilter_policy_id=0 application="MSN" application_risk=3 application_technology="Browser Based" application_category="General Internet" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac=00:56:2B:8B:10:70 dst_mac=00:EA:BD:05:39:BD src_ip=10.41.254.203 src_country_code=R1 dst_ip=205.39.17.23 dst_country_code=USA protocol="TCP" src_port=59932 dst_port=443 sent_pkts=18  recv_pkts=16 sent_bytes=2422 recv_bytes=9586 tran_src_ip= tran_src_port=0 tran_dst_ip=172.24.99.169 tran_dst_port=3128 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2108879552" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
<30>device="SFW" date=2022-04-25 time=15:27:08 timezone="CDT" device_name="XG430" device_id=C4207AY8QXPYJ2E log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=15 category="Search Engines" category_type="Acceptable" url="https://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.1.24.13 dst_ip=216.239.38.120 protocol="TCP" src_port=58562 dst_port=443 sent_bytes=591 recv_bytes=4428 domain=www.google.com exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=2491244032 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"
satellite-no commented 2 years ago

@rjha-splunk Here is a sample parser we came up with for Sophos logs, in case it helps. Apologies for not having more sample logs; since this is a firewall, the volume grows very quickly before more sourcetypes come in.

# Sophos Firewall XG Parser

block parser sophos_firewall_xg-parser() {
    channel {
        # Baseline destination for every event routed here. The conditional
        # rewrites further down refine sourcetype/class per log_type; an event
        # whose log_type matches none of them keeps sourcetype 'sophos:xg:logs'.
        rewrite {
            r_set_splunk_dest_default(
                index('firewall')
                sourcetype('sophos:xg:logs')
                vendor('sophos')
                product('xg')
                class('logs')
                template('t_msg_only')
            );
        };

        # Each rewrite below fires only when the message contains the full
        # log_type="<value>" pair. The closing quote is part of the match, so a
        # value that merely starts with the same text (e.g. "SSL" vs. a longer
        # name beginning with SSL) does not satisfy the substring test.

        # log_type="ATP" -> sophos:xg:atp
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:atp')
                class('atp')
                condition(message('log_type="ATP"' type(string) flags(substring)))
            );
        };

        # log_type="Anti-Spam" -> sophos:xg:anti_spam
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:anti_spam')
                class('anti_spam')
                condition(message('log_type="Anti-Spam"' type(string) flags(substring)))
            );
        };

        # log_type="Anti-Virus" -> sophos:xg:anti_virus
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:anti_virus')
                class('anti_virus')
                condition(message('log_type="Anti-Virus"' type(string) flags(substring)))
            );
        };

        # log_type="Content Filtering" -> sophos:xg:content_filtering
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:content_filtering')
                class('content_filtering')
                condition(message('log_type="Content Filtering"' type(string) flags(substring)))
            );
        };

        # log_type="Event" -> sophos:xg:event
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:event')
                class('event')
                condition(message('log_type="Event"' type(string) flags(substring)))
            );
        };

        # log_type="Firewall" -> sophos:xg:firewall
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:firewall')
                class('firewall')
                condition(message('log_type="Firewall"' type(string) flags(substring)))
            );
        };

        # log_type="SSL" -> sophos:xg:ssl
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:ssl')
                class('ssl')
                condition(message('log_type="SSL"' type(string) flags(substring)))
            );
        };

        # log_type="Sandbox" -> sophos:xg:sandbox
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:sandbox')
                class('sandbox')
                condition(message('log_type="Sandbox"' type(string) flags(substring)))
            );
        };

        # log_type="System Health" -> sophos:xg:system_health
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:system_health')
                class('system_health')
                condition(message('log_type="System Health"' type(string) flags(substring)))
            );
        };

        # log_type="Heartbeat" -> sophos:xg:heartbeat
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:heartbeat')
                class('heartbeat')
                condition(message('log_type="Heartbeat"' type(string) flags(substring)))
            );
        };

        # log_type="WAF" -> sophos:xg:waf
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:waf')
                class('waf')
                condition(message('log_type="WAF"' type(string) flags(substring)))
            );
        };

        # log_type="Wireless Protection" -> sophos:xg:wireless_protection
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:wireless_protection')
                class('wireless_protection')
                condition(message('log_type="Wireless Protection"' type(string) flags(substring)))
            );
        };

        # log_type="IDP" -> sophos:xg:idp
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('sophos:xg:idp')
                class('idp')
                condition(message('log_type="IDP"' type(string) flags(substring)))
            );
        };
    };
};

application sophos_firewall_xg[sc4s-syslog] {
    # Select events for the Sophos XG parser: the message must carry both the
    # device="SFW" marker and a log_type= key.
    filter {
        (
            message("device=\"SFW\"" type(string) flags(substring))
            and message("log_type=" type(string) flags(substring))
        );
    };
    # NOTE(review): both tests are substring matches, so any event that merely
    # contains these two fragments anywhere in its body (for example a log
    # forwarded or quoted by another system) would also be routed here. The
    # samples in this issue begin with device="SFW" right after the PRI, so an
    # anchored/prefix match may be stricter — confirm against real traffic
    # before tightening.
    parser { sophos_firewall_xg-parser(); };
};
rjha-splunk commented 2 years ago

Thank you so much for providing it. I will write a test case and release it after analysis this week. FYI @nandinivij @mkarlstrand-splunk @satellite-no