Sophos

Background

The Sophos analysis App automatically collects, reads, parses, analyzes and reports on all machine-generated log data of the server, and presents a comprehensive set of graphs and reports for analyzing network and firewall data. Use the predefined set of dashboards and widgets to visualize and address IP distribution, traffic behavior, interface utilization and possible viruses within the network. This log analysis App helps you measure, troubleshoot and optimize your network's integrity, stability and quality with its visualization and investigation dashboards.

Steps:

The Sophos logging application is based on the logs forwarded from the Sophos console. To enable the application in XpoLog, do the following:

  • Create a TCP/UDP listener in your XpoLog environment.
  • In your Sophos console, configure it to send its logs as syslog to the listener configured in the previous step.
  • When adding or editing the Sophos log in XpoLog, it is mandatory to apply the correct log types:
    syslog, firewall, sophos
  • Once the required information is set, edit the log pattern. This step is crucial to the accuracy and deployment of the Sophos App. Use the following pattern for the Sophos log:
    XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Message_Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{properties:Record,keysSep==;propSep=space;,device#_#ftype=device#_#name=Device;date#_#ftype=date#_#name=Date;time#_#ftype=time#_#name=Time;timezone#_#ftype=timezone#_#name=Timezone;device_name#_#ftype=devname#_#name=Device_Name;device_id#_#ftype=devid#_#name=Device_ID;log_id#_#ftype=logid#_#name=Log_ID;log_type#_#ftype=type#_#name=Log_Type;log_component#_#ftype=component#_#name=Log_Component;log_subtype#_#ftype=subtype#_#name=Log_Subtype;status#_#ftype=status#_#name=Status;priority#_#ftype=priority#_#name=Priority;duration#_#ftype=duration#_#name=Duration;fw_rule_id#_#ftype=fwruleid#_#name=FW_rule_id;policy_type#_#ftype=policytype#_#name=Policy_type;user_name#_#ftype=username#_#name=Username;user_gp#_#ftype=usergroup#_#name=User_gp;iap#_#ftype=iap#_#name=iap;ips_policy_id#_#ftype=ips_policy_id#_#name=ips_policy_id;appfilter_policy_id#_#ftype=appfilter_policy_id#_#name=appfilter_policy_id;application#_#ftype=app#_#name=Application;application_risk#_#ftype=apprisk#_#name=Application_risk;application_technology#_#ftype=apptech#_#name=Application_technology;application_category#_#ftype=appcat#_#name=Application_category;in_interface#_#ftype=srcintf#_#name=in_interface;out_interface#_#ftype=dstintf#_#name=out_interface;src_mac#_#ftype=srcmac#_#name=Src_mac;src_ip|sourceip#_#ftype=sourceip#_#name=SRC-IP;src_country_code#_#ftype=srccountry#_#name=SrcCountry_code;dst_ip|destinationip#_#ftype=targetip#_#name=DST-IP;dst_country_code#_#ftype=dstcountry#_#name=DstCountry_code;protocol#_#ftype=proto#_#name=Protocol;src_port#_#ftype=sourceport#_#name=SRC-Port;dst_port#_#ftype=targetport#_#name=DST-Port;sent_pkts#_#ftype=sentpkt#_#name=Sent_pkts;recv_pkts#_#ftype=rcvdpkt#_#name=Recv_pkts;sent_bytes#_#ftype=bytessent#_#name=Sent_Bytes;recv_bytes#_#ftype=bytesreceived#_#name=Recv_Bytes;tran_src_ip#_#ftype=transrcip#_#name=Tran_src_ip;tran_src_port#_#ftype=transrcip#_#name=Tran_src_port;tran_dst_ip#_#ftype=trandstip#_#name=Tran_dst_ip;tran_dst_port#_#ftype=trandstip#_#name=Tran_dst_port;srczonetype#_#ftype=srczonetype#_#name=srczonetype;srczone#_#ftype=srczone#_#name=srczone;dstzonetype#_#ftype=dstzonetype#_#name=dstzonetype;dstzone#_#ftype=dstzone#_#name=dstzone;dir_disp#_#ftype=dirdisp#_#name=dir_disp;connevent#_#ftype=connevent#_#name=Connevent;connid#_#ftype=connid#_#name=connid;vconnid#_#ftype=vconnid#_#name=vconnid;hb_health#_#ftype=hb_health#_#name=HB_health;message#_#ftype=message#_#name=Message;appresolvedby#_#ftype=appresolvedby#_#name=Appresolvedby;category#_#ftype=category#_#name=Category;category_type#_#ftype=appcattype#_#name=Category_type;url#_#ftype=requrl#_#name=URL;contenttype#_#ftype=contenttype#_#name=contenttype;override_token#_#ftype=overridetoken#_#name=override_token;httpresponsecode#_#ftype=httpresponsecode#_#name=httpresponsecode;domain#_#ftype=domain#_#name=Domain;exceptions#_#ftype=exceptions#_#name=Exceptions;activityname#_#ftype=activityname#_#name=Activityname;reason#_#ftype=reason#_#name=Reason;user_agent#_#ftype=useragent#_#name=User_Agent;status_code#_#ftype=respstatus#_#name=Status_code;transactionid#_#ftype=transactionid#_#name=transactionid;referer#_#ftype=referer#_#name=Referer;icmp_type#_#ftype=icmptype#_#name=icmp_type;icmp_code#_#ftype=icmpcode#_#name=icmp_code;version#_#ftype=version#_#name=Version;culture#_#ftype=culture#_#name=Culture;publickeytoken#_#ftype=publickeytoken#_#name=publickeytoken;application_filter_policy#_#ftype=appfilter#_#name=Application_filter_policy;application_name#_#ftype=appname#_#name=Application_name;threatname#_#ftype=threatname#_#name=threatname;eventid#_#ftype=eventid#_#name=eventid;eventtype#_#ftype=eventtype#_#name=EventType;login_user#_#ftype=loginuser#_#name=login user;process_user#_#ftype=processuser#_#name=processuser;ep_uuid#_#ftype=epuuid#_#name=ep_uuid;execution_path#_#ftype=executionpath#_#name=execution_path;}
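The heart of the pattern above is the {properties:Record,keysSep==;propSep=space} block: the Sophos record is a run of space-separated key=value pairs, some values are double-quoted and may contain spaces, and unset fields arrive as a bare "key=" with nothing after it. The following Python script is an added example, not XpoLog's parser and not code from Sophos; it parses such records the same way, renames a handful of keys to the display names used in the pattern (SRC-IP, DST-Port, Sent_Bytes and so on), and then answers two of the questions the dashboards answer: denied connections per source and bytes per source. The three log lines are constructed in the Sophos XG/SFOS key=value style for illustration and were not captured from a real device.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records in the Sophos XG/SFOS key=value style (illustrative, not real device output).
SAMPLE_LINES = [
    'device="SFW" date=2017-01-31 time=18:03:56 timezone="IST" device_name="SG230" '
    'device_id=C1234567890 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=2 '
    'in_interface="Port1" out_interface="Port2" src_ip=10.1.1.5 src_country_code= '
    'dst_ip=198.51.100.10 dst_country_code=USA protocol="UDP" src_port=49843 dst_port=53 '
    'sent_pkts=1 recv_pkts=1 sent_bytes=74 recv_bytes=90 message=""',
    'device="SFW" date=2017-01-31 time=18:04:02 timezone="IST" device_name="SG230" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'fw_rule_id=2 src_ip=10.1.1.5 dst_ip=203.0.113.8 protocol="TCP" src_port=50211 dst_port=443 '
    'sent_pkts=12 recv_pkts=15 sent_bytes=1200 recv_bytes=8450 message=""',
    'device="SFW" date=2017-01-31 time=18:04:09 timezone="IST" device_name="SG230" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" '
    'fw_rule_id=0 src_ip=192.0.2.77 src_country_code= dst_ip=10.1.1.20 protocol="TCP" '
    'src_port=41000 dst_port=3389 sent_pkts=1 recv_pkts=0 sent_bytes=0 recv_bytes=0 '
    'message="Dropped by default policy"',
]

# Subset of the key -> display-name mapping declared in the XpoLog pattern on this page.
FIELD_NAMES = {
    "log_type": "Log_Type", "log_component": "Log_Component", "log_subtype": "Log_Subtype",
    "status": "Status", "fw_rule_id": "FW_rule_id", "src_ip": "SRC-IP", "dst_ip": "DST-IP",
    "src_port": "SRC-Port", "dst_port": "DST-Port", "protocol": "Protocol",
    "sent_bytes": "Sent_Bytes", "recv_bytes": "Recv_Bytes", "message": "Message",
}

# A key must start a token (no preceding non-space); the value is either a double-quoted
# string (spaces allowed) or a run of non-space characters, possibly empty for "key=".
KV_RE = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S*)')


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one record as a dict with quotes stripped.

    A syslog header in front of the first pair carries no key=value token and is
    therefore ignored; an unset field such as src_country_code= maps to ''.
    """
    record: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def to_display_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Rename keys to the pattern's display names; unmapped keys keep their raw name."""
    return {FIELD_NAMES.get(key, key): value for key, value in record.items()}


def parse_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse every non-empty line into a display-named record."""
    return [to_display_fields(parse_record(line)) for line in lines if line.strip()]


def denied_by_source(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count connections the firewall denied or dropped, keyed by source IP."""
    hits = Counter(
        rec["SRC-IP"] for rec in records
        if rec.get("Status", "").lower() in {"deny", "drop"} and rec.get("SRC-IP")
    )
    return dict(hits)


def bytes_by_source(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Sum sent + received bytes per source IP; missing or empty byte fields count as 0."""
    totals: Counter = Counter()
    for rec in records:
        src = rec.get("SRC-IP")
        if not src:
            continue
        totals[src] += int(rec.get("Sent_Bytes") or 0) + int(rec.get("Recv_Bytes") or 0)
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for rec in parsed:
        print(rec["Log_Subtype"], rec["SRC-IP"], "->", rec["DST-IP"], rec["DST-Port"], rec["Message"])
    print("denied:", denied_by_source(parsed))
    print("bytes:", bytes_by_source(parsed))
```

Feeding the script a file of forwarded records instead of SAMPLE_LINES is a quick way to confirm, before the pattern is applied in XpoLog, that the device really emits the key=value layout the pattern expects and that quoted messages are not being split on spaces.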