Collect Sophos UTM logs
This document describes how you can collect Sophos UTM logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SOPHOS_UTM ingestion label.
Configure Sophos UTM
- Sign in to the Sophos UTM console using administrator credentials.
- Select Logging & reporting > Log settings. The Local logging tab is enabled by default.
- Click the Remote syslog server tab.
- Click the toggle button to enable the Remote syslog server tab.
- In the Remote syslog settings section, in the Syslog servers field, add or modify the syslog server settings:
  - To add the syslog server settings, click + Add syslog server. In the Add syslog server dialog, do the following:
    - In the Name field, enter the syslog server name.
    - In the Server field, enter the syslog server details.
    - In the Port field, enter the syslog server port details.
    - Click Save.
  - To modify the syslog server settings, click Edit, and then update the settings.
- In the Remote syslog buffer field, enter the default value, such as 1000.
- In the Remote syslog log selection section, select the following logs that must be sent to the remote syslog server:
  - Advanced threat protection
  - Configuration daemon
  - Firewall
  - Intrusion prevention system
  - Local logins
  - Logging subsystem
  - System messages
  - User authentication daemon
  - Web filtering
- Click Apply to save the changes.
Configure Google Security Operations forwarder to ingest Sophos UTM logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Sophos UTM as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
  - Protocol: specify the connection protocol the collector will use to listen for syslog data.
  - Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
  - Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation.
For information about requirements for each forwarder type, see Forwarder configuration by type.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This Sophos UTM parser extracts key-value pairs and other fields from Sophos UTM firewall logs, converting them into UDM format. It handles various log types, including firewall events, DHCP events, and user login/logout events, mapping relevant fields to their corresponding UDM counterparts and enriching the data with additional context.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
action | security_result.action | If action is "pass" or "accept", map to "ALLOW". If action is "drop", map to "BLOCK". |
ad_domain | target.administrative_domain | Direct mapping. |
address | target.ip, target.asset.ip | Direct mapping, used when id is "2203". |
app | target.application | Direct mapping. |
app-id | additional.fields[].key, additional.fields[].value.string_value | Renamed to app_id. If not empty, the key is set to "app-id" and the value is the app-id itself. |
application | principal.application | Direct mapping. |
aptptime | additional.fields[].key, additional.fields[].value.string_value | If not empty, the key is set to "aptptime" and the value is the aptptime itself. |
auth | extensions.auth.auth_details | Direct mapping. |
authtime | additional.fields[].key, additional.fields[].value.string_value | If not empty and not "0", the key is set to "authtime" and the value is the authtime itself. |
avscantime | additional.fields[].key, additional.fields[].value.string_value | If not empty and not "0", the key is set to "avscantime" and the value is the avscantime itself. |
category | security_result.detection_fields[].key, security_result.detection_fields[].value | If not empty, the key is set to "category" and the value is the category itself. If name contains "portscan", security_result.category is set to "NETWORK_RECON" and a detection field with key "category" and value "NETWORK_RECON" is added. |
categoryname | security_result.category_details | Direct mapping. |
connection | security_result.rule_name | Direct mapping, used when id is "2203". |
content-type data | (See other fields) | The data field contains key-value pairs that are parsed into individual fields. |
datetime | metadata.event_timestamp | Parsed and mapped as seconds since epoch. |
device | additional.fields[].key, additional.fields[].value.string_value | If not empty and not "0", the key is set to "device" and the value is the device itself. |
dnstime | additional.fields[].key, additional.fields[].value.string_value | If not empty and not "0", the key is set to "dnstime" and the value is the dnstime itself. |
dstip | target.ip, target.asset.ip | Direct mapping. Also extracted from the url field if present. |
dstmac | target.mac | Direct mapping. |
dstport | target.port | Direct mapping, converted to integer. |
error event | security_result.summary | Direct mapping, used when id is "2201", "2202", or "2203". |
exceptions | additional.fields[].key, additional.fields[].value.string_value | If not empty, the key is set to "exceptions" and the value is the exceptions itself. |
file | about.file.full_path | Direct mapping. |
filteraction | security_result.rule_name | Direct mapping. |
fullreqtime | additional.fields[].key, additional.fields[].value.string_value | If not empty, the key is set to "fullreqtime" and the value is the fullreqtime itself. |
fwrule | security_result.rule_id | Direct mapping. |
group | target.group.group_display_name | Direct mapping. |
id | metadata.product_log_id | Direct mapping. |
info | security_result.description | Direct mapping. If present, metadata.event_type is set to "NETWORK_UNCATEGORIZED". |
initf interface | security_result.about.labels[].key, security_result.about.labels[].value | If not empty, a label with key "Interface" and value interface is added to security_result.about.labels. |
ip_address | target.ip, target.asset.ip | Direct mapping. |
length line message | security_result.summary | Used when id is "0003". Also used for general grok parsing. |
method | network.http.method | Direct mapping. |
name | security_result.summary | Direct mapping. |
outitf pid | target.process.pid | Direct mapping. |
port | target.port | Direct mapping, converted to integer. |
prec profile | security_result.rule_name | Direct mapping. |
proto | network.ip_protocol | Converted to IP protocol name using a lookup table. |
reason referer | network.http.referral_url | Direct mapping. |
request | additional.fields[].key, additional.fields[].value.string_value | If not empty, the key is set to "request" and the value is the request itself. |
reputation | additional.fields[].key, additional.fields[].value.string_value | If not empty, the key is set to "reputation" and the value is the reputation itself. |
rx | network.received_bytes | Direct mapping, used when id is "2202", converted to unsigned integer. |
sandbox severity | security_result.severity | If severity is "info", map to "LOW". |
size | target.file.size | Direct mapping, converted to unsigned integer. |
srcip | principal.ip, principal.asset.ip | Direct mapping. |
srcmac | principal.mac | Direct mapping. |
srcport | principal.port | Direct mapping, converted to integer. |
statuscode | network.http.response_code | Direct mapping, converted to integer. |
sub | network.application_protocol | If sub is "http", metadata.event_type is set to "NETWORK_HTTP" and network.application_protocol is set to "HTTP". If sub is "packetfilter", metadata.description is set to sub. Otherwise, converted to application protocol name using a lookup table. If no match is found in the lookup table, the dstport is used for the lookup. |
sys | metadata.product_event_type | Direct mapping. |
tcpflags tos ttl tx | network.sent_bytes | Direct mapping, used when id is "2202", converted to unsigned integer. |
ua | network.http.user_agent | Direct mapping. |
url | network.http.referral_url, target.hostname, target.asset.hostname | Direct mapping for network.http.referral_url. Extracted hostname for target.hostname and target.asset.hostname. Also used to extract dstip. |
user | target.user.userid | Direct mapping. |
username | target.user.userid | Direct mapping, used when id is "2201" or "2202". |
variant | Not included in final UDM, but used in description | Used in conjunction with sub to create the security_result.description when id is "2201", "2202", or "2203". |
virtual_ip | target.ip, target.asset.ip | Direct mapping, used when id is "2201" or "2202". |
metadata.event_type | metadata.event_type | Initialized to "GENERIC_EVENT". Set to specific values based on log content and parser logic. |
metadata.log_type | metadata.log_type | Hardcoded to "SOPHOS_UTM". |
metadata.product_name | metadata.product_name | Hardcoded to "SOPHOS UTM". |
metadata.vendor_name | metadata.vendor_name | Hardcoded to "SOPHOS Ltd". |
intermediary.hostname | intermediary.hostname | Extracted from the log message using grok and renamed. |
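To make the mapping rules in the table concrete, here is an added Python example (not the Google SecOps parser's own code) that reads a constructed Sophos UTM packet-filter line and applies a subset of the documented mappings: the action, severity, name, sub, proto, IP and port rules plus the hardcoded metadata. The sample line and the shortened IP protocol lookup table are assumptions.

```python
import re

# Constructed sample line in the Sophos UTM packet-filter format (not a real capture).
SAMPLE_LOG = (
    'id="2001" severity="info" sub="packetfilter" name="Packet dropped" action="drop" '
    'srcip="10.0.0.5" dstip="203.0.113.9" proto="6" srcport="51234" dstport="22"'
)

KV_RE = re.compile(r'(\S+?)="([^"]*)"')
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}   # assumed subset of the proto lookup table
ACTION_MAP = {"pass": "ALLOW", "accept": "ALLOW", "drop": "BLOCK"}


def parse_kv(line):
    """Extract key="value" pairs from a Sophos UTM syslog message body."""
    return dict(KV_RE.findall(line))


def to_udm(line):
    """Apply a subset of the documented SOPHOS_UTM mapping rules to one log line."""
    f = parse_kv(line)
    udm = {
        "metadata": {"event_type": "GENERIC_EVENT", "log_type": "SOPHOS_UTM",
                     "product_name": "SOPHOS UTM", "vendor_name": "SOPHOS Ltd"},
        "principal": {}, "target": {}, "network": {}, "security_result": {},
    }
    md, sr = udm["metadata"], udm["security_result"]
    if f.get("id"):
        md["product_log_id"] = f["id"]
    if f.get("action") in ACTION_MAP:        # pass/accept -> ALLOW, drop -> BLOCK
        sr["action"] = ACTION_MAP[f["action"]]
    if f.get("severity") == "info":
        sr["severity"] = "LOW"
    if f.get("name"):
        sr["summary"] = f["name"]
        if "portscan" in f["name"]:          # portscan names are classed as recon
            sr["category"] = "NETWORK_RECON"
    if f.get("sub") == "http":               # HTTP events get a specific event type
        md["event_type"] = "NETWORK_HTTP"
        udm["network"]["application_protocol"] = "HTTP"
    elif f.get("sub") == "packetfilter":
        md["description"] = f["sub"]
    for key, side, field in (("srcip", "principal", "ip"), ("dstip", "target", "ip"),
                             ("srcport", "principal", "port"), ("dstport", "target", "port")):
        if f.get(key):
            udm[side][field] = int(f[key]) if field == "port" else f[key]  # ports -> int
    if f.get("proto") in IP_PROTO:
        udm["network"]["ip_protocol"] = IP_PROTO[f["proto"]]
    return udm
```

Running `to_udm(SAMPLE_LOG)` yields a BLOCK action with LOW severity, a packetfilter description and the default GENERIC_EVENT type, which is a quick way to check a parser change against the table before shipping it.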