XG210 logs are not recognized by McAfee SIEM

I would like to ask if anyone has successfully had McAfee ESM (SIEM) get logs from an XG210. What should the Data Source Model and Data Format be?

My situation is ESM gets logs from XG210 but as "Unknown Event".

ESM: V10.3

XG210: AP Firmware 11.0

  • Hi,

    what version of XG are you running?

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    My XG210 version is 17.0.5 MR-5.

    Another Sophos SG210 has version 9.354-4; it fits perfectly in SIEM.

    I compared both logs; the format is different. I'm wondering if the format for XG210 is even supported by SIEM, and if so, what the Model and Format should be.

    SG210:  

    <30>2018:07:06-12:25:15 xxx_xxxx httpproxy[29219]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="x.x.x.x" dstip="x.x.x.x" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo5 MegaBranch_WebFilterPolicy)" filteraction="REF_HttCffMegabank (megabank)" size="6801" request="0x19768000" url="https://ad.aminopay.net/" referer="" error="" authtime="0" dnstime="1121" cattime="110" avscantime="0" fullreqtime="60273211" device="0" auth="0" ua="" exceptions="" category="177" reputation="neutral" categoryname="Content Server"


    XG210:

    <182>device="SFW" date=2018-07-06 time=22:16:46 timezone="CST" device_name="XG210" device_id=xxxxxxxxx log_id=01010111101 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 policy_type=1 user_name="" user_gp="" iap=14 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="LACP01.32" out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip=x.x.x.x src_country_code=R1 dst_ip=x.x.x.x dst_country_code=SGP protocol="TCP" src_port=50562 dst_port=80 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=x.x.x.x  tran_dst_port=3128 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="11111111" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"


    Your thoughts?

    Thanks

    Jim
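The two lines quoted in this post differ in header shape, not just in field names: the SG/UTM 9 line carries a classic syslog header (timestamp, host, program[pid]) before its key="value" body, while the XG line puts bare and quoted key=value pairs straight after the PRI. The following is an added example, not code from the thread, from McAfee or from Sophos: a small parser that recognizes both shapes, shows why a parser that only knows the UTM 9 header produces nothing usable for the XG line, and maps the two different key names for source, destination, action and user onto one record. The sample lines are trimmed copies of the two above with the masked values kept; the format labels and the field mapping are this example's own assumptions.

```python
"""
Added example (not from the thread, McAfee or Sophos): parse the two Sophos
syslog shapes quoted above and show why a parser written for one of them
yields nothing usable ("Unknown Event") for the other.
"""
import re
from typing import Dict, Optional

# Constructed sample lines, trimmed from the two posted above (masked values kept).
SG_LINE = (
    '<30>2018:07:06-12:25:15 xxx_xxxx httpproxy[29219]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="x.x.x.x" dstip="x.x.x.x" user="" statuscode="200" '
    'profile="REF_HttProContaInterNetwo5 MegaBranch_WebFilterPolicy)" '
    'url="https://ad.aminopay.net/"'
)
XG_LINE = (
    '<182>device="SFW" date=2018-07-06 time=22:16:46 timezone="CST" device_name="XG210" '
    'device_id=xxxxxxxxx log_id=01010111101 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 '
    'user_name="" src_mac=00: 0:00: 0:00: 0 src_ip=x.x.x.x dst_ip=x.x.x.x protocol="TCP" '
    'src_port=50562 dst_port=80 sent_pkts=0  recv_pkts=0 tran_src_ip= tran_src_port=0 '
    'connevent="Start" message="" appresolvedby="Signature"'
)

# <PRI> prefix shared by both formats; PRI = facility * 8 + severity.
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$', re.S)
# UTM 9 header: "timestamp host program[pid]: " before the key="value" body.
SG_HDR_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$', re.S)
# key=value pairs with the value either double-quoted or bare. A bare value runs until
# the next " key=" boundary, so XG's space-laden src_mac and the empty tran_src_ip= survive.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))(?=\s+\w+=|\s*$)')


def parse_kv(body: str) -> Dict[str, str]:
    """Split a key=value body into a dict; quoted and bare values are both accepted."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        quoted, bare = m.group('quoted'), m.group('bare')
        fields[m.group('key')] = quoted if quoted is not None else bare
    return fields


def parse_sophos(line: str) -> Dict[str, object]:
    """Detect the format from the header shape and return a record with a 'fields' dict."""
    m = PRI_RE.match(line)
    if not m:
        return {'format': 'unknown', 'fields': {}}
    pri = int(m.group('pri'))
    rest = m.group('rest')
    record: Dict[str, object] = {'pri': pri, 'facility': pri >> 3, 'severity': pri & 7}
    if re.match(r'\w+=', rest):             # XG: key=value starts right after <PRI>
        record['format'] = 'xg-sfos'
        record['fields'] = parse_kv(rest)
        return record
    h = SG_HDR_RE.match(rest)
    if h:                                   # SG/UTM 9: classic syslog header first
        record['format'] = 'sg-utm9'
        record.update(ts=h.group('ts'), host=h.group('host'),
                      prog=h.group('prog'), pid=h.group('pid'))
        record['fields'] = parse_kv(h.group('body'))
        return record
    record['format'] = 'unknown'
    record['fields'] = {}
    return record


def parse_as_utm9(line: str) -> Optional[Dict[str, str]]:
    """A parser that only knows the UTM 9 header. Anything else comes back as None,
    which is the behaviour behind an 'Unknown Event' in a SIEM."""
    m = PRI_RE.match(line)
    h = SG_HDR_RE.match(m.group('rest')) if m else None
    return parse_kv(h.group('body')) if h else None


# Common event fields mapped to each format's own key names (assumed mapping).
FIELD_MAP = {
    'sg-utm9': {'src_ip': 'srcip', 'dst_ip': 'dstip', 'action': 'action', 'user': 'user'},
    'xg-sfos': {'src_ip': 'src_ip', 'dst_ip': 'dst_ip', 'action': 'status', 'user': 'user_name'},
}


def normalize(record: Dict[str, object]) -> Optional[Dict[str, Optional[str]]]:
    """Project a parsed record onto the common field names; None for unknown formats."""
    fmap = FIELD_MAP.get(str(record['format']))
    if fmap is None:
        return None
    fields = record['fields']
    assert isinstance(fields, dict)
    return {common: fields.get(own) for common, own in fmap.items()}


if __name__ == '__main__':
    for line in (SG_LINE, XG_LINE):
        rec = parse_sophos(line)
        print(rec['format'], normalize(rec))
        print('  UTM9-only parser:', 'parsed' if parse_as_utm9(line) else 'Unknown Event')
```

Run as a script, the SG line is parsed by both parsers, while the XG line is parsed only by the format-detecting one and comes back as "Unknown Event" from the UTM 9-only parser. The bare-value handling matters for XG: a tokenizer that splits on whitespace would break the `src_mac` value into fragments and drop the empty `tran_src_ip=`.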

  • In reply to jimlin90 Jim Lin:

    @jimlin90 

    Yes, the logs are completely different between UTM 9.x and XG. Looking at the McAfee ESM Supported Device list, here is what it states about Sophos firewalls:

    UTM and Next-Gen Firewall UTM/Firewall 9.1 ASP Syslog 9.4.0 and above

    The way I read this is that the parser only supports Sophos UTM version 9.x and not Sophos XG.

    Looking at the McAfee ESM Supported Device list, I found this entry:

    Cyberoam Cyberoam UTM and NGFW UTM/Firewall 10.0 and above ASP Syslog 9.2 and above

    Now, since XG has some heritage from Cyberoam, you can try using the Cyberoam parser to see what is parsed, if anything. If this also fails, I would open a support case to request support for this device and lean on your SAM. Of course, this all depends on whether you have Gold or Platinum Support with McAfee.

    Hope this helps

    -Ron

  • In reply to rrosson:

    Hi Ron,

    I tried Cyberoam UTM and NGFW UTM; it looks fine so far.

    Thank you for your great help!

    I will also raise this case with McAfee to get XG supported.

    Have a good day.

    Jim