This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Syslog-NG patternDB for Sophos Firewall

I'm currently trying to create a Pattern for the Firewall log of our Sophos Firewall.

I came up with this:

<ruleset name="sophos" id='10001'>
<pattern></pattern>
<rules>
    <rule provider="doesntmatter" class='10001' id='10001'>
        <patterns>
            <pattern>@ESTRING::action=@"@ESTRING:s0:@" fwrule="@NUMBER:i0:@" @ESTRING::srcip=@"@IPv4:i1:@" dstip="@IPv4:i2:@" @ESTRING::srcport@"@NUMBER:i3:@" dstport="@NUMBER:i4:@"</pattern>
        </patterns>
    </rule>
</rules>

The example message I'm using is:

05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="*A MAC*" dstmac="*A MAC*" srcip="*IP*" dstip="*IP*" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"

I try matching it with pdbtool.TellTheBell This is the output:

Missing ESTRING parser parameters; type='ESTRING'
MESSAGE=05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id=2001 severity=info sys=SecureNet sub=packetfilter name=Packet
.classifier.class=unknown
TAGS=.classifier.unknown

This thread was automatically locked due to age.

0 Yashraj S over 5 years ago

Hi Evan Joan

This seems to be related to Sophos XG firewall. I would request you to subscribe to the Sophos XG Firewall Community group so that I can move it to the appropriate group.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel