Sample of syslog messages for Sophos Firewall

Good afternoon,

Can you tell me where I can find example messages for syslog? In the documentation below, the table with examples is empty.

Or is it necessary to use the legacy option in this case?
Any suggestions on where they can be found are welcome.

Thank you in advance
Eugene

https://doc.sophos.com/nsg/sophos-firewall/19.5/PDF/SF-syslog-guide-19.5.pdf

https://doc.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf

Sample logs
Message ID Log
17701
17702
17704
17705
17706
17707
17708
177



This thread was automatically locked due to age.
  • Hello,

    Thank you for reaching out to the community. Those are basically authentication Message IDs; a few examples for the mentioned Message ID logs are as follows:

    17701
    device="SFW" date=2017-01-31 time=18:13:38 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="gaurav" usergroupname="Open Group" auth_client="Web Client" auth_mechanism="Local" reason="" src_ip=10.198.47.71 message="User gaurav of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.198.47.71" name="gaurav" src_mac=

    17707
    device="SFW" date=2017-03-15 time=14:33:37 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=063010617707 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="gaurav" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=10.198.233.49 message="User gaurav logged in successfully to L2TP through Local authentication mechanism" name="" src_mac=

    Likewise, you'll see the following message IDs:

    17702 - User failed to sign in to firewall
    17704 - User logged in successfully to My Account
    17705 - User failed to sign in to My Account
    17706 - User logged out from Account
    17708 - User failed to sign in to VPN
    17709 - User logged out from VPN
    17710 - User logged in successfully to SSL VPN
    17711 - User failed to sign in to SSL VPN
    17712 - User logged out from SSL VPN
    17713 - User logged in using dial-in
    17714 - User failed to sign in using dial-in
    17715 - User logged out of dial-in
    17945 - Received challenge from <Auth mech> server via <Client type>
    17946 - Received challenge from <Auth mech> server via <Client type>
    17947 - Received challenge from <Auth mech> server via <Client type>
    17968 - connection to ADS/LDAPS <server ip/fqdn> failed because <reason>

    I think this covers all the empty ones.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 
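
An added example, not part of the original thread and not Sophos code: a small parser for the key=value layout of the two sample lines above (which a later reply identifies as the Device Standard Format (Legacy)) that counts failed sign-ins using the message IDs listed in the reply. It assumes the message ID is the last five digits of log_id, as in both samples; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# A value is either double-quoted (may contain spaces) or a bare token (may be empty).
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Failed sign-in message IDs, from the list in the reply above.
FAILED_SIGNIN = {"17702": "Firewall", "17705": "My Account", "17708": "VPN",
                 "17711": "SSL VPN", "17714": "dial-in"}

def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def message_id(fields):
    # Assumption: the message ID is the last five digits of log_id, as in
    # both samples in the thread (log_id=062910617701 for message ID 17701).
    return fields.get("log_id", "")[-5:]

def failed_signins(lines):
    """Count failed sign-ins per (service, user_name, src_ip)."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        service = FAILED_SIGNIN.get(message_id(fields))
        if service:
            key = (service, fields.get("user_name", ""), fields.get("src_ip", ""))
            counts[key] += 1
    return counts

# Constructed sample lines: same field layout as the thread's samples, with
# made-up users, documentation-range IPs and log_id values built by analogy.
SAMPLE = [
    'device="SFW" date=2017-01-31 time=18:13:38 log_id=062910617701 status="Successful" '
    'user_name="alice" src_ip=192.0.2.10 message="User alice logged in successfully" src_mac=',
    'device="SFW" date=2017-01-31 time=18:14:02 log_id=062910617702 status="Failed" '
    'user_name="bob" src_ip=198.51.100.7 message="User bob failed to login" src_mac=',
    'device="SFW" date=2017-01-31 time=18:14:09 log_id=062910617702 status="Failed" '
    'user_name="bob" src_ip=198.51.100.7 message="User bob failed to login" src_mac=',
    'device="SFW" date=2017-01-31 time=18:20:41 log_id=063110617711 status="Failed" '
    'user_name="carol" src_ip=198.51.100.9 message="User carol failed to login" src_mac=',
]

if __name__ == "__main__":
    for (service, user, ip), n in failed_signins(SAMPLE).items():
        print(f"{n} failed {service} sign-in(s) for {user} from {ip}")
```

Splitting these lines on spaces would break the quoted `message` field apart, which is why the pattern treats a quoted value as one unit.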


  • Hi Vivek Jagad,

    These examples are in the legacy section and all others will only be guesses of possible fields.

    Device Standard Format (Legacy)

    I would like to rely on a newer format, Central Reporting Format, which is offered by default.
    The example table for this format is empty and, unfortunately, it is difficult to rely on empty fields.

    Is it possible to find a second message format somewhere?

    Thanks,

    Evgenii

  • Nope, as of now no...

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 
