Expected Log Samples

Sophos UTM WAF XG310 and Sophos Unified Threat Management v8

Key = value with space as the delimiter

<30>Aug 23 10:58:46 Sophos-VA-Web.<Internal.domain> h=xx.xxx.xx.xx: u="<Username>" s=200 X=+ t=1503485925 T=620652 Ts=0 act=1 cat="0x220000002a" app="-" rsn=- threat="-" type="text/html" ctype="text/html" sav-ev=5.42 sav-dv=2017.x.xx.xxxxxxx uri-dv=- cache=- in=xxx out=xxxxx meth=HTTPS-SCAN ref="http://www.xyz.com/search?q=www.xyz.com&src=IE-SearchBox&FORM=XXXXxx" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:XX.X) like Gecko" req="GET https://www.xyz.com/?gfe_rd=cr&ei=41-dWZyePMvU8gek9J7gBQ&gws_rd=ssl HTTP/1.1" dom="xyz.co.ab" filetype="-" rule="0" filesize=67591 axtime=0.000850 fttime=0.000303 scantime=0.203 src_cat="0x200000002a" labs_cat="0x200000002a" dcat_prox="-" target_ip="xxx.xxx.xx.xxx" labs_rule_id="0" reqtime=0.203 adtime=0.000000 ftbypass=- os=UNKNOWN authn=0 auth_by=bypass dnstime=0.0000XX quotatime=- sandbox=-

Sophos Endpoint Antivirus version 5.2.1 R2

Key = value with a semicolon as the delimiter

InsertedAt=2018-05-30 07:17:35; EventID=x; EventTime=2018-05-30 07:17:34; ActionTakenID=xxx; ActionTaken=Cleanup Failed; UserName=xyz AUTHORITY\SYSTEM; ScannerTypeID=xxx; ScannerType=Unknown; StatusID=50; Status=Unresolved; ThreatTypeID=1; ThreatType=Viruses/spyware; ThreatName=xyz/DocDl-LHK; FullFilePath=C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Procurement_Vol_III_05_15_2018.docx; ComputerName=xyz0; ComputerDomain=WINDOWS.LOGPOINTBANK.LOCAL; ComputerIPAddress=xxx.xxx.x.xxx

Sophos XG Firewall v15.x

Key = value with space as the delimiter

<30> device="SFW" date=2016-02-10 time=18:14:46 timezone="CET" device_name="xyz" device_id=xxxxx log_id=xxxxxx log_type="Security Policy" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port8" out_interface="" src_mac=xx:xx:xx:xx:xx:6c src_ip=xxx.xxx.x.xx src_country_code= dst_ip=xxx.xxx.x.xxx dst_country_code= protocol="xx" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat"

SophosCentralCEF

CEF: a pipe-delimited header followed by space-delimited key=value pairs (the CEF extension)

CEF:0|sophos|sophos central|1.0|ABC|1|customer_id=xxxxxxxxx source_info_ip=1.1.1.1 endpoint_id=xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx endpoint_type=server id=xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx group=POLICY datastream=event end=2020-03-06T02:12:52.044Z rt=2020-03-06T02:12:52.056Z suser=n/a dhost=XYZ
