USM Anywhere™

Sophos XG Firewall

When you configure Sophos XG Firewall to send log data to USM Anywhere, you can use the Sophos XG plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor Sophos
Device Type Firewall
Connection Type Syslog

Integrating Sophos XG

Before you configure the Sophos XG integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Sophos XG to send log data to USM Anywhere

  1. In the Sophos XG console, go to System > System Services > Log Settings and, under the Syslog Servers section, click Add.
  2. Enter the server details:

    • Name — Unique name for your instance.
    • IP Address / Domain — Specify the IP address (IPv4 or IPv6)/ domain for your sensor.
    • Port — 514
    • Facility — Syslog facility for logs sent to the Sensor. Facility indicates to the source of a log such as the operating system, the process or an application. It is defined by the syslog protocol.

      The device supports several syslog facilities for received logs.

      Available options:

      • DAEMON
      • KERNEL
      • LOCAL0 - LOCAL7
      • USER
      • Severity Level:

        • EMERGENCY — System is not usable
        • ALERT — Action must be taken immediately
        • CRITICAL — Critical condition
        • ERROR — Error condition
        • WARNING — Warning condition
        • NOTIFICATION — Normal but significant condition
        • INFORMATION — Informational
        • DEBUG — Debug level messages.

    Unless a specific device format is chosen, the device produces logs in its standard format.

    Note: You can configure a maximum of five syslog servers.

  3. Click Save.
  4. On System > System Services > Log Settings, enable all those logs that you want sent to the sensor.

Plugin Enablement

The Sophos XG plugin automatically processes all messages when the raw message contains "date=\\S+\\s+time=\\S+\\s+timezone=".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • authentication_mode
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • destination_address
  • destination_dns_domain
  • destination_mac
  • destination_port
  • destination_translated_address
  • destination_translated_port
  • destination_zone
  • device_external_id
  • device_inbound_interface
  • device_outbound_interface
  • duration
  • email_recipient
  • email_sender
  • email_subject
  • event_action
  • event_category
  • event_description
  • event_name
  • event_outcome
  • event_severity
  • event_type
  • packets_received
  • packets_sent
  • policy
  • rep_device_model
  • rep_device_rule_id
  • rep_device_type
  • reputation_score
  • request_content_type
  • request_url
  • response_code
  • source_address
  • source_dns_domain
  • source_mac
  • source_port
  • source_translated_address
  • source_translated_port
  • source_username
  • source_zone
  • time_zone
  • timestamp_occured
  • timestamp_received
  • transport_protocol
  • user_group_id
  • wireless_ap
  • wireless_ssid

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: