Sophos Astaro Security Gateway sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sophos Astaro Security Gateway sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that a web request is blocked.
<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.112.47.87" dstip="10.112.48.88" user="testUser" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2521" request="0x93368600" url="http://ipv6.qradar.example.test/connecttest.txt" referer="" error="Host not found" authtime="0" dnstime="4743" cattime="180" avscantime="0" fullreqtime="5295" device="0" auth="0" ua="Microsoft NCSI" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 0002 |
| Source IP | 10.112.47.87 |
| Destination IP | 10.112.48.88 |
| Username | testUser |
| Device Time | 2019:06:20-04:12:39 |
Sample 2: The following sample event message shows that a packet is dropped by the packet filter.
<30>2019:06:20-04:12:39 sophos.astaro.test ulogd[7117]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307c" app="124" srcmac="00:00:5E:00:53:2A" dstmac="00:00:5E:00:53:66" srcip="10.112.2.39" dstip="10.112.47.75" proto="17" length="1071" tos="0x00" prec="0x00" ttl="62" srcport="53" dstport="29366"
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 2001 |
| Source IP | 10.112.2.39 |
| Source Port | 53 |
| Destination IP | 10.112.47.75 |
| Destination Port | 29366 |
| Device Time | 2019:06:20-04:12:39 |
Sample 3: The following sample event message shows that an IPS signature is detected.
<188>device="SFW" date=2020-07-31 time=09:45:51 timezone="CEST" device_name="device_name" device_id=ABCDEFGH1234567 log_id=020803407001 log_type="IDP" log_component="Signatures" log_subtype="Detect" priority=Warning idp_policy_id=13 fw_rule_id=9 user_name="" signature_id=15888 signature_msg="SERVER-OTHER SAPLPD 0x31 command buffer overflow attempt" classification="Attempted Administrator Privilege Gain" rule_priority=2 src_ip=10.0.0.1 src_country_code= dst_ip=10.0.0.2 dst_country_code= protocol="TCP" src_port=50392 dst_port=515 platform="Windows" category="server-other" target="Server"
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Detect |
| Event Category | IDP |
| Source IP | 10.0.0.1 |
| Source Port | 50392 |
| Destination IP | 10.0.0.2 |
| Destination Port | 515 |
| Device Time | The value in QRadar is 31 July 2020 9:45:51 CEST. (Extracted from the date, time, and timezone fields in the event payload.) |
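To check that a log source actually emits the fields the tables above rely on before pointing it at QRadar, the following parser, an added example that is neither IBM's nor Sophos's code, splits the three sample messages into their key=value pairs and maps them onto the QRadar field names. It assumes the two payload styles can be told apart by the presence of a `log_type` key, and it uses a constructed three-entry time zone table in place of a real zone database.

```python
import re
from datetime import datetime, timezone, timedelta
# One key=value pair: the value is double-quoted (may be empty) or a bare token,
# which may also be empty, as in src_country_code= in Sample 3.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# ASG header "<pri><timestamp> <host> <process>[<pid>]: " preceding the pairs in Samples 1 and 2.
ASG_HDR_RE = re.compile(r'<(\d+)>(\S+) (\S+) (\w+)\[(\d+)\]: ')
# Constructed, minimal zone table for this example; real code would use zoneinfo.
TZ_OFFSETS = {"UTC": 0, "CET": 1, "CEST": 2}

def parse_event(raw):
    """Split one syslog line into header parts (ASG style only) plus its key=value payload."""
    fields = {}
    m = ASG_HDR_RE.match(raw)
    if m:
        fields.update(pri=int(m.group(1)), devtime=m.group(2), host=m.group(3), proc=m.group(4))
        raw = raw[m.end():]
    else:  # Sample 3 carries only the <pri> before the pairs
        pri, raw = raw[1:].split(">", 1)
        fields["pri"] = int(pri)
    fields.update({k: q if q else b for k, q, b in KV_RE.findall(raw)})
    return fields

def device_time(f):
    """Device Time as the tables describe it: one field for ASG, date+time+timezone for SFW."""
    if "devtime" in f:
        return datetime.strptime(f["devtime"], "%Y:%m:%d-%H:%M:%S")
    tz = timezone(timedelta(hours=TZ_OFFSETS[f["timezone"]]), f["timezone"])
    return datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)

def to_qradar(raw):
    """Map a parsed event onto the QRadar field names used in the tables above."""
    f = parse_event(raw)
    if "log_type" in f:  # SFW payload (Sample 3); this discriminator key is an assumption
        out = {"Event ID": f["log_subtype"], "Event Category": f["log_type"],
               "Source IP": f["src_ip"], "Source Port": int(f["src_port"]),
               "Destination IP": f["dst_ip"], "Destination Port": int(f["dst_port"])}
    else:  # ASG payload (Samples 1 and 2); httpproxy events carry no ports
        out = {"Event ID": f["id"], "Source IP": f["srcip"], "Destination IP": f["dstip"]}
        if "srcport" in f:
            out["Source Port"], out["Destination Port"] = int(f["srcport"]), int(f["dstport"])
        if f.get("user"):
            out["Username"] = f["user"]
    out["Device Time"] = device_time(f)
    return out

# The three sample messages from this page, copied verbatim.
SAMPLE_1 = '<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.112.47.87" dstip="10.112.48.88" user="testUser" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2521" request="0x93368600" url="http://ipv6.qradar.example.test/connecttest.txt" referer="" error="Host not found" authtime="0" dnstime="4743" cattime="180" avscantime="0" fullreqtime="5295" device="0" auth="0" ua="Microsoft NCSI" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"'
SAMPLE_2 = '<30>2019:06:20-04:12:39 sophos.astaro.test ulogd[7117]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307c" app="124" srcmac="00:00:5E:00:53:2A" dstmac="00:00:5E:00:53:66" srcip="10.112.2.39" dstip="10.112.47.75" proto="17" length="1071" tos="0x00" prec="0x00" ttl="62" srcport="53" dstport="29366"'
SAMPLE_3 = '<188>device="SFW" date=2020-07-31 time=09:45:51 timezone="CEST" device_name="device_name" device_id=ABCDEFGH1234567 log_id=020803407001 log_type="IDP" log_component="Signatures" log_subtype="Detect" priority=Warning idp_policy_id=13 fw_rule_id=9 user_name="" signature_id=15888 signature_msg="SERVER-OTHER SAPLPD 0x31 command buffer overflow attempt" classification="Attempted Administrator Privilege Gain" rule_priority=2 src_ip=10.0.0.1 src_country_code= dst_ip=10.0.0.2 dst_country_code= protocol="TCP" src_port=50392 dst_port=515 platform="Windows" category="server-other" target="Server"'
```

Running `to_qradar` over each sample should reproduce the table rows above; a message whose mapping comes back with a missing key is one the DSM will not normalize as expected.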