Sophos Astaro Security Gateway sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Sophos Astaro Security Gateway sample messages when you use the Syslog protocol

Sample 1: The following sample event message shows that a web request is blocked.

<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.112.47.87" dstip="10.112.48.88" user="testUser" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2521" request="0x93368600" url="http://ipv6.qradar.example.test/connecttest.txt" referer="" error="Host not found" authtime="0" dnstime="4743" cattime="180" avscantime="0" fullreqtime="5295" device="0" auth="0" ua="Microsoft NCSI" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"
Table 1. Highlighted values in the Sophos Astaro Security Gateway event

QRadar field name    Highlighted values in the event payload
Event ID             0002
Source IP            10.112.47.87
Destination IP       10.112.48.88
Username             testUser
Device Time          2019:06:20-04:12:39

Sample 2: The following sample event message shows that a packet is dropped by the packet filter.

<30>2019:06:20-04:12:39 sophos.astaro.test ulogd[7117]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307c" app="124" srcmac="00:00:5E:00:53:2A" dstmac="00:00:5E:00:53:66" srcip="10.112.2.39" dstip="10.112.47.75" proto="17" length="1071" tos="0x00" prec="0x00" ttl="62" srcport="53" dstport="29366"  
Table 2. Highlighted values in the Sophos Astaro Security Gateway event

QRadar field name    Highlighted values in the event payload
Event ID             2001
Source IP            10.112.2.39
Source Port          53
Destination IP       10.112.47.75
Destination Port     29366
Device Time          2019:06:20-04:12:39

Sample 3: The following sample event message shows that an IPS signature is detected.

<188>device="SFW" date=2020-07-31 time=09:45:51 timezone="CEST" device_name="device_name" device_id=ABCDEFGH1234567 log_id=020803407001 log_type="IDP" log_component="Signatures" log_subtype="Detect" priority=Warning idp_policy_id=13 fw_rule_id=9 user_name="" signature_id=15888 signature_msg="SERVER-OTHER SAPLPD 0x31 command buffer overflow attempt" classification="Attempted Administrator Privilege Gain" rule_priority=2 src_ip=10.0.0.1 src_country_code= dst_ip=10.0.0.2 dst_country_code= protocol="TCP" src_port=50392 dst_port=515 platform="Windows" category="server-other" target="Server"
Table 3. Highlighted values in the Sophos Astaro Security Gateway event

QRadar field name    Highlighted values in the event payload
Event ID             Detect
Event Category       IDP
Source IP            10.0.0.1
Source Port          50392
Destination IP       10.0.0.2
Destination Port     515
Device Time          The value in QRadar is 31 July 2020 9:45:51 CEST. (Combined from the separate date, time, and timezone fields in the event payload.)
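The three samples above use two different layouts: Samples 1 and 2 carry a UTM-style syslog header (device time, host, process[pid]) followed by key="value" pairs, while Sample 3 has no such header, mixes quoted and unquoted values, leaves some values empty (src_country_code=), and splits the device time across date, time and timezone keys. The parser below is an added example, not QRadar's or Sophos's own code; it handles both layouts and maps the extracted keys onto the QRadar field names shown in the tables. The SAMPLE_1 and SAMPLE_3 strings are shortened copies of the page's samples, constructed here for the test.

```python
import re
from datetime import datetime

# Shortened copies of Sample 1 (UTM-style) and Sample 3 (SFOS-style) from this page.
SAMPLE_1 = ('<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" severity="info" '
            'sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" '
            'srcip="10.112.47.87" dstip="10.112.48.88" user="testUser" group="" statuscode="502"')
SAMPLE_3 = ('<188>device="SFW" date=2020-07-31 time=09:45:51 timezone="CEST" log_type="IDP" '
            'log_subtype="Detect" src_ip=10.0.0.1 src_country_code= dst_ip=10.0.0.2 '
            'protocol="TCP" src_port=50392 dst_port=515')

PRI_RE = re.compile(r'^<(\d+)>')
# "2019:06:20-04:12:39 host process[pid]: " -- only present in the UTM-style samples
UTM_HEADER_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: ')
# key="value with spaces"  |  key=bare-value  |  key=   (empty, e.g. src_country_code=)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_sophos(msg):
    """Split one Sophos syslog line into header fields plus its key=value body."""
    fields = {}
    m = PRI_RE.match(msg)
    fields['pri'] = m.group(1) if m else None
    body = msg[m.end():] if m else msg
    h = UTM_HEADER_RE.match(body)
    if h:
        fields.update(devicetime=h.group(1), host=h.group(2), process=h.group(3), pid=h.group(4))
        body = body[h.end():]
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = quoted or bare   # both groups are '' for an empty value
    return fields

def qradar_fields(f):
    """Map either layout onto the QRadar field names used in the tables on this page."""
    if 'log_type' in f:   # SFOS-style record (Sample 3): date, time and timezone are separate keys
        return {'Event ID': f.get('log_subtype'), 'Event Category': f.get('log_type'),
                'Source IP': f.get('src_ip'), 'Source Port': f.get('src_port'),
                'Destination IP': f.get('dst_ip'), 'Destination Port': f.get('dst_port'),
                'Device Time': datetime.strptime(f['date'] + ' ' + f['time'], '%Y-%m-%d %H:%M:%S'),
                'Timezone': f.get('timezone')}
    return {'Event ID': f.get('id'), 'Source IP': f.get('srcip'), 'Source Port': f.get('srcport'),
            'Destination IP': f.get('dstip'), 'Destination Port': f.get('dstport'),
            'Username': f.get('user'),
            'Device Time': datetime.strptime(f['devicetime'], '%Y:%m:%d-%H:%M:%S')}

if __name__ == '__main__':
    for sample in (SAMPLE_1, SAMPLE_3):
        print(qradar_fields(parse_sophos(sample)))
```

Comparing the dictionaries printed here against Tables 1 and 3 is a quick way to confirm that a collector or custom parser sees the same values QRadar is expected to extract.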