- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: SOPHOS UTM Firewall Logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SOPHOS UTM Firewall Logs
Hello to the community!
I am trying to alter the indexed value of a Sophos UTM logs in order to get mapped to CIM (https://docs.splunk.com/Documentation/CIM/4.11.0/User/NetworkTraffic).
Sophos UTM uses "accept" and "drop" and I want to change them respectively to "allowed" and "blocked" in order to get mapped to correctly to allowed and blocked traffic of the CIM.
Below you may find a sample of those logs:
2018:07:13-16:18:31 sophosutm-1 ulogd[6773]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="123" initf="eth1" outitf="eth2.665" srcmac="ec:bd:1d:71:26:31" dstmac="00:1a:8c:f0:ae:61" srcip="52.112.128.78" dstip="10.28.4.21" proto="6" length="40" tos="0x00" prec="0x00" ttl="117" srcport="50609" dstport="5061" tcpflags="ACK"
2018:07:13-16:18:31 sophosutm-1 ulogd[6773]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="68" initf="eth0" outitf="eth1" srcmac="00:26:99:14:b7:bf" dstmac="00:1a:8c:f0:ae:60" srcip="10.25.10.10" dstip="8.8.8.8" proto="17" length="70" tos="0x00" prec="0x00" ttl="126" srcport="53257" dstport="53"
2018:07:13-17:00:49 sophosutm-1 ulogd[6773]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="65" initf="eth2.667" outitf="eth1" srcmac="60:57:18:ae:a3:8f" dstmac="00:1a:8c:f0:ae:62" srcip="10.28.1.222" dstip="13.107.24.5" proto="17" length="58" tos="0x00" prec="0x00" ttl="127" srcport="64549" dstport="53"
I have the following configuration on my indexer:
/opt/splunk/etc/system/local/props.conf
[source::udp:514]
TRANSFORMS-null = setnullSOPHOSUTM,setnull_connection_refused_logs
TRANSFORMS-overrideDrupalLogs = override_for_drupal_logs
TRANSFORMS-overrideESXiLogs = override_for_esxi_logs
# alter accept to allowed and drop to blocked for utm logs
# in order to get mapped to CIM
SEDCMD-accept-to-allowed = s/action\=\"accept\"/action=\"allowed\"/g
SEDCMD-drop-to-blocked = s/action\=\"drop\"/action=\"blocked\"/g
However the results are not indexed as instructed in SED command. Can you imagine where is the issue?
Thanks,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are doing it wrong. Do not change the original raw data; use the Splunk Add-on for Sophos TA here to change it at search-time:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to this page: https://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise Splunk Add-on for Sophos is for Enterprise Console, not Sophos UTM.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
