Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configure syslogs from Sophos firewall

Overview

This article provides the steps to integrate your Sophos Firewall with Seceon SIEM so that you have comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). This document guides you through the steps for syslog forwarding.

Steps to Configure -

You can configure a Seceon CCE as a syslog server in Sophos Firewall by following the instructions below.

    1. Go to System Services > Log Settings and click Add to configure a Syslog server.
    2. Enter a Name for the Seceon CCE.
    3. Enter the IP Address of the Syslog server (the Seceon CCE). Messages from the device will be sent to the entered IP Address.
    4. Enter Port number 514, which the device will use for communicating with the syslog server. The device will send messages using this port.
    5. Select the Facility from the available options. As an example, we have selected the default value, i.e. DAEMON.

 Note: Facility informs the syslog server of the log message's source. It is defined by the syslog protocol. You can configure the facility to distinguish log messages from different devices. This parameter helps you identify the device that recorded a specific log file.

Available options:

      • DAEMON (Default): Information on the services running in the device as daemon.
      • KERNEL: Kernel log.
      • LOCAL0 - LOCAL7: Log level information.
      • USER: Logging based on users who are connected to the Server.
    6. Select the Severity Level from the available options. Severity level is the severity of the message that has been generated. The firewall logs all messages with a severity level equal to or greater than the level you select. For example, select Error to log all messages tagged as Error as well as any messages tagged with Critical, Alert and Emergency. Select Debug to log all messages.

Click on the Sophos IDC check box and apply.

Available options:

      • Emergency (Default): The System is not usable.
      • Alert: Action must be taken immediately.
      • Critical: Critical problem/error.
      • Error: An Error has occurred.
      • Warning: Warning of a problem/error.(Please select this one for Seceon CCE)
      • Notification: Normal, but significant.
      • Information: Informational.
      • Debug: Debug-level messages.
    7. Select the Format from the available options. Currently, the firewall can only produce logs in its own standard format.
    8. Click Save to save the configuration.

How to specify logs to be stored on the Syslog Server

Go to System Services > Log Settings and select the checkbox next to each required log type so that it is recorded on the syslog servers.
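To confirm that what reaches the Seceon CCE matches the facility (DAEMON) and severity (Warning) selected above, the following added example, which is not part of this article or of the Sophos or Seceon products, decodes the standard syslog <PRI> header of received lines and flags senders that are configured differently. The sample lines are constructed, and their key=value bodies are only assumed to resemble the firewall's standard format; the check relies on the <PRI> header alone.

```python
from collections import Counter
import re

# Constructed sample lines, not captured from a real device. The key=value body
# only imitates the shape of Sophos Firewall's standard format (an assumption).
SAMPLE_LINES = [
    '<27>Jan 10 12:00:01 sfw01 device="SFW" log_type="Firewall" log_subtype="Denied"',
    '<28>Jan 10 12:00:02 sfw01 device="SFW" log_type="IDP" log_subtype="Detect"',
    '<30>Jan 10 12:00:03 sfw01 device="SFW" log_type="Firewall" log_subtype="Allowed"',
    '<132>Jan 10 12:00:04 sfw01 device="SFW" log_type="Event" log_subtype="System"',
]

FACILITY_NAMES = {0: "KERNEL", 1: "USER", 3: "DAEMON",
                  **{16 + i: f"LOCAL{i}" for i in range(8)}}
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Information", "Debug"]

EXPECTED_FACILITY = 3  # DAEMON, the default chosen in the Facility step
MAX_SEVERITY = 4       # Warning, the level this guide asks you to select for the CCE
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the <PRI> header, or None if malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # largest valid value: facility 23 * 8 + severity 7
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def check_line(line):
    """Classify one received line against the facility/severity this guide configures."""
    decoded = decode_pri(line)
    if decoded is None:
        return "malformed"
    facility, severity = decoded
    if facility != EXPECTED_FACILITY:
        return f"unexpected facility {FACILITY_NAMES.get(facility, facility)}"
    if severity > MAX_SEVERITY:  # numerically higher means less severe than Warning
        return f"below threshold ({SEVERITY_NAMES[severity]})"
    return "ok"


def audit(lines):
    """Count verdicts for a batch so a misconfigured sender stands out quickly."""
    return dict(Counter(check_line(line) for line in lines))
```

Running audit(SAMPLE_LINES) on a capture from the CCE's UDP 514 listener shows at a glance whether every line carries the DAEMON facility and a severity of Warning or higher.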


Reference source: 

https://community.sophos.com/kb/en-us/123184

Seceon Inc. All rights reserved. https://www.seceon.com