Hello Everyone,
I am trying to set up the Filebeat Sophos module for a Sophos XG firewall. Filebeat output is sent directly to Elasticsearch.
I enabled the sophos module and then initialized it successfully with
filebeat setup -e -d --pipelines -modules="sophos"
my module config is as follows:
- module: sophos
xg:
enabled: true
# Set which input to use between tcp, udp (default) or file.
var.input: tcp
# NOTE(review): the events indexed from this listener (see the document below)
# carry a `message` made of raw control bytes (0x00 0x10 0x00 0x0e ... 0x06 0x01
# 0x06 0x02 ...) rather than syslog text, which is why the Grok step of the
# sophos.xg pipeline reports "Provided Grok expressions do not match field value"
# on every event. Those bytes look like the tail of a TLS 1.2 ClientHello
# (supported_groups, session_ticket and signature_algorithms extensions), cut where
# the tcp input's newline framing hit a 0x0a byte - i.e. the firewall appears to be
# sending syslog over TLS while this listener expects plaintext TCP. Confirm with a
# packet capture on the listener port; the fix is either to set the firewall's
# syslog server entry to plain TCP/UDP, or to keep TLS end to end by terminating it
# on the Filebeat side with the tcp input's `ssl` settings.
# The interface to listen to syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
# NOTE(review): 0.0.0.0 exposes an unauthenticated syslog listener on every
# interface of the host; anything that can reach the port can inject events into
# the sophos.xg dataset. Prefer binding only to the address the firewall reaches,
# and restrict the port on the host firewall to the firewall's source address.
var.syslog_host: 0.0.0.0
# The port to listen for syslog traffic. Defaults to 9004.
var.syslog_port: 9004
# firewall default hostname
# (used for events whose serial number is not listed under var.known_devices;
# it surfaces as `_conf.default` in the indexed document)
var.default_host_name: firewall.localgroup.local
# known firewalls
# (each entry maps a device serial number to the hostname the pipeline should
# set; surfaces as `_conf.mappings` in the indexed document)
var.known_devices:
- serial_number: "FW Serial"
hostname: "FW Hostname"
#- serial_number: "1234234590678557"
# hostname: "b.host.local"
utm:
enabled: false
And I receive logs like this:
{
"_index": "filebeat-7.17.3-2022.05.12-000001",
"_type": "_doc",
"_id": "XYM9vYAB9OV1mX8rU7yo",
"_version": 1,
"_score": 1,
"_source": {
"agent": {
"hostname": "Elastic Stack Hostname",
"name": "Elastic Stack Hostname",
"id": "059ca9b8-745a-43b4-9ea1-d4bba45cb164",
"ephemeral_id": "d3fe32d3-77c6-4676-ad74-61afbcd2928c",
"type": "filebeat",
"version": "7.17.3"
},
"log": {
"source": {
"address": "FW private IP:18876"
}
},
"_conf": {
"mappings": [
{
"hostname": "FW Hostname",
"serial": "FW Serial"
}
],
"default": "firewall.localgroup.local"
},
"fileset": {
"name": "xg"
},
"message": "\u0000\u0010\u0000\u000e\u0000\u0017\u0000\u0019\u0000\u001c\u0000\u001b\u0000\u0018\u0000\u001a\u0000\u0016\u0000#\u0000\u0000\u0000\r\u0000 \u0000\u001e\u0006\u0001\u0006\u0002\u0006\u0003\u0005\u0001\u0005\u0002\u0005\u0003\u0004\u0001\u0004\u0002\u0004\u0003\u0003\u0001\u0003\u0002\u0003\u0003\u0002\u0001\u0002\u0002\u0002\u0003",
"error": {
"message": "Provided Grok expressions do not match field value: [\\u0000\\u0010\\u0000\\u000E\\u0000\\u0017\\u0000\\u0019\\u0000\\u001C\\u0000\\u001B\\u0000\\u0018\\u0000\\u001A\\u0000\\u0016\\u0000#\\u0000\\u0000\\u0000\\r\\u0000 \\u0000\\u001E\\u0006\\u0001\\u0006\\u0002\\u0006\\u0003\\u0005\\u0001\\u0005\\u0002\\u0005\\u0003\\u0004\\u0001\\u0004\\u0002\\u0004\\u0003\\u0003\\u0001\\u0003\\u0002\\u0003\\u0003\\u0002\\u0001\\u0002\\u0002\\u0002\\u0003]"
},
"tags": [
"sophos-xg",
"forwarded"
],
"input": {
"type": "tcp"
},
"@timestamp": "2022-05-13T11:45:53.630Z",
"ecs": {
"version": "1.12.0"
},
"service": {
"type": "sophos"
},
"host": {
"name": "Elastic Stack Hostname"
},
"event": {
"ingested": "2022-05-13T11:45:54.589904775Z",
"timezone": "+02:00",
"module": "sophos",
"dataset": "sophos.xg"
}
},
"fields": {
"_conf.mappings.hostname": [
"FW Hostname"
],
"_conf.mappings.serial": [
"FW Serial"
],
"fileset.name": [
"xg"
],
"input.type": [
"tcp"
],
"agent.hostname": [
"Elastic Stack Hostname"
],
"message": [
"\u0000\u0010\u0000\u000e\u0000\u0017\u0000\u0019\u0000\u001c\u0000\u001b\u0000\u0018\u0000\u001a\u0000\u0016\u0000#\u0000\u0000\u0000\r\u0000 \u0000\u001e\u0006\u0001\u0006\u0002\u0006\u0003\u0005\u0001\u0005\u0002\u0005\u0003\u0004\u0001\u0004\u0002\u0004\u0003\u0003\u0001\u0003\u0002\u0003\u0003\u0002\u0001\u0002\u0002\u0002\u0003"
],
"_conf.default": [
"firewall.localgroup.local"
],
"tags": [
"sophos-xg",
"forwarded"
],
"service.type": [
"sophos"
],
"agent.type": [
"filebeat"
],
"event.ingested": [
"2022-05-13T11:45:54.589Z"
],
"@timestamp": [
"2022-05-13T11:45:53.630Z"
],
"agent.id": [
"059ca9b8-745a-43b4-9ea1-d4bba45cb164"
],
"event.module": [
"sophos"
],
"ecs.version": [
"1.12.0"
],
"log.source.address": [
"private FW IP:18876"
],
"error.message": [
"Provided Grok expressions do not match field value: [\\u0000\\u0010\\u0000\\u000E\\u0000\\u0017\\u0000\\u0019\\u0000\\u001C\\u0000\\u001B\\u0000\\u0018\\u0000\\u001A\\u0000\\u0016\\u0000#\\u0000\\u0000\\u0000\\r\\u0000 \\u0000\\u001E\\u0006\\u0001\\u0006\\u0002\\u0006\\u0003\\u0005\\u0001\\u0005\\u0002\\u0005\\u0003\\u0004\\u0001\\u0004\\u0002\\u0004\\u0003\\u0003\\u0001\\u0003\\u0002\\u0003\\u0003\\u0002\\u0001\\u0002\\u0002\\u0002\\u0003]"
],
"agent.ephemeral_id": [
"d3fe32d3-77c6-4676-ad74-61afbcd2928c"
],
"agent.version": [
"7.17.3"
],
"agent.name": [
"Elastic Stack Hostname"
],
"host.name": [
"Elastic Stack Hostname"
],
"event.dataset": [
"sophos.xg"
],
"event.timezone": [
"+02:00"
]
}
}
Elasticsearch and Filebeat are both version 7.17.3; the Sophos firewall is an XG330 (SFOS 18.5.2 MR-2-Build380).
Thanks in advance.