Collect Sophos Firewall (SFOS) logs

This document explains how to ingest Sophos Firewall logs to Google Security Operations using Bindplane. Sophos Firewall (SFOS) is a next-generation firewall that provides network security, web filtering, application control, IPS, VPN, and advanced threat protection. SFOS runs on Sophos XGS Series hardware appliances, virtual and cloud deployments, and generates detailed logs for firewall rules, web filtering, IPS events, authentication, VPN connections, and system activity.

For more information, see Collect Sophos Firewall logs.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance.
• A Windows 2016 or later or Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
• Privileged access to the Sophos Firewall web admin console with administrator role.
• Sophos Firewall running SFOS v18 or later.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agent.

3. Download the Ingestion Authentication File.

   • Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" /quiet
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL [https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh](https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh))" install_unix.sh
   

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   • Locate the config.yaml file. Typically, it is in the /opt/observiq-otel-collector/config.yaml directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           listen_address: "0.0.0.0:514"
   
   exporters:
       chronicle/sophos_firewall:
           compression: gzip
           creds_file_path: '/path/to/ingestion-authentication-file.json'
           customer_id: '<CUSTOMER_ID>'
           endpoint: malachiteingestion-pa.googleapis.com
           log_type: SOPHOS_FIREWALL
           raw_log_field: body
           ingestion_labels:
   
   service:
       pipelines:
           logs/sophos_fw_to_chronicle:
               receivers:
                   - udplog
               exporters:
                   - chronicle/sophos_firewall
   

• Replace the port and IP address as required in your infrastructure.
• Replace <CUSTOMER_ID> with the actual customer ID.
• Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved.

Restart the Bindplane agent to apply the changes

1. To restart the Bindplane agent in Linux, run the following command:

   sudo systemctl restart observiq-otel-collector
   

2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

   net stop observiq-otel-collector && net start observiq-otel-collector
   

Configure syslog forwarding on Sophos Firewall

Add syslog server

1. Sign in to the Sophos Firewall web admin console.
2. Go to System services > Log settings.
3. Scroll down to the Syslog servers section.

4. Click Add to add a new syslog server.

5. Provide the following configuration details:

   • Name: Enter a descriptive name (for example, Bindplane-SecOps).
   • IP address/Domain: Enter the IP address of the Bindplane agent host.
   • Port: Enter 514 (or your configured port).
   • Facility: Select DAEMON.
   • Severity level: Select Information (recommended for comprehensive logging).
   • Format: Select Device Standard Format.

6. Click Save.

Select log types to forward

1. In the Syslog servers section, click on the syslog server entry Bindplane-SecOps.

2. In the Log type section, enable the log categories to forward:

   • Firewall: Firewall rule hits, dropped traffic, and allowed connections.
   • IPS: Intrusion Prevention System alerts and events.
   • Anti-Virus: Malware detection events.
   • Anti-Spam: Spam detection and filtering events.
   • Content Filtering: Web filtering and URL categorization events.
   • Events: System events, authentication, and administrative activity.
   • Web Server Protection: WAF events.
   • Advanced Threat Protection: Sandstorm and ATP detection events.
   • Wireless: Wireless access point events (if applicable).
   • Heartbeat: Sophos Security Heartbeat status changes (if Synchronized Security is enabled).
   • System Health: Hardware and software health events.
   • Authentication: User and administrator authentication events.
   • Admin: Administrative console activity.

3. Click Apply.

Verify syslog forwarding

1. Go to Log viewer in the Sophos Firewall web admin console.
2. Verify that log entries are being generated.

3. Check the Bindplane agent logs to confirm that syslog messages are being received:

   sudo journalctl -u observiq-otel-collector -f
   

For more information, see Sophos Firewall syslog documentation.

UDM mapping table

Need more help? Get answers from Community members and Google SecOps professionals.