Sophos Astaro Security Gateway
The Sophos Astaro Security Gateway DSM for JSA accepts events by using syslog, enabling JSA to record all relevant events.
To configure syslog for Sophos Astaro Security Gateway:
Log in to the Sophos Astaro Security Gateway console.
From the navigation menu, select Logging > Settings.
Click the Remote Syslog Server tab.
The Remote Syslog Status window is displayed.
From Syslog Servers panel, click the + icon.
The Add Syslog Server window is displayed.
Configure the following parameters:
Name - Type a name for the syslog server.
Server - Click the folder icon to add a pre-defined host, or click + and type in a new network definition.
Port - Click the folder icon to add a pre-defined port, or click + and type in a new service definition.
By default, JSA communicates by using the syslog protocol on UDP/TCP port 514.
Click Save.
From the Remote syslog log selection field, you must select check boxes for the following logs:
POP3 Proxy - Select this check box.
Packet Filter - Select this check box.
Intrusion Prevention System - Select this check box.
Content Filter (HTTPS) - Select this check box.
High availability - Select this check box.
FTP Proxy - Select this check box.
SSL VPN - Select this check box.
PPTP daemon - Select this check box.
IPSEC VPN - Select this check box.
HTTP daemon - Select this check box.
User authentication daemon - Select this check box.
SMTP proxy - Select this check box.
Click Apply.
From the Remote syslog status section, click Enable.
You can now configure the log source in JSA.
To configure JSA to receive events from your Sophos Astaro Security Gateway device: From the Log Source Type list, select Sophos Astaro Security Gateway.
Sophos Astaro Security Gateway Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sophos Astaro Security Gateway Sample Messages When You Use the Syslog Protocol
Sample 1: The following sample event message shows that a web request is blocked.
<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.112.47.87" dstip="10.112.48.88" user="testUser" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2521" request="0x93368600" url="http://ipv6.qradar.example.test/connecttest.txt" referer="" error="Host not found" authtime="0" dnstime="4743" cattime="180" avscantime="0" fullreqtime="5295" device="0" auth="0" ua="Microsoft NCSI" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"
JSA field name | Highlighted values in the event payload
---|---
Event ID | 0002
Source IP | 10.112.47.87
Destination IP | 10.112.48.88
Username | testUser
Device Time | 2019:06:20-04:12:39
Sample 2: The following sample event message shows that a packet is dropped by the packet filter.
<30>2019:06:20-04:12:39 sophos.astaro.test ulogd[7117]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307c" app="124" srcmac="00:00:5E:00:53:2A" dstmac="00:00:5E:00:53:66" srcip="10.112.2.39" dstip="10.112.47.75" proto="17" length="1071" tos="0x00" prec="0x00" ttl="62" srcport="53" dstport="29366"
JSA field name | Highlighted values in the event payload
---|---
Event ID | 2001
Source IP | 10.112.2.39
Source Port | 53
Destination IP | 10.112.47.75
Destination Port | 29366
Device Time | 2019:06:20-04:12:39
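The two samples above share one layout: a syslog priority, an Astaro-style timestamp, the host, a daemon name with its PID, and then a body of key="value" pairs. The following Python script is an added example, not part of the Juniper DSM documentation or of JSA itself; it parses that layout and maps the keys to the JSA field names shown in the two tables (the mapping of id, srcip, dstip, srcport, dstport and user to those field names is inferred from the tables, and the sample strings are constructed, abridged copies of the two events with their values unchanged). It also rejects a line whose body contains text outside a key="value" pair, which is what a message wrapped by a stray carriage return or line feed looks like after pasting.

```python
"""Parse Sophos Astaro Security Gateway syslog events into the fields JSA maps.

Added example (not Juniper or Sophos code). The JSA field-to-key mapping is
inferred from the two sample-message tables on this page.
"""
import re
from dataclasses import dataclass, field

# Constructed, abridged copies of the two sample events (values unchanged).
SAMPLE_WEB_BLOCK = (
    '<30>2019:06:20-04:12:39 sophos.astaro.test httpproxy[7917]: id="0002" '
    'severity="info" sys="SecureWeb" sub="http" name="web request blocked" '
    'action="block" method="GET" srcip="10.112.47.87" dstip="10.112.48.88" '
    'user="testUser" group="" ad_domain="" statuscode="502" cached="0" '
    'url="http://ipv6.qradar.example.test/connecttest.txt" referer="" '
    'error="Host not found" ua="Microsoft NCSI" category="178" '
    'reputation="neutral" categoryname="Internet Services"'
)
SAMPLE_PACKET_DROP = (
    '<30>2019:06:20-04:12:39 sophos.astaro.test ulogd[7117]: id="2001" '
    'severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" '
    'action="drop" fwrule="60001" initf="eth0" srcmac="00:00:5E:00:53:2A" '
    'dstmac="00:00:5E:00:53:66" srcip="10.112.2.39" dstip="10.112.47.75" '
    'proto="17" length="1071" ttl="62" srcport="53" dstport="29366"'
)

# <PRI>YYYY:MM:DD-HH:MM:SS host program[pid]: key="value" key="value" ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)
# Values are double-quoted; a backslash escapes the following character.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# JSA field name -> Astaro key, as shown in the two mapping tables above.
JSA_FIELD_MAP = {
    "Event ID": "id",
    "Source IP": "srcip",
    "Source Port": "srcport",
    "Destination IP": "dstip",
    "Destination Port": "dstport",
    "Username": "user",
}


@dataclass
class AstaroEvent:
    facility: int          # syslog PRI >> 3 (30 -> 3, daemon)
    severity: int          # syslog PRI & 7  (30 -> 6, info)
    device_time: str       # the Astaro timestamp, reported by JSA as Device Time
    host: str
    program: str
    pid: int
    fields: dict = field(default_factory=dict)


def parse_event(line: str) -> AstaroEvent:
    """Split the syslog header, then the key="value" body.

    Raises ValueError when the line does not match the Astaro layout, so a
    caller can count rejected lines instead of silently dropping fields.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an Astaro syslog line")
    pri = int(m["pri"])
    body = m["body"]
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(body)}
    # Anything left once every pair is removed means the body was wrapped or
    # truncated in transit (the carriage-return caveat in the text above).
    if KV_RE.sub("", body).strip():
        raise ValueError("unparsed text in event body")
    return AstaroEvent(pri >> 3, pri & 7, m["ts"], m["host"], m["prog"],
                       int(m["pid"]), fields)


def to_jsa_fields(event: AstaroEvent) -> dict:
    """Return only the JSA fields this event actually carries (empty values dropped)."""
    out = {"Device Time": event.device_time}
    for jsa_name, key in JSA_FIELD_MAP.items():
        if event.fields.get(key):
            out[jsa_name] = event.fields[key]
    return out


if __name__ == "__main__":
    for raw in (SAMPLE_WEB_BLOCK, SAMPLE_PACKET_DROP):
        ev = parse_event(raw)
        print(ev.program, "-", ev.fields["name"], "->", to_jsa_fields(ev))
```

Run it against a file of events exported from the gateway to confirm that every line parses and that the Event ID, addresses and ports JSA will display match what the gateway logged; a ValueError on a pasted sample usually means a line break was left inside the message.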