sophos fields
editsophos fields
editsophos Module
sophos
editxg
editModule for parsing sophosxg syslog.
-
sophos.xg.device
-
device
type: keyword
-
sophos.xg.date
-
Date (yyyy-mm-dd) when the event occurred
type: date
-
sophos.xg.timezone
-
Time (hh:mm:ss) when the event occurred
type: keyword
-
sophos.xg.device_name
-
Model number of the device
type: keyword
-
sophos.xg.device_id
-
Serial number of the device
type: keyword
-
sophos.xg.log_id
-
Unique 12 characters code (0101011)
type: keyword
-
sophos.xg.log_type
-
Type of event e.g. firewall event
type: keyword
-
sophos.xg.log_component
-
Component responsible for logging e.g. Firewall rule
type: keyword
-
sophos.xg.log_subtype
-
Sub type of event
type: keyword
-
sophos.xg.hb_health
-
Heartbeat status
type: keyword
-
sophos.xg.priority
-
Severity level of traffic
type: keyword
-
sophos.xg.status
-
Ultimate status of traffic – Allowed or Denied
type: keyword
-
sophos.xg.duration
-
Durability of traffic (seconds)
type: long
-
sophos.xg.fw_rule_id
-
Firewall Rule ID which is applied on the traffic
type: integer
-
sophos.xg.user_name
-
user_name
type: keyword
-
sophos.xg.user_group
-
Group name to which the user belongs
type: keyword
-
sophos.xg.iap
-
Internet Access policy ID applied on the traffic
type: keyword
-
sophos.xg.ips_policy_id
-
IPS policy ID applied on the traffic
type: integer
-
sophos.xg.policy_type
-
Policy type applied to the traffic
type: keyword
-
sophos.xg.appfilter_policy_id
-
Application Filter policy applied on the traffic
type: integer
-
sophos.xg.application_filter_policy
-
Application Filter policy applied on the traffic
type: integer
-
sophos.xg.application
-
Application name
type: keyword
-
sophos.xg.application_name
-
Application name
type: keyword
-
sophos.xg.application_risk
-
Risk level assigned to the application
type: keyword
-
sophos.xg.application_technology
-
Technology of the application
type: keyword
-
sophos.xg.application_category
-
Application is resolved by signature or synchronized application
type: keyword
-
sophos.xg.appresolvedby
-
Technology of the application
type: keyword
-
sophos.xg.app_is_cloud
-
Application is Cloud
type: keyword
-
sophos.xg.in_interface
-
Interface for incoming traffic, e.g., Port A
type: keyword
-
sophos.xg.out_interface
-
Interface for outgoing traffic, e.g., Port B
type: keyword
-
sophos.xg.src_ip
-
Original source IP address of traffic
type: ip
-
sophos.xg.src_mac
-
Original source MAC address of traffic
type: keyword
-
sophos.xg.src_country_code
-
Code of the country to which the source IP belongs
type: keyword
-
sophos.xg.dst_ip
-
Original destination IP address of traffic
type: ip
-
sophos.xg.dst_country_code
-
Code of the country to which the destination IP belongs
type: keyword
-
sophos.xg.protocol
-
Protocol number of traffic
type: keyword
-
sophos.xg.src_port
-
Original source port of TCP and UDP traffic
type: integer
-
sophos.xg.dst_port
-
Original destination port of TCP and UDP traffic
type: integer
-
sophos.xg.icmp_type
-
ICMP type of ICMP traffic
type: keyword
-
sophos.xg.icmp_code
-
ICMP code of ICMP traffic
type: keyword
-
sophos.xg.sent_pkts
-
Total number of packets sent
type: long
-
sophos.xg.received_pkts
-
Total number of packets received
type: long
-
sophos.xg.sent_bytes
-
Total number of bytes sent
type: long
-
sophos.xg.recv_bytes
-
Total number of bytes received
type: long
-
sophos.xg.trans_src_ ip
-
Translated source IP address for outgoing traffic
type: ip
-
sophos.xg.trans_src_port
-
Translated source port for outgoing traffic
type: integer
-
sophos.xg.trans_dst_ip
-
Translated destination IP address for outgoing traffic
type: ip
-
sophos.xg.trans_dst_port
-
Translated destination port for outgoing traffic
type: integer
-
sophos.xg.srczonetype
-
Type of source zone, e.g., LAN
type: keyword
-
sophos.xg.srczone
-
Name of source zone
type: keyword
-
sophos.xg.dstzonetype
-
Type of destination zone, e.g., WAN
type: keyword
-
sophos.xg.dstzone
-
Name of destination zone
type: keyword
-
sophos.xg.dir_disp
-
TPacket direction. Possible values:“org”, “reply”, “”
type: keyword
-
sophos.xg.connevent
-
Event on which this log is generated
type: keyword
-
sophos.xg.conn_id
-
Unique identifier of connection
type: integer
-
sophos.xg.vconn_id
-
Connection ID of the master connection
type: integer
-
sophos.xg.idp_policy_id
-
IPS policy ID which is applied on the traffic
type: integer
-
sophos.xg.idp_policy_name
-
IPS policy name i.e. IPS policy name which is applied on the traffic
type: keyword
-
sophos.xg.signature_id
-
Signature ID
type: keyword
-
sophos.xg.signature_msg
-
Signature messsage
type: keyword
-
sophos.xg.classification
-
Signature classification
type: keyword
-
sophos.xg.rule_priority
-
Priority of IPS policy
type: keyword
-
sophos.xg.platform
-
Platform of the traffic.
type: keyword
-
sophos.xg.category
-
IPS signature category.
type: keyword
-
sophos.xg.target
-
Platform of the traffic.
type: keyword
-
sophos.xg.eventid
-
ATP Evenet ID
type: keyword
-
sophos.xg.ep_uuid
-
Endpoint UUID
type: keyword
-
sophos.xg.threatname
-
ATP threatname
type: keyword
-
sophos.xg.sourceip
-
Original source IP address of traffic
type: ip
-
sophos.xg.destinationip
-
Original destination IP address of traffic
type: ip
-
sophos.xg.login_user
-
ATP login user
type: keyword
-
sophos.xg.eventtype
-
ATP event type
type: keyword
-
sophos.xg.execution_path
-
ATP execution path
type: keyword
-
sophos.xg.av_policy_name
-
Malware scanning policy name which is applied on the traffic
type: keyword
-
sophos.xg.from_email_address
-
Sender email address
type: keyword
-
sophos.xg.to_email_address
-
Receipeint email address
type: keyword
-
sophos.xg.subject
-
Email subject
type: keyword
-
sophos.xg.mailsize
-
mailsize
type: integer
-
sophos.xg.virus
-
virus name
type: keyword
-
sophos.xg.FTP_url
-
FTP URL from which virus was downloaded
type: keyword
-
sophos.xg.FTP_direction
-
Direction of FTP transfer: Upload or Download
type: keyword
-
sophos.xg.filesize
-
Size of the file that contained virus
type: integer
-
sophos.xg.filepath
-
Path of the file containing virus
type: keyword
-
sophos.xg.filename
-
File name associated with the event
type: keyword
-
sophos.xg.ftpcommand
-
FTP command used when virus was found
type: keyword
-
sophos.xg.url
-
URL from which virus was downloaded
type: keyword
-
sophos.xg.domainname
-
Domain from which virus was downloaded
type: keyword
-
sophos.xg.quarantine
-
Path and filename of the file quarantined
type: keyword
-
sophos.xg.src_domainname
-
Sender domain name
type: keyword
-
sophos.xg.dst_domainname
-
Receiver domain name
type: keyword
-
sophos.xg.reason
-
Reason why the record was detected as spam/malicious
type: keyword
-
sophos.xg.referer
-
Referer
type: keyword
-
sophos.xg.spamaction
-
Spam Action
type: keyword
-
sophos.xg.mailid
-
mailid
type: keyword
-
sophos.xg.quarantine_reason
-
Quarantine reason
type: keyword
-
sophos.xg.status_code
-
Status code
type: keyword
-
sophos.xg.override_token
-
Override token
type: keyword
-
sophos.xg.con_id
-
Unique identifier of connection
type: integer
-
sophos.xg.override_authorizer
-
Override authorizer
type: keyword
-
sophos.xg.transactionid
-
Transaction ID of the AV scan.
type: keyword
-
sophos.xg.upload_file_type
-
Upload file type
type: keyword
-
sophos.xg.upload_file_name
-
Upload file name
type: keyword
-
sophos.xg.httpresponsecode
-
code of HTTP response
type: long
-
sophos.xg.user_gp
-
Group name to which the user belongs.
type: keyword
-
sophos.xg.category_type
-
Type of category under which website falls
type: keyword
-
sophos.xg.download_file_type
-
Download file type
type: keyword
-
sophos.xg.exceptions
-
List of the checks excluded by web exceptions.
type: keyword
-
sophos.xg.contenttype
-
Type of the content
type: keyword
-
sophos.xg.override_name
-
Override name
type: keyword
-
sophos.xg.activityname
-
Web policy activity that matched and caused the policy result.
type: keyword
-
sophos.xg.download_file_name
-
Download file name
type: keyword
-
sophos.xg.sha1sum
-
SHA1 checksum of the item being analyzed
type: keyword
-
sophos.xg.message_id
-
Message ID
type: keyword
-
sophos.xg.connid
-
Connection ID
type: keyword
-
sophos.xg.message
-
Message
type: keyword
-
sophos.xg.email_subject
-
Email Subject
type: keyword
-
sophos.xg.file_path
-
File path
type: keyword
-
sophos.xg.dstdomain
-
Destination Domain
type: keyword
-
sophos.xg.file_size
-
File Size
type: integer
-
sophos.xg.transaction_id
-
Transaction ID
type: keyword
-
sophos.xg.website
-
Website
type: keyword
-
sophos.xg.file_name
-
Filename
type: keyword
-
sophos.xg.context_prefix
-
Content Prefix
type: keyword
-
sophos.xg.site_category
-
Site Category
type: keyword
-
sophos.xg.context_suffix
-
Context Suffix
type: keyword
-
sophos.xg.dictionary_name
-
Dictionary Name
type: keyword
-
sophos.xg.action
-
Event Action
type: keyword
-
sophos.xg.user
-
User
type: keyword
-
sophos.xg.context_match
-
Context Match
type: keyword
-
sophos.xg.direction
-
Direction
type: keyword
-
sophos.xg.auth_client
-
Auth Client
type: keyword
-
sophos.xg.auth_mechanism
-
Auth mechanism
type: keyword
-
sophos.xg.connectionname
-
Connectionname
type: keyword
-
sophos.xg.remotenetwork
-
remotenetwork
type: keyword
-
sophos.xg.localgateway
-
Localgateway
type: keyword
-
sophos.xg.localnetwork
-
Localnetwork
type: keyword
-
sophos.xg.connectiontype
-
Connectiontype
type: keyword
-
sophos.xg.oldversion
-
Oldversion
type: keyword
-
sophos.xg.newversion
-
Newversion
type: keyword
-
sophos.xg.ipaddress
-
Ipaddress
type: keyword
-
sophos.xg.client_physical_address
-
Client physical address
type: keyword
-
sophos.xg.client_host_name
-
Client host name
type: keyword
-
sophos.xg.raw_data
-
Raw data
type: keyword
-
sophos.xg.Mode
-
Mode
type: keyword
-
sophos.xg.sessionid
-
Sessionid
type: keyword
-
sophos.xg.starttime
-
Starttime
type: date
-
sophos.xg.remote_ip
-
Remote IP
type: ip
-
sophos.xg.timestamp
-
timestamp
type: date
-
sophos.xg.SysLog_SERVER_NAME
-
SysLog SERVER NAME
type: keyword
-
sophos.xg.backup_mode
-
Backup mode
type: keyword
-
sophos.xg.source
-
Source
type: keyword
-
sophos.xg.server
-
Server
type: keyword
-
sophos.xg.host
-
Host
type: keyword
-
sophos.xg.responsetime
-
Responsetime
type: long
-
sophos.xg.cookie
-
cookie
type: keyword
-
sophos.xg.querystring
-
querystring
type: keyword
-
sophos.xg.extra
-
extra
type: keyword
-
sophos.xg.PHPSESSID
-
PHPSESSID
type: keyword
-
sophos.xg.start_time
-
Start time
type: date
-
sophos.xg.eventtime
-
Event time
type: date
-
sophos.xg.red_id
-
RED ID
type: keyword
-
sophos.xg.branch_name
-
Branch Name
type: keyword
-
sophos.xg.updatedip
-
updatedip
type: ip
-
sophos.xg.idle_cpu
-
idle ##
type: float
-
sophos.xg.system_cpu
-
system
type: float
-
sophos.xg.user_cpu
-
system
type: float
-
sophos.xg.used
-
used
type: integer
-
sophos.xg.unit
-
unit
type: keyword
-
sophos.xg.total_memory
-
Total Memory
type: integer
-
sophos.xg.free
-
free
type: integer
-
sophos.xg.transmittederrors
-
transmitted errors
type: keyword
-
sophos.xg.receivederrors
-
received errors
type: keyword
-
sophos.xg.receivedkbits
-
received kbits
type: long
-
sophos.xg.transmittedkbits
-
transmitted kbits
type: long
-
sophos.xg.transmitteddrops
-
transmitted drops
type: long
-
sophos.xg.receiveddrops
-
received drops
type: long
-
sophos.xg.collisions
-
collisions
type: long
-
sophos.xg.interface
-
interface
type: keyword
-
sophos.xg.Configuration
-
Configuration
type: float
-
sophos.xg.Reports
-
Reports
type: float
-
sophos.xg.Signature
-
Signature
type: float
-
sophos.xg.Temp
-
Temp
type: float
-
sophos.xg.users
-
users
type: keyword
-
sophos.xg.ssid
-
ssid
type: keyword
-
sophos.xg.ap
-
ap
type: keyword
-
sophos.xg.clients_conn_ssid
-
clients connection ssid
type: keyword