Hello everyone,
I have been working on integrating Sophos XG into ArcSight. I am using Syslog to send the events over to ArcSight and have parsed all events, but there is one specific event that seems to have a bug when Sophos XG syslog sends it. Below is an example of the log message.
====================================
<29> device="SFW" date=2017-03-30 time=12:54:27 timezone="EDT" device_name="SFVH" device_id=XXXXXXXXX log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Failed" priority=Notice host=vpn.DOMAIN.ca updatedip=0.0.0.0 reason="Unknown Error" message="DDNS update for host vpn.DOMAIN.ca was Failed. Last Updated with IP: 0.0.0.0.Failure Reason: Unknown Error
"
====================================
As you can see, at the end the last " is on a new line. This makes it difficult to parse, as no other Sophos XG log has the " on a new line.
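One way to cope with this record at the collector, as an added example that is not code from the original post, Sophos or ArcSight: join physical syslog lines while a double-quoted value is still open, then parse key=value pairs as usual. The sample input reuses the DDNS event quoted above plus one constructed one-line event.

```python
import re

# key=value pair: the value is a double-quoted string (the negated class
# also matches "\n", so it may span lines) or a run of non-whitespace.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
_PRI_RE = re.compile(r'^<(\d{1,3})>\s*')
_QUOTE_RE = re.compile(r'(?<!\\)"')  # unescaped double quote


def join_open_quotes(lines):
    """Yield logical records; keep appending physical lines while the
    pending record has an odd number of quotes (a value is still open)."""
    pending = None
    for line in lines:
        line = line.rstrip("\r\n")
        pending = line if pending is None else pending + "\n" + line
        if len(_QUOTE_RE.findall(pending)) % 2 == 0:
            yield pending
            pending = None
    if pending is not None:  # quote never closed before end of input
        yield pending


def parse_record(record):
    """Parse one logical record into a dict; syslog PRI is stored as 'pri'."""
    fields = {}
    m = _PRI_RE.match(record)
    if m:
        fields["pri"] = int(m.group(1))
        record = record[m.end():]
    for key, value in _PAIR_RE.findall(record):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value.strip()  # drops the newline before the quote
    return fields


def parse_syslog(text):
    return [parse_record(r) for r in join_open_quotes(text.splitlines(True))]


# DDNS event quoted in the post (device_id placeholder as posted), then a constructed one-line event.
SAMPLE = (
    '<29> device="SFW" date=2017-03-30 time=12:54:27 timezone="EDT" device_name="SFVH" '
    'device_id=XXXXXXXXX log_id=063711517815 log_type="Event" log_component="DDNS" '
    'log_subtype="System" status="Failed" priority=Notice host=vpn.DOMAIN.ca '
    'updatedip=0.0.0.0 reason="Unknown Error" message="DDNS update for host '
    'vpn.DOMAIN.ca was Failed. Last Updated with IP: 0.0.0.0.Failure Reason: Unknown Error\n'
    '"\n'
    '<30> device="SFW" date=2017-03-30 time=12:55:01 log_type="Firewall" status="Allow"\n'
)
```

Running `parse_syslog(SAMPLE)` yields two records; the first has its `message` field intact with the stray trailing newline removed.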