Sophos Rules and decoders

perps grace

Feb 20, 2026, 7:42:38 AM
to Wazuh | Mailing List
Hello,
I'm creating Sophos decoders and rules. When I test the decoder, it works, but the logs aren't being displayed on the dashboard. Check the details below and kindly advise on what the problem could be.

Test log

2026-02-15T00:07:31.705159+00:00 mail.abc.com device_name="C240777JYDX4V72" timestamp="2026-02-15T03:07:31+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="16" fw_rule_name="LAN-TO-WAN" fw_rule_section="Local rule" nat_rule_id="2" nat_rule_name="Default SNAT IPv4" fw_rule_type="USER" gw_id_request=3 gw_name_request="PPP-DATA-FIBER" sdwan_route_id_request=2 sdwan_route_name_request="Primary-Internet-Access" web_policy_id=14 app_filter_policy_id=8 app_name="Network Time Protocol" app_risk=1 app_technology="Browser Based" app_category="Infrastructure" ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="PortF1" src_mac="00:B8:B3:B7:6E:C1" dst_mac="A8:91:62:13:66:61" src_ip="192.168.3.181" src_country="R1" dst_ip="102.205.4.4" dst_country="NGA" protocol="UDP" src_port=46506 dst_port=123 src_trans_ip="43.2.4.700" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="730796535" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="PortF1" log_occurrence="1"

Decoder that's now fetching some fields

<!-- Parent decoder. The prematch is a substring test, so every line that
     contains "device_name" anywhere is handed to the children below. -->
<decoder name="sophos-custom">
  <prematch>device_name</prematch>
</decoder>
<!-- Sibling children sharing one name: Wazuh keeps evaluating the next
     sibling after a match, so each regex contributes the single field
     named in its <order> tag. -->
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <regex>device_model="(\w+)"</regex>
  <order>device-model</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <!-- \. matches any character, so this captures values with spaces -->
  <regex>log_component="(\.+)"</regex>
  <order>log-component</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <regex>severity="(\w+)"</regex>
  <order>severity</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <!-- \p matches punctuation (including "."), so this captures a dotted quad -->
  <regex>src_ip="(\d+\p\d+\p\d+\p\d+)"</regex>
  <order>source-ip</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <regex>src_country="(\w+)"</regex>
  <order>source-country</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <regex>dst_ip="(\d+\p\d+\p\d+\p\d+)"</regex>
  <order>destination-ip</order>
</decoder>
<decoder name="sophos-custom-child">
  <parent>sophos-custom</parent>
  <regex>protocol="(\w+)"</regex>
  <order>protocol</order>
</decoder>

Results/output

**Phase 2: Completed decoding.
name: 'sophos-custom'
destination-ip: '102.2.4.4'
device-model: 'XGS2300'
log-component: 'Firewall Rule'
protocol: 'UDP'
severity: 'Information'
source-country: 'R1'
source-ip: '192.168.3.181'

**Phase 3: Completed filtering (rules).
id: '185367'
level: '10'
description: 'ICMP Sweep access rule alert from 192.168.3.181'
groups: '["customICMP"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.


Rule that's fetching some fields

<group name="custom">
  <rule id="185367" level="10">
    <decoded_as>sophos-custom</decoded_as>
    <description>ICMP Sweep access rule alert from $(source-ip)</description>
    <!-- The logtest output below shows the groups fused as "customICMP":
         Wazuh concatenates the <group name> prefix with the rule's <group>
         string, so use trailing commas ("custom," and "ICMP,") to get two
         separate groups. -->
    <group>ICMP</group>
  </rule>
</group>

Results/output

**Phase 2: Completed decoding.
name: 'sophos-custom'
destination-ip: '102.205.44.44'
device-model: 'XGS2300'
log-component: 'Firewall Rule'
protocol: 'UDP'
severity: 'Information'
source-country: 'R1'
source-ip: '192.168.3.181'

**Phase 3: Completed filtering (rules).
id: '185367'
level: '10'
description: 'ICMP Sweep access rule alert from 192.168.3.181'
groups: '["customICMP"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.
 

Md. Nazmur Sakib

Feb 20, 2026, 8:45:19 AM
to Wazuh | Mailing List
Hello,

I was able to trigger alerts with your log, decoder, and rule. So there can be two possible reasons you are not seeing this alert in the dashboard.

One can be that the log format you are using to test is different from the actual log format your manager is receiving from your Sophos device.

You can confirm if your manager is able to trigger an alert for your rules and decoder by checking the alerts.json file.
cat /var/ossec/logs/alerts/alerts.json | grep "185367"


If you do not find an alert with this command, that means either your Wazuh manager is not receiving logs or the log format the manager is receiving does not match the decoders and the rules.

If you receive an alert in alerts.json for rule ID 185367 but still do not get an alert in the Dashboard, it can be related to a Filebeat mapping issue or an issue with the indexer.

Check the Filebeat logs to see whether there is any mapping error:
cat /var/log/filebeat/filebeat* | grep -iE 'WARN|ERROR'


Let me know your findings, so that I can guide you with what we can do next to resolve this.
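An added example for checking the first hypothesis in the reply above (that the test line and the lines the manager actually receives differ in format). This is not code from the original posts or from Wazuh: it is a small Python parser for the Sophos XGS key=value payload that handles quoted values containing spaces, bare numeric values and an optional leading syslog header, then reports which keys and values differ between two lines and which of the keys the thread's decoders rely on are missing. `TEST_LINE` is the poster's test log copied from the thread; `REAL_LINE` is a constructed stand-in with hypothetical values, not a captured Sophos log. The Sophos-key-to-Wazuh-field mapping is taken from the `<order>` tags of the posted decoders.

```python
"""Parse Sophos XGS key=value payloads and diff two lines field by field.

Added example for the Wazuh mailing-list thread; not code from the posts or from
Wazuh. TEST_LINE is the poster's test log; REAL_LINE is constructed (hypothetical).
"""
import re

# One token is key="quoted value" (may contain spaces) or key=bare (no spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sophos key -> Wazuh field name, from the <order> tags of the posted decoders.
DECODED_FIELDS = {
    "device_model": "device-model",
    "log_component": "log-component",
    "severity": "severity",
    "src_ip": "source-ip",
    "src_country": "source-country",
    "dst_ip": "destination-ip",
    "protocol": "protocol",
}

# The poster's test log, including the syslog header (timestamp and host).
TEST_LINE = (
    '2026-02-15T00:07:31.705159+00:00 mail.abc.com '
    'device_name="C240777JYDX4V72" timestamp="2026-02-15T03:07:31+0300" '
    'device_model="XGS2300" device_serial_id="X230228634MR9BD" log_id="010101600001" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'log_version=1 severity="Information" fw_rule_id="16" fw_rule_name="LAN-TO-WAN" '
    'fw_rule_section="Local rule" nat_rule_id="2" nat_rule_name="Default SNAT IPv4" '
    'fw_rule_type="USER" gw_id_request=3 gw_name_request="PPP-DATA-FIBER" '
    'sdwan_route_id_request=2 sdwan_route_name_request="Primary-Internet-Access" '
    'web_policy_id=14 app_filter_policy_id=8 app_name="Network Time Protocol" '
    'app_risk=1 app_technology="Browser Based" app_category="Infrastructure" '
    'ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="PortF1" '
    'src_mac="00:B8:B3:B7:6E:C1" dst_mac="A8:91:62:13:66:61" src_ip="192.168.3.181" '
    'src_country="R1" dst_ip="102.205.4.4" dst_country="NGA" protocol="UDP" '
    'src_port=46506 dst_port=123 src_trans_ip="43.2.4.700" src_zone_type="LAN" '
    'src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" '
    'con_id="730796535" hb_status="No Heartbeat" app_resolved_by="Signature" '
    'app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" '
    'out_display_interface="PortF1" log_occurrence="1"'
)

# Constructed stand-in for a line pulled from the manager: no syslog header,
# fewer fields (no src_country) and different values. Hypothetical data.
REAL_LINE = (
    'device_name="C240777JYDX4V72" timestamp="2026-02-20T09:12:03+0300" '
    'device_model="XGS2300" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" severity="Information" src_ip="192.168.3.181" '
    'dst_ip="102.205.4.4" protocol="TCP" src_port=51002 dst_port=443'
)


def split_syslog_header(line):
    """Return (header, payload); the payload starts at the first key=value token."""
    m = KV_RE.search(line)
    if m is None:
        return line, ""
    return line[:m.start()], line[m.start():]


def parse_sophos(line):
    """Map every key=value token in the payload to its unquoted value string."""
    _, payload = split_syslog_header(line)
    fields = {}
    for m in KV_RE.finditer(payload):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    return fields


def would_prematch(line):
    """Emulate <prematch>device_name</prematch>: a plain substring hit anywhere."""
    return "device_name" in line


def decoded_view(fields):
    """The subset the thread's decoders would emit, under their Wazuh field names."""
    return {wazuh: fields[k] for k, wazuh in DECODED_FIELDS.items() if k in fields}


def missing_decoded_fields(fields):
    """Sophos keys the posted decoders expect that this line does not carry."""
    return [k for k in DECODED_FIELDS if k not in fields]


def diff_fields(test_line, real_line):
    """Keys present in only one line, and shared keys whose values differ."""
    a, b = parse_sophos(test_line), parse_sophos(real_line)
    return {
        "only_in_test": sorted(set(a) - set(b)),
        "only_in_real": sorted(set(b) - set(a)),
        "value_changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


if __name__ == "__main__":
    for name, line in (("test", TEST_LINE), ("real", REAL_LINE)):
        print(name, "prematch:", would_prematch(line), decoded_view(parse_sophos(line)))
    print("missing in real:", missing_decoded_fields(parse_sophos(REAL_LINE)))
    print(diff_fields(TEST_LINE, REAL_LINE))
```

To use it against live data, replace `REAL_LINE` with a line the manager actually received (for example from /var/ossec/logs/archives/archives.log after enabling `<logall>yes</logall>` in ossec.conf). Any key listed under `missing_decoded_fields` is a field the posted decoders will silently leave empty, and `only_in_real` shows keys the test line never exercised.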