Good morning,
In my case Wazuh is receiving the logs in /var/log/sophos-xg.log (via rsyslog):
root@wazuh:/var/ossec/ruleset/rules# tail -f /var/log/sophos-xg.log | grep wesley
Dec 6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"
It even generates the events in alerts.json:
root@wazuh:/var/ossec/ruleset/rules# tail -f /var/ossec/logs/alerts/alerts.json | grep wesley
{"timestamp":"2021-12-06T08:49:02.427-0300","rule":{"level":3,"description":"Traffic Allowed: from 10.206.104.43 to 142.251.129.234","id":"70022","firedtimes":1950109,"mail":false,"groups":["sophos-fw"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1638791342.7204340536","full_log":"Dec 6 08:49:00 10.192.206.248 device=\"SFW\" date=2021-12-06 time=08:49:00 timezone=\"-03\" device_name=\"XG310\" device_id=C32078XQ9FK92ED log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=3 nat_rule_id=0 policy_type=2 user_name=\"wesleystaenle\" user_gp=\"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt\" iap=12 ips_policy_id=2 appfilter_policy_id=9 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"LAG_LAN\" in_display_interface=\"LAG_LAN\" out_interface=\"\" out_display_interface=\"\" src_mac=00:1A:30:4C:BC:00 dst_mac=00:E0:20:AC:B5:05 src_ip=10.206.104.43 src_country_code=R1 dst_ip=142.251.129.234 dst_country_code=USA protocol=\"TCP\" src_port=54973 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.192.206.248 tran_dst_port=3128 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2596541440\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0","predecoder":{"timestamp":"Dec 6 
08:49:00","hostname":"10.192.206.248"},"decoder":{"name":"sophos-fw"},"data":{"protocol":"TCP","device":"SFW","date":"2021-12-06","time":"08:49:00","timezone":"-03","appfilter_policy_id":"9","application_risk":"0","appresolvedby":"Signature","connevent":"Start","connid":"2596541440","device_id":"C32078XQ9FK92ED","device_name":"XG310","dst_country_code":"USA","dst_ip":"142.251.129.234","dst_port":"443","dstzone":"WAN","dstzonetype":"WAN","duration":"0","fw_rule_id":"3","hb_health":"No Heartbeat","iap":"12","in_interface":"LAG_LAN","ips_policy_id":"2","log_component":"Firewall Rule","log_id":"010101600001","log_subtype":"Allowed","log_type":"Firewall","name":"XG310","policy_type":"2","priority":"Information","recv_bytes":"0","recv_pkts":"0","sent_bytes":"0","sent_pkts":"0","src_country_code":"R1","src_ip":"10.206.104.43","src_mac":"00:1A:30:4C:BC:00","src_port":"54973","srczone":"LAN","srczonetype":"LAN","sophos_fw_status_msg":"Allow","th":"No Heartbeat","tran_dst_ip":"10.192.206.248","tran_dst_port":"3128","tran_src_port":"0","user_gp":"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt","user_name":"wesleystaenle"},"location":"/var/log/sophos-xg.log"}
The problem is that I only see Firewall events. How could I view admin events, and how do I customize a rule for admin events?