Sophos XG Firewall

Sophos XG Firewall Integration and Logging

Blumira’s modern SIEM platform integrates with Sophos XG Firewalls to detect cybersecurity threats and provide an actionable response to remediate when a threat is detected.

When configured, the Blumira integration with Sophos XG Firewall appliance will stream security event logs to the Blumira service for threat detection and actionable response.

Learn more about enabling Blumira’s Dynamic Block Lists to block malicious source IP addresses and domains for automated threat response.

Related Integration: Sophos Central

Configuring the Syslog Server

This article provides information on how to set up the Sophos XG Firewall to send logs to Blumira’s sensor.

Start by logging into your Sophos XG Firewall and follow these steps:

Go to System Services > Log Settings and click Add to configure a syslog server.

Configure the following log settings:

Name for the syslog server like “BlumiraSensor”
IP Address of the Blumira Sensor.
Port number 514 which will communicate with the Sensor
Leave the default Facility of DAEMON, facility does not impact the Blumira Sensor generally
Select the Severity Level of Informational (you may want to move to Debug in the future, but Informational is a good starting point)
Leave the default Format of Device Standard Format
Click Save to save the new Blumira Sensor syslog server log settings

Sophos documentation on how to add a Syslog server: https://community.sophos.com/kb/en-us/123184

Specifying Logs

Next, specify which Sophos logs get sent to the Blumira sensor:

Go to System Services > Log Settings
Select all checkboxes under Syslog unless there is not a need/license for one.
Ensure that the Log Traffic option is selected in the Firewall Rule is selected, otherwise, traffic will not be logged out.