How to ingest and Process sophos Firewall logs

[brunbrun2]

Dear all,
I'm pretty noob in Security onion and I try to ingest my FW logs.
Ever done:
First move
Configuration of the FW =>OK
It's work when the FW is set as a syslog server in SO but the log are not process.

Second move
Configure the /opt/so/saltstack/local/pillar/minions/<node>.sls files:

filebeat:
  third_party_filebeat:
    modules:
      sophos:
        xg:
          enabled: true
          var.input: udp
          var.default_host_name: <HOSTNAME>
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9005
          var.known_devices:
           - serial_number: <"MYSN">
             hostname: "MY FIREWALL"
firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          log_sources:
            portgroups:
              - portgroups.beats_custom

then so-filebeat-restart without error
Then open port
the command sudo so-firewall listports beats_custom udp give 9005 as a result.
But when I try to compile with sudo salt-call state.apply firewall

there's an error:

local:
Data failed to compile:

Rendering SLS 'base:firewall' failed: Jinja variable 'dict object' has no attribute 'log_sources'

and with the cmd sudo docker exec -i so-filebeat filebeat setup modules -pipelines -modules sophos -c /usr/share/filebeat/module-setup.yml
got Exiting: module sophos is configured but has no enabled filesets

Is anybody ever had this problem?

Thx

[brunbrun2]

Anybody can't help me?
Still have the no enabled fileset problem.
Thx

[brunbrun2]

Brand new server

After restart the procedure, I still have the problem.

Troubleshooting:
salt-call state.highstate: No errors
so-status: All services OK.
tcpdump shows traffic coming to SO on port 9015
but show this message

14:07:45.139272 IP (tos 0x0, ttl 64, id 29288, offset 0, flags [+], proto UDP (17), length 1500)
    gateway.59491 > securityonion2.9015: UDP, bad length 1562 > 1472
14:07:45.181123 IP (tos 0x0, ttl 64, id 29296, offset 0, flags [DF], proto UDP (17), length 1437)
    gateway.59491 > securityonion2.9015: [udp sum ok] UDP, length 1409

so-filebeat-restart: Succeeded:
salt-call state.apply common: Succeeded:
so-filebeat-module-setup: sophosLoaded Ingest pipelines
so-elasticsearch-pipelines-list | grep sophos show the pipelines.

I'm stuck.
Is anyone can help me qith a tips?
maybe it come from the FW configuration .

THX

[Rdago]

log_sources hostgroup seems to be missing.

Add log_sources to /opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml and try again:

 firewall:
  hostgroups:
    log_sources:
      ips:
        delete: []
        insert: [127.0.0.1, X.X.X.X/24]

reference: https://docs.securityonion.net/en/2.3/firewall.html

[brunbrun2]

Thank you, problem solved!!!
haven't note this configuatation in the help note.