[Filebeat] Add sophos XG log samples containing new field names

[piellick]

Here is a bunch of firewall logs from sophos.

Type of change

Enhancement

What does this PR do?

Update firewall logs from sophos XG for testing.

Why is it important?

Related to PR #28932 --> [elastic/beats] [Filebeat] Sophos Module - support for changed field names

[cla-checker-service]

💚 CLA has been signed

[mergify]

This pull request does not have a backport label. Could you fix it @piellick? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-04-10T22:55:34.474+0000

• Duration: 68 min 14 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6200
Skipped	728
Total	6928

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[andrewkroh]

@piellick Thank you. Can you please sign the Contributor License Agreement (CLA). https://www.elastic.co/contributor-agreement

[andrewkroh]

What version of Sophos XG are these logs taken from?

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[piellick]

Hi @andrewkroh

What version of Sophos XG are these logs taken from?
18.5.2-MR2 build 380

@piellick Thank you. Can you please sign the Contributor License Agreement (CLA). https://www.elastic.co/contributor-agreement
Done

In meanwhile, i have found this doc who provide sample logs per log type fro 18.5.X version :
https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf
COuld be very helpfull for you.

[andrewkroh]

Indeed, that is a great resource. Thanks

[efd6]

Thanks for providing these @piellick. It looks like they have been retained in a quoted document (probably as a JSON string). Is that the case?

[piellick]

Thanks for providing these @piellick. It looks like they have been retained in a quoted document (probably as a JSON string). Is that the case?

You right @efd6 it's from an filebeat file output. It's the only source i have.

[efd6]

Great. Thanks for confirming. I will go over it and fix up some of the issues that I noticed if that's OK with you, and generate the expected output so we can merge this.

[efd6]

/test

[efd6]

/test

[efd6]

/test

[andrewkroh]

In elastic/integrations#3127 I incorporated the samples from the reference docs you pointed us to (thanks!). I didn't use the samples here b/c I think the documentation samples gives us good coverage. After the new version is out (#31388) if you still have issues let us know.

I am curious if these samples came from the Sophos Log Viewer or were directly from a device over syslog? The reason I ask is because some of the fields, like victim, are not used in the syslog format (it is target).