
I have set up a rsyslog-server to receive firewall logs from a Sophos XGS4300 over TLS.

The connection is working fine and I am receiving log files from the firewall. BUT in a single (syslog) message (%msg%) I receive many different logs (up to around 20-30) concatenated. That makes processing the logs extremely hard (my goal is to forward the logs to a SIEM). The logs are separated by the delimiter #000<30>.

I have tried to implement some logic to separate the logs but without luck. Does anyone have an idea how I can achieve the separation of my log files? Or does anyone have an idea why I receive concatenated log files from the firewall? For me it does not make any sense that they are concatenated and there is no easy solution to separate them again with rsyslog.

rsyslog config file:

$DebugFile /var/log/rsyslog.debug
$DebugLevel 2
module(load="mmnormalize")
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca/sophos-default.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/bundle.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem"
)

# load TCP listener
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
  type="imtcp"
  port="6514"
)

if ($inputname == "imtcp") then /var/log/rsyslog/sophos.log

Example %msg%:

2024-09-25T10:46:29.312241+00:00 10-1-212-232.ingress-3.ingress.svc.cluster.local 0>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="Port1" out_interface="Port2" src_mac="XXXXXX" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Internal" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="Port1" out_interface="Port2" src_mac="XXXXXX" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Internal" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="Port1" out_interface="Port2" src_mac="XXXXXX" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" 
protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Internal" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="91" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="28" nat_rule_name="XXXXXX" fw_rule_type="USER" web_policy_id=2 ether_type="IPv4 (0x0800)" out_interface="Port2" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="TCP" src_port=57506 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="Port1" out_interface="Port2" src_mac="XXXXXX" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Internal" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" user_name="XXXXXX" user_group="XXXXXX" ether_type="IPv4 
(0x0800)" in_interface="XXXXXX" out_interface="Port2" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="XXXXXX" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="91" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" web_policy_id=2 ether_type="IPv4 (0x0800)" out_interface="Port1" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="TCP" src_port=60124 dst_port=7074 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" out_display_interface="Internal" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" user_name="XXXXXX" user_group="XXXXXX" ether_type="IPv4 (0x0800)" in_interface="tun4" out_interface="Port2" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="tun4" out_display_interface="XXXXXX" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="91" fw_rule_name="XXXXXX" 
fw_rule_section="Local rule" nat_rule_id="28" nat_rule_name="XXXXXX" fw_rule_type="USER" web_policy_id=2 ether_type="IPv4 (0x0800)" out_interface="Port1" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="TCP" src_port=60090 dst_port=7074 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" out_display_interface="Internal" log_occurrence="1"#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" device_serial_id="XXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" fw_rule_name="XXXXXX" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="USER" ether_type="IPv4 (0x0800)" in_interface="Port1" out_interface="Port2" src_mac="XXXXXX" src_ip="XXXXXX" src_country="XXXXXX" dst_ip="XXXXXX" dst_country="XXXXXX" protocol="ICMP" icmp_type=8 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Internal" out_display_interface="XXXXXX" log_occurrence="1"#000<30>....

1 Answer


I am not familiar with Sophos firewalls, but according to the SFOS 18.5 documentation, it supports syslog in RFC 5424 format. While this information is only mentioned for this version, it’s likely that this hasn't changed for newer versions, as RFC 5424 is the latest syslog standard.

Since you haven't defined a template in your rsyslog configuration, rsyslog defaults to processing logs in RFC 3164 format. To ensure rsyslog processes the logs in RFC 5424 format, you can use the built-in template RSYSLOG_SyslogProtocol23Format.

if ($inputname == "imtcp") then {
    action(type="omfile" file="/var/log/rsyslog/sophos.log" template="RSYSLOG_SyslogProtocol23Format")
}

Additionally, it's worth checking whether the Sophos firewall is performing any kind of log batching, where it sends multiple logs in a single syslog frame.
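As an added illustration of the problem in the question and of the batching hypothesis in the answer above (this is editor-supplied example code, not from the original post, the answer, or Sophos), the following Python splits one concatenated %msg% into its individual records and parses each record's key="value" pairs into a dict that a SIEM forwarder can consume. Two observations drive the design: rsyslog's default control-character escaping (`$EscapeControlCharactersOnReceive`, on by default) renders a NUL byte as `#000` (its octal code), and `<30>` is a syslog PRI (facility 3 "daemon", severity 6 "informational"), so the posted delimiter `#000<30>` reads as "NUL terminator of one record, PRI of the next". The splitter therefore keys on `#000<PRI>` with any PRI value, which is more general than the single `<30>` shown on the page. The sample message, field names and values are constructed for the example, modelled on the posted output.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the posted %msg%: three Sophos key="value"
# records glued together with "#000<30>". The leading "0>" reproduces the
# residue seen at the start of the posted message and is harmless to the parser.
SAMPLE_MSG = (
    '0>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" '
    'log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" '
    'ether_type="IPv4 (0x0800)" protocol="ICMP" icmp_type=8 log_occurrence="1"'
    '#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" '
    'log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="91" '
    'nat_rule_id="28" protocol="TCP" src_port=57506 dst_port=443 log_occurrence="1"'
    '#000<30>device_name="SFW" timestamp="2024-09-25T12:46:29+0200" device_model="XGS4300" '
    'log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="112" '
    'ether_type="IPv4 (0x0800)" protocol="ICMP" icmp_type=8 log_occurrence="1"'
    '#000<30>'
)

# Record delimiter: rsyslog's escaped NUL (#000) followed by the next record's
# syslog PRI. The PRI is kept general (1-3 digits) so records sent with other
# facility/severity values still split; the posted sample only shows <30>.
RECORD_DELIM = re.compile(r'#000<(\d{1,3})>')

# One key=value pair. Quoted values may contain spaces, e.g.
# ether_type="IPv4 (0x0800)"; unquoted values (log_version=1) run to whitespace.
KV_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def split_records(msg: str) -> List[str]:
    """Split a concatenated %msg% into its raw per-record strings."""
    parts = RECORD_DELIM.split(msg)
    # With one capture group re.split yields [rec, pri, rec, pri, ...];
    # keep the record chunks and drop the empty tail after a final delimiter.
    records = [p.strip() for p in parts[::2]]
    return [r for r in records if r]


def parse_record(raw: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_PAIR.findall(raw):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_msg(msg: str) -> List[Dict[str, str]]:
    """Split a concatenated message and parse every record."""
    return [parse_record(r) for r in split_records(msg)]


def pri_values(msg: str) -> List[int]:
    """PRI values found at the delimiters; a quick check that framing is as assumed."""
    return [int(p) for p in RECORD_DELIM.findall(msg)]


def pri_facility_severity(pri: int):
    """Decode a syslog PRI into (facility, severity) per RFC 5424 section 6.2.1."""
    return pri // 8, pri % 8


if __name__ == "__main__":
    for rec in parse_msg(SAMPLE_MSG):
        print(rec["log_type"], rec["log_subtype"], rec["fw_rule_id"], rec["protocol"])
    print("PRIs:", pri_values(SAMPLE_MSG), "->", pri_facility_severity(30))
```

Running this on the constructed sample yields three separate records with their own `fw_rule_id`, `protocol` and port fields, which is the shape a SIEM parser expects. The same decoding explains why rsyslog's template choice alone does not separate the records: the firewall appears to terminate each record with a NUL byte rather than the LF that imtcp uses as its frame delimiter, so rsyslog treats the whole TLS read as one message and escapes the NULs to `#000`. imtcp does have a module parameter, `AddtlFrameDelimiter` (an ASCII code, so `0` for NUL), that adds an extra frame delimiter; whether it takes effect on gtls-wrapped streams in the rsyslog version in use is something to verify against that version's documentation before relying on it instead of post-processing like the above.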
