elastic · efd6 · Jan 5, 2022 · Dec 8, 2021 · Dec 8, 2021
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.3"
+  changes:
+    - description: Fix KV splitting and syslog header handling
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2320
 - version: "1.1.2"
   changes:
     - description: Regenerate test files using the new GeoIP database

diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json
diff --git a/packages/sophos/data_stream/utm/sample_event.json b/packages/sophos/data_stream/utm/sample_event.json
@@ -1,163 +1,73 @@
 {
-    "@timestamp": "2016-02-12T13:12:33.000Z",
+    "@timestamp": "2016-01-29T06:09:59.000Z",
     "agent": {
-        "ephemeral_id": "876ca514-e738-4424-9b84-3393dcb3304c",
+        "ephemeral_id": "940686a8-4ed1-415f-bf45-45b7e42b90ef",
         "hostname": "docker-fleet-agent",
-        "id": "a3aa9dd0-f41d-4300-b7d1-4ca3c5046b96",
+        "id": "58328c6f-d43f-44a6-879a-f7e5ff9d9b02",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "7.15.0"
+        "version": "7.16.0"
     },
     "data_stream": {
         "dataset": "sophos.utm",
         "namespace": "ep",
         "type": "logs"
     },
-    "destination": {
-        "address": "ercit2385.internal.home",
-        "ip": [
-            "10.47.202.102"
-        ],
-        "mac": "01:00:5e:de:94:f6",
-        "port": 3920
-    },
     "ecs": {
         "version": "1.12.0"
     },
     "elastic_agent": {
-        "id": "a3aa9dd0-f41d-4300-b7d1-4ca3c5046b96",
-        "snapshot": true,
-        "version": "7.15.0"
+        "id": "58328c6f-d43f-44a6-879a-f7e5ff9d9b02",
+        "snapshot": false,
+        "version": "7.16.0"
     },
     "event": {
-        "action": "block",
         "agent_id_status": "verified",
-        "code": "astarosg_TVM",
+        "code": "smtpd",
         "dataset": "sophos.utm",
-        "ingested": "2021-10-26T10:45:03Z",
+        "ingested": "2021-12-16T04:39:30Z",
         "timezone": "+00:00"
     },
-    "file": {
-        "directory": "emips",
-        "extension": "qui",
-        "name": "numqu",
-        "size": 6992
-    },
-    "group": {
-        "name": "psaquae"
-    },
-    "http": {
-        "request": {
-            "referrer": "https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac"
-        }
+    "host": {
+        "name": "localhost.localdomain"
     },
     "input": {
         "type": "udp"
     },
     "log": {
-        "level": "medium",
         "source": {
-            "address": "172.19.0.4:33633"
+            "address": "192.168.128.4:48831"
         }
     },
     "observer": {
-        "egress": {
-            "interface": {
-                "name": "enp0s7084"
-            }
-        },
-        "ingress": {
-            "interface": {
-                "name": "enp0s7281"
-            }
-        },
         "product": "UTM",
         "type": "Firewall",
-        "vendor": "Sophos",
-        "version": "1.5102"
+        "vendor": "Sophos"
     },
     "process": {
-        "pid": 5716
+        "pid": 905
     },
     "related": {
         "hosts": [
-            "ercit2385.internal.home"
-        ],
-        "ip": [
-            "10.57.170.140",
-            "10.47.202.102"
-        ],
-        "user": [
-            "icistatuscode=giatquov",
-            "sunt",
-            "dexeac"
+            "localhost.localdomain"
         ]
     },
     "rsa": {
-        "db": {
-            "index": "run"
-        },
-        "identity": {
-            "logon_type": "nofdeF"
-        },
         "internal": {
-            "event_desc": "web",
-            "messageid": "astarosg_TVM"
-        },
-        "investigations": {
-            "event_cat": 1901000000,
-            "event_cat_name": "Other.Default"
-        },
-        "misc": {
-            "action": [
-                "ugiatnu",
-                "block"
-            ],
-            "comments": "colabo",
-            "content_type": "sedd",
-            "context": "apariat",
-            "group": "psaquae",
-            "group_object": "molest",
-            "node": "irati",
-            "obj_name": "uiineavocount=tisetq",
-            "obj_type": "upt",
-            "policy_id": "tat",
-            "policy_name": "iscinge",
-            "rule": "ommod",
-            "severity": "medium",
-            "version": "1.5102",
-            "vsys": "inima"
+            "event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.",
+            "messageid": "smtpd"
         },
         "network": {
-            "dinterface": "enp0s7084",
-            "host_dst": "ercit2385.internal.home",
-            "sinterface": "enp0s7281"
+            "alias_host": [
+                "localhost.localdomain"
+            ]
         },
         "time": {
-            "event_time": "2016-02-12T13:12:33.000Z"
-        },
-        "web": {
-            "web_cookie": "quirat"
+            "event_time": "2016-01-29T06:09:59.000Z"
         }
     },
-    "service": {
-        "name": "tlabo"
-    },
-    "source": {
-        "ip": [
-            "10.57.170.140"
-        ],
-        "mac": "01:00:5e:1d:c1:c0",
-        "port": 2289
-    },
     "tags": [
         "sophos-utm",
         "forwarded"
-    ],
-    "url": {
-        "original": "https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu"
-    },
-    "user": {
-        "name": "sunt"
-    }
+    ]
 }
diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log
@@ -87,3 +87,5 @@
 <30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
 <30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
 <30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
+<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.128.3.4 src_country_code=ESP dst_ip=175.16.199.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=216.160.83.57 tran_src_port=0 tran_dst_ip=216.160.83.61 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1