From 6fcc3caa41d3f8dfeb3e0ca0dcaa77cec6c16e0c Mon Sep 17 00:00:00 2001
From: Mikael Bjerkeland <mikael@bjerkeland.com>
Date: Tue, 5 Sep 2023 13:54:57 +0200
Subject: [PATCH] fix : match for Sophos XG Firewall that has device_name=SFW
 instead of device=SFW (#2160)

---
 .../conf.d/conflib/syslog/app-syslog-sophos_firewall_xg.conf   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-sophos_firewall_xg.conf b/package/etc/conf.d/conflib/syslog/app-syslog-sophos_firewall_xg.conf
index c835f6cf9e..c1c32eefa4 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-sophos_firewall_xg.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-sophos_firewall_xg.conf
@@ -121,7 +121,8 @@ block parser app-syslog-sophos_firewall_xg() {
 application app-syslog-sophos_firewall_xg[sc4s-syslog] {
     filter {
         (
-            message("device=\"SFW\"" type(string) flags(substring)) and
+            message("device=\"SFW\"" type(string) flags(substring)) or
+            message("device_name=\"SFW\"" type(string) flags(substring)) and
             message("log_type=" type(string) flags(substring))
         );
     };