Sophos Endpoint is an endpoint protection product that combines antimalware, web and application control, device control and much more. This integration allows you to send logs from your Linux-based Sophos applications to your Logz.io SIEM account.

Before you begin, you’ll need:

  • Sophos Intercept X Endpoint installed
  • Access to the Sophos Central Cloud console
  • Filebeat
  • Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs

Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.

The procedure involves using the Sophos API. Make sure that the config.ini used in the Sophos siem.py script is under format = json (this is the default setting).

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.

Filebeat requires a file extension specified for the log input.

Copy and paste the code block below, overwriting the previous content, to replace the general configuration with the following settings:

#... Filebeat
filebeat.inputs:
- type: filestream
  paths:
    - <<FILE_PATH>>
  fields:
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#... Output
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

If you’re running Filebeat 7 to 8.1, paste the code block below instead:

#... Filebeat
filebeat.inputs:
- type: log
  paths:
    - <<FILE_PATH>>
  fields:
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "type"
       to: "event_type"
    ignore_missing: true
- add_fields:
    target: ''
    fields:
      type: "sophos-ep"
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true
- drop_event:
    when:
      regexp:
        message: "^\\s*$"
#... Output
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Change <<FILE_PATH>> to the output TXT file retrieved from the Sophos siem.py script.

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can search or filter for Sophos logs, under type:sophos-ep.

If you still don’t see your logs, see Filebeat troubleshooting.

Contact support to request custom parsing assistance

The logs will require customized parsing so they can be effectively mapped in Open Search Dashboards.

Email our support to request custom parsing assistance.

Sophos Endpoint is an endpoint protection product that combines antimalware, web and application control, device control and much more. This integration allows you to send logs from your Windows-based Sophos applications to your Logz.io SIEM account.

Before you begin, you’ll need:

  • Sophos Intercept X Endpoint installed
  • Access to the Sophos Central Cloud console
  • Filebeat 7 installed
  • Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs

Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.

The procedure involves using the Sophos API. Make sure that the config.ini used in the Sophos siem.py script is under format = json (this is the default setting).

Download the Logz.io public certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

Download the Logz.io public certificate to C:\ProgramData\Filebeat\Logzio.crt on your machine.

Configure Filebeat

Open the Filebeat configuration file (C:\Program Files\Filebeat\filebeat.yml) with your preferred text editor.

Filebeat requires a file extension specified for the log input.

Copy and paste the code block below, overwriting the previous content, to replace the general configuration with the following settings:

#... Filebeat
filebeat.inputs:
- type: log
  paths:
    - <<FILE_PATH>>
  fields:
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#For version 7 and higher
filebeat.registry.path: 'C:\ProgramData\Filebeat'
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "type"
       to: "event_type"
    ignore_missing: true
- add_fields:
    target: ''
    fields:
      type: "sophos-ep"
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true
- drop_event:
    when:
      regexp:
        message: "^\\s*$"
#... Output
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>"]
    ssl:
      certificate_authorities: ['C:\ProgramData\Filebeat\COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Change <<FILE_PATH>> to the output TXT file retrieved from the Sophos siem.py script.

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can search or filter for Sophos logs, under type:sophos-ep.

If you still don’t see your logs, see Filebeat troubleshooting.

Contact support to request custom parsing assistance

The logs will require customized parsing so they can be effectively mapped in Open Search Dashboards.

Email our support to request custom parsing assistance.