Sophos Endpoint is an endpoint protection product that combines antimalware, web and application control, device control and much more. This integration allows you to send logs from your Linux-based Sophos applications to your Logz.io SIEM account.
Before you begin, you’ll need:
- Sophos Intercept X Endpoint installed
- Access to the Sophos Central Cloud console
- Filebeat
- Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs
Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.
The procedure involves using the Sophos API. Make sure that the config.ini
used in the Sophos siem.py script is under format = json
(this is the default setting).
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
Open the Filebeat configuration file (/etc/filebeat/filebeat.yml
) with your preferred text editor.
Filebeat requires a file extension specified for the log input.
Copy and paste the code block below, overwriting the previous content, to replace the general configuration with the following settings:
#... Filebeat
filebeat.inputs:
- type: filestream
paths:
- <<FILE_PATH>>
fields:
token: <<LOG-SHIPPING-TOKEN>>
fields_under_root: true
json.keys_under_root: true
encoding: utf-8
ignore_older: 3h
#... Output
output:
logstash:
hosts: ["<<LISTENER-HOST>>"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
If you’re running Filebeat 7 to 8.1, paste the code block below instead:
#... Filebeat
filebeat.inputs:
- type: log
paths:
- <<FILE_PATH>>
fields:
token: <<LOG-SHIPPING-TOKEN>>
fields_under_root: true
json.keys_under_root: true
encoding: utf-8
ignore_older: 3h
#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
fields:
- from: "type"
to: "event_type"
ignore_missing: true
- add_fields:
target: ''
fields:
type: "sophos-ep"
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
- drop_event:
when:
regexp:
message: "^\\s*$"
#... Output
output:
logstash:
hosts: ["<<LISTENER-HOST>>"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Replace <<LISTENER-HOST>>
with the host for your region. For example, listener.logz.io
if your account is hosted on AWS US East, or listener-nl.logz.io
if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Replace <<LOG-SHIPPING-TOKEN>>
with the token of the account you want to ship to.
Change <<FILE_PATH>>
to the output TXT file retrieved from the Sophos siem.py script.
One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.
Start Filebeat
Start or restart Filebeat for the changes to take effect.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can search or filter for Sophos logs, under type:sophos-ep
.
If you still don’t see your logs, see Filebeat troubleshooting.
Contact support to request custom parsing assistance
The logs will require customized parsing so they can be effectively mapped in Open Search Dashboards.
Email our support to request custom parsing assistance.
Sophos Endpoint is an endpoint protection product that combines antimalware, web and application control, device control and much more. This integration allows you to send logs from your Windows-based Sophos applications to your Logz.io SIEM account.
Before you begin, you’ll need:
- Sophos Intercept X Endpoint installed
- Access to the Sophos Central Cloud console
- Filebeat 7 installed
- Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs
Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.
The procedure involves using the Sophos API. Make sure that the config.ini
used in the Sophos siem.py script is under format = json
(this is the default setting).
Download the Logz.io public certificate
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
Download the
Logz.io public certificate
to C:\ProgramData\Filebeat\Logzio.crt
on your machine.
Configure Filebeat
Open the Filebeat configuration file (C:\Program Files\Filebeat\filebeat.yml
) with your preferred text editor.
Filebeat requires a file extension specified for the log input.
Copy and paste the code block below, overwriting the previous content, to replace the general configuration with the following settings:
#... Filebeat
filebeat.inputs:
- type: log
paths:
- <<FILE_PATH>>
fields:
token: <<LOG-SHIPPING-TOKEN>>
fields_under_root: true
json.keys_under_root: true
encoding: utf-8
ignore_older: 3h
#For version 7 and higher
filebeat.registry.path: 'C:\ProgramData\Filebeat'
#The following processors are to ensure compatibility with version 7
processors:
- rename:
fields:
- from: "type"
to: "event_type"
ignore_missing: true
- add_fields:
target: ''
fields:
type: "sophos-ep"
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
- drop_event:
when:
regexp:
message: "^\\s*$"
#... Output
output:
logstash:
hosts: ["<<LISTENER-HOST>>"]
ssl:
certificate_authorities: ['C:\ProgramData\Filebeat\COMODORSADomainValidationSecureServerCA.crt']
Replace <<LISTENER-HOST>>
with the host for your region. For example, listener.logz.io
if your account is hosted on AWS US East, or listener-nl.logz.io
if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Replace <<LOG-SHIPPING-TOKEN>>
with the token of the account you want to ship to.
Change <<FILE_PATH>>
to the output TXT file retrieved from the Sophos siem.py script.
One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.
Start Filebeat
Start or restart Filebeat for the changes to take effect.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can search or filter for Sophos logs, under type:sophos-ep
.
If you still don’t see your logs, see Filebeat troubleshooting.
Contact support to request custom parsing assistance
The logs will require customized parsing so they can be effectively mapped in Open Search Dashboards.
Email our support to request custom parsing assistance.