Splunk® Supported Add-ons

Splunk Add-on for Sophos

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure inputs for the Splunk Add-on for Sophos

To configure the inputs for the Splunk Add-on for Sophos, enable the desired stanzas in a local copy of inputs.conf on the forwarder installed on the Sophos Enterprise Console server.

Sophos Endpoint Security application logs

The add-on collects system logs of Sophos Endpoint Security, stored in Windows event logs, using the Splunk Add-on for Windows.

There is nothing to configure in this add-on for these logs.

Sophos Endpoint Security patch logs

The add-on collects Sophos Endpoint Security patching logs using the Splunk Add-on for Windows.

To enable Sophos patch status monitoring, copy the first stanza in %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the [WinEventLog://Sophos Patch] stanza by changing disabled = 1 to disabled = 0.

Sophos Endpoint Console server logs

The add-on collects Sophos Endpoint Console server logs through monitor inputs.

Copy the all the monitor stanzas from %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the desired stanzas by changing disabled = 1 to disabled = 0. In each stanza, replace <SEC_LOG_PATH> with the path of the log files on the Sophos Enterprise Console.

Sophos Endpoint Console Syslog Logs

You can configure these logs to push via syslog over the network using Sophos Report Interface or by monitoring the SEC server log as with the server logs above. If you are monitoring the log files directly, set the source type to sophos:sec.

If you are pushing data via syslog, create an inputs.conf stanza in your syslog collector for these source types:

  • sophos:utm:firewall
  • sophos:utm:ips
  • sophos:utm:ipsec

For example, your stanza for sophos:utm:firewall might look like this. 

  [udp:23514]
  sourcetype=sophos:utm:firewall

If you are monitoring the log files directly, set the source type to sophos:sec.

Note: When collecting syslog, a best practice is to use a 3rd party aggregator (e.g. rsyslog or syslog-ng) for improved fault tolerance and scalability.

Last modified on 20 November, 2020
PREVIOUS
Configure Sophos Enterprise Console to produce syslog data for the Splunk Add-on for Sophos 		  NEXT
Troubleshoot the Splunk Add-on for Sophos

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters