Configure Sophos Enterprise Console to produce syslog data for the Splunk Add-on for Sophos
The Splunk Add-on for Sophos can collect threat and operational event data from a Sophos Enterprise Console server by using a universal forwarder or by receiving the data over syslog. To use syslog over the network, install Sophos Reporting Interface and Sophos Reporting Log Writer on the Sophos Enterprise Console (SEC) server.
Note: This step is not necessary if you want to collect this data locally using a forwarder installed directly on the Sophos Enterprise Console.
Sophos does not log to disk by default. To configure Sophos to log to disk you must install the Sophos Reporting Interface and the Sophos Reporting Log Writer. See http://www.sophos.com/en-us/support/documentation/reporting-log-writer.aspx for more information.
For installation instructions, please refer to the Sophos website.
Install the Splunk Add-on for Sophos
Configure inputs for the Splunk Add-on for Sophos
This documentation applies to the following versions of Splunk® Supported Add-ons: released