Source types for the Splunk Add-on for Sophos
The Splunk Add-on for Sophos provides the index-time and search-time knowledge for Sophos Endpoint Protection. Data can be collected in three ways: from Windows event logs through a forwarder running the Splunk Add-on for Windows, from Sophos Enterprise Console server logs exported through the Sophos Report Interface, and from syslog.
Sophos Endpoint Security application logs
The system logs of Sophos Endpoint Security, stored in Windows event logs. Collect this data using a Splunk Forwarder and Splunk Add-on for Windows.
Sophos Endpoint Security patch logs
The patching logs of Sophos Endpoint Security. Collect this data using a Splunk Forwarder and Splunk Add-on for Windows.
- Source type: WinEventLog:SophosPatch
Sophos Endpoint Console Server Logs
Collect this data using a Splunk Forwarder and the Splunk Add-on for Sophos.
- Source type: sophos:sec (maps to Change Analysis, Malware, Network Traffic)
- Source type: sophos:threats
- Source type: sophos:webdata
- Source type: sophos:firewall (maps to Network Traffic)
- Source type: sophos:AppControl
- Source type: sophos:devicecontrol
- Source type: sophos:tamperprotection (maps to Change Analysis)
- Source type: sophos:datacontrol
- Source type: sophos:computerdata (maps to Malware)
Sophos Endpoint Console Syslog Logs
This data may be indexed via syslog over the network using Sophos Report Interface.
- Source type: sophos:utm:firewall (maps to Network Traffic)
- Source type: sophos:utm:ips (maps to Intrusion Detection)
- Source type: sophos:utm:ipsec (maps to Authentication, Network Sessions)