
Sophos events not "sourcetyped" according to inputs.conf

andresito123
Communicator

Hello to the community!

I am trying to index Sophos events into Splunk, but I am facing a problem. I have set up the XML file of the Sophos Reporting Interface and have all the logs exported to a folder monitored by the Splunk forwarder, but I cannot force the sourcetypes to get mapped according to this article: http://docs.splunk.com/Documentation/AddOns/latest/Sophos/Configureinputs.

I have edited inputs.conf and transforms.conf, but no luck till now. I get the following sourcetypes (sourcetype, event count, share of events):

DefaultCommonEvents-2      7   46.667%
AppControl-too_small       5   33.333%
DefaultThreats-2           2   13.333%
ThreatInstances-too_small  1    6.667%

My inputs.conf:

[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
disabled = 0
sourcetype=sophos:threats

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\Firewall.txt]
disabled = 0
sourcetype=sophos:firewall

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DeviceControl.txt]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DataControl.txt]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata

And props.conf:

[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\WebData.log]
sourcetype = sophos:webdata

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\Firewall.txt]
sourcetype = sophos:firewall

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DeviceControl.txt]
sourcetype = sophos:devicecontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\TamperProtection.log]
sourcetype = sophos:tamperprotection

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DataControl.txt]
sourcetype = sophos:datacontrol

[source::...ComputerData.sophos]
sourcetype = sophos:computerdata

And finally, quoting the relevant part of transforms.conf:

# Force all data to sourcetype, useful under a host:: stanza in props.conf
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec

Can anyone help?

Thanks in advance!

0 Karma
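As an added example, not part of the original post or of the Splunk_TA_sophos add-on: a small Python checker that parses constructed copies of a few stanzas from the inputs.conf and props.conf above and reports where the two files disagree. It flags inputs that are disabled (no new events can arrive, and already-indexed events keep their old sourcetype), monitor paths that no [source::...] stanza matches, [source::...] stanzas that match no monitored file (such as ...ComputerData.sophos against ComputerData.log), sourcetype names that differ only in case (Splunk sourcetype names are case-sensitive, so sophos:AppControl and sophos:appcontrol are two different sourcetypes), and TRANSFORMS- settings, which are applied in the parsing pipeline and therefore take effect only on an indexer or heavy forwarder, not on a universal forwarder. The wildcard handling for source:: stanzas (... matches anything, * matches within one path segment, backslashes are doubled in the stanza name) follows props.conf.spec; the file names, paths and the check() function itself are this example's own, not Splunk's.

```python
# Added example, not from the original thread: cross-check Splunk inputs.conf
# monitor:// stanzas against props.conf [source::...] stanzas before restarting.
import configparser
import re

# Constructed copies of a few stanzas from the configs posted above.
INPUTS_CONF = r"""
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
disabled = 0
sourcetype=sophos:threats

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata
"""

PROPS_CONF = r"""
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol

[source::...ComputerData.sophos]
sourcetype = sophos:computerdata
"""


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (TRANSFORMS-x is not transforms-x)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def source_pattern_to_regex(pattern):
    """Turn a props.conf source:: stanza pattern into a compiled regex.

    In stanza names backslashes are written doubled, '...' matches any
    characters including path separators and '*' matches within one segment.
    """
    pattern = pattern.replace("\\\\", "\\")
    parts = re.split(r"(\.\.\.|\*)", pattern)
    regex = ""
    for part in parts:
        if part == "...":
            regex += ".*"
        elif part == "*":
            regex += r"[^\\/]*"
        else:
            regex += re.escape(part)
    return re.compile(regex)


def check(inputs_text, props_text):
    """Return human-readable findings about inputs.conf / props.conf disagreement."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    findings = []
    sources = {n[len("source::"):]: k for n, k in props.items() if n.startswith("source::")}
    matched = set()

    for name, keys in inputs.items():
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        declared = keys.get("sourcetype")
        if keys.get("disabled", "0").strip().lower() not in ("0", "false"):
            findings.append(f"{path}: input is disabled, no new events will arrive as {declared}")
        hits = [p for p in sources if source_pattern_to_regex(p).fullmatch(path)]
        matched.update(hits)
        if not hits:
            findings.append(f"{path}: no props.conf source:: stanza matches this file")
        for hit in hits:
            st = sources[hit].get("sourcetype")
            if st and declared and st != declared:
                note = " (differs only in case)" if st.lower() == declared.lower() else ""
                findings.append(f"{path}: inputs.conf says {declared}, props.conf says {st}{note}")
            transforms = [k for k in sources[hit] if k.startswith("TRANSFORMS-")]
            if transforms:
                findings.append(f"{path}: {', '.join(transforms)} rewrites the sourcetype at "
                                "parse time; applied only on an indexer or heavy forwarder")

    for pattern in sources:
        if pattern not in matched:
            findings.append(f"source::{pattern}: matches no monitor:// input (typo in the path?)")
    return findings


if __name__ == "__main__":
    for finding in check(INPUTS_CONF, PROPS_CONF):
        print(finding)
```

Against a live instance, feed it the merged view rather than one app's local folder: `splunk btool inputs list --debug` and `splunk btool props list --debug` print every stanza with the file it came from, which is the quickest way to see a second inputs.conf or props.conf overriding the one you edited.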

martin_mueller
SplunkTrust

Some of your inputs are disabled, and old data isn't changeable. Enable the inputs and try again.

0 Karma

martin_mueller
SplunkTrust

So you are getting new data after all? Good.

Where did you configure the props and transforms? It should live on the indexers and heavy forwarders, a universal forwarder won't apply these. Make sure to restart the instance after any changes.

0 Karma

andresito123
Communicator

All of them are on the indexer, on the local folder of the Splunk_TA_sophos app.

0 Karma

martin_mueller
SplunkTrust

Without new data you won't be able to see if your sourcetype configuration is working or not, only new data will use it.

0 Karma

andresito123
Communicator

New data is being forwarded all the time, by the forwarder. But the sourcetypes do not change...

0 Karma

martin_mueller
SplunkTrust

Is any new data coming in?

0 Karma

andresito123
Communicator

Nothing new was indexed.

Forgot to mention that I have two sources for the Sophos add-on:
1. SYSLOG/UDP 514 for Sophos UTM appliances.
2. Sophos Enterprise Console with the Splunk forwarder.

For the first I have set in props.conf:

[source::udp:514]
TRANSFORMS-force_sourcetype = force_sourcetype_for_utm_firewall,force_sourcetype_for_utm_ips,force_sourcetype_for_utm_ipsec,force_sourcetype_for_utm_httpproxy

0 Karma

andresito123
Communicator

Enable everything in inputs.conf even if I don't have such data?

0 Karma