Hi All
I am currently gathering logs from Sophos Enterprise Console 5.1 using the Sophos Reporting Log Writer.
I have installed Splunk_TA_sophos on the Universal Forwarder and Indexer.
Sophos is collecting 2 types of logs - DefaultCommonEvents and DefaultThreats
Based on these types of logs, what are the appropriate sourcetypes that I should apply?
This is from SophosLogWriterConfig file
<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <connection>
    <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
  </connection>
  <noOfDays>7</noOfDays>
  <lagTime>1</lagTime>
  <datafeeds>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DefaultCommonEvents.log</outputFilename>
      </logFile>
      <logFile logType="WindowsLog">
        <logName>DefaultCommonEvents</logName>
      </logFile>
      <call callID="DefaultCommonEvents">
        <dataSource>EventsCommonData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DefaultThreats.log</outputFilename>
      </logFile>
      <call callID="DefaultThreats">
        <dataSource>ThreatEventData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>Threats.config</dataConfigurationFile>
      </call>
    </datafeed>
  </datafeeds>
</SophosDatafeed>
This is from default inputs.conf file
[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype = WinEventLog:SophosPatch

[monitor://<SEC_LOG_PATH>\Threats.log]
disabled = 1
sourcetype = sophos:threats

[monitor://<SEC_LOG_PATH>\WebData.log]
disabled = 1
sourcetype = sophos:webdata

[monitor://<SEC_LOG_PATH>\Firewall*.txt]
disabled = 1
sourcetype = sophos:firewall

[monitor://<SEC_LOG_PATH>\AppControl.log]
disabled = 1
sourcetype = sophos:AppControl

[monitor://<SEC_LOG_PATH>\DeviceControl.txt]
disabled = 1
sourcetype = sophos:devicecontrol

[monitor://<SEC_LOG_PATH>\TamperProtection.log]
disabled = 1
sourcetype = sophos:tamperprotection

[monitor://<SEC_LOG_PATH>\DataControl.txt]
disabled = 1
sourcetype = sophos:datacontrol

[monitor://<SEC_LOG_PATH>\ComputerData.log]
disabled = 1
sourcetype = sophos:computerdata
Could someone advise which sourcetypes are most appropriate for DefaultCommonEvents and DefaultThreats?
After a bit of experimentation, I believe the following should be correct...
The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.
Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.
Sophos LogWriter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophos:commonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)
(no Sophos Log Writer data source) -> sophos:sec (maps to Change Analysis, Malware, Network Traffic)
Complete Inputs.conf located on the Universal Forwarder
[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype = WinEventLog:SophosPatch

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype = sophos:commonevents

[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype = sophos:threats

[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype = sophos:webdata

[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype = sophos:firewall

[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype = sophos:AppControl

[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype = sophos:devicecontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype = sophos:tamperprotection

[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype = sophos:datacontrol

[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype = sophos:computerdata
Complete SophosLogWriterConfig.config file
<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <connection>
    <!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
  </connection>
  <noOfDays>7</noOfDays>
  <lagTime>1</lagTime>
  <datafeeds>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DefaultCommonEvents.log</outputFilename>
      </logFile>
      <logFile logType="WindowsLog">
        <logName>DefaultCommonEvents</logName>
      </logFile>
      <call callID="DefaultCommonEvents">
        <dataSource>EventsCommonData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DefaultThreats.log</outputFilename>
      </logFile>
      <call callID="DefaultThreats">
        <dataSource>ThreatEventData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>Threats.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>AppControl.log</outputFilename>
      </logFile>
      <call callID="ApplicationControl">
        <dataSource>EventsApplicationControlData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DataControl.log</outputFilename>
      </logFile>
      <call callID="DataControl">
        <dataSource>EventsDataControlData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>DataControl.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DeviceControl.log</outputFilename>
      </logFile>
      <call callID="DeviceControl">
        <dataSource>EventsDeviceControlData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>Firewall.log</outputFilename>
      </logFile>
      <call callID="Firewall">
        <dataSource>EventsFirewallData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>Firewall.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>TamperProtection.log</outputFilename>
      </logFile>
      <call callID="TamperProtection">
        <dataSource>EventsTamperProtectionData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>WebData.log</outputFilename>
      </logFile>
      <call callID="WebData">
        <dataSource>EventsWebData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>Web.config</dataConfigurationFile>
      </call>
    </datafeed>
    <datafeed>
      <tick>1000</tick>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>1MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>ComputerData.log</outputFilename>
      </logFile>
      <call callID="ThreatInstances">
        <dataSource>ThreatInstances</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
      </call>
    </datafeed>
  </datafeeds>
</SophosDatafeed>
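The answer above works out a data-source-to-sourcetype mapping by hand and then writes the matching inputs.conf by hand, which is exactly where the two files drift apart (a datafeed added to the Log Writer config with no monitor stanza, a stanza left at disabled = 1, or a sourcetype that does not match the mapping). The script below is an added example written for this thread, not Sophos or Splunk code: it parses the SophosLogWriterConfig.config XML, derives the monitor stanzas the Universal Forwarder should carry from the mapping in the answer, and audits an existing inputs.conf against them. The XML and inputs.conf samples embedded in it are constructed, trimmed copies of the thread's files, and LOG_DIR is a placeholder path; the custom sophos:commonevents sourcetype is the one the answer introduces for EventsCommonData.

```python
"""Cross-check a Sophos Reporting Log Writer config against a Splunk inputs.conf.
Added example for this thread (not Sophos or Splunk code). The mapping table is
the one given in the answer above; the XML and inputs.conf samples are
constructed, trimmed copies of the thread's files; LOG_DIR is a placeholder."""
import configparser
import xml.etree.ElementTree as ET

NS = {"s": "http://www.sophos.com/msys/LogWriterConfig.xsd"}

# Log Writer data source -> Splunk_TA_sophos sourcetype (from the answer).
# EventsCommonData has no sourcetype in the TA, so a custom one is used.
DATASOURCE_TO_SOURCETYPE = {
    "EventsApplicationControlData": "sophos:AppControl",
    "EventsCommonData": "sophos:commonevents",
    "EventsDataControlData": "sophos:datacontrol",
    "EventsDeviceControlData": "sophos:devicecontrol",
    "EventsFirewallData": "sophos:firewall",
    "EventsTamperProtectionData": "sophos:tamperprotection",
    "EventsWebData": "sophos:webdata",
    "ThreatEventData": "sophos:threats",
    "ThreatInstances": "sophos:computerdata",
}

LOG_DIR = r"path\to\Sophos\Reporting Interface\Log Files"  # placeholder path

# Constructed: two datafeeds from the thread's config, other elements trimmed.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <datafeeds>
    <datafeed>
      <logFile logType="LogFile"><outputFilename>DefaultCommonEvents.log</outputFilename></logFile>
      <logFile logType="WindowsLog"><logName>DefaultCommonEvents</logName></logFile>
      <call callID="DefaultCommonEvents"><dataSource>EventsCommonData</dataSource></call>
    </datafeed>
    <datafeed>
      <logFile logType="LogFile"><outputFilename>DefaultThreats.log</outputFilename></logFile>
      <call callID="DefaultThreats"><dataSource>ThreatEventData</dataSource></call>
    </datafeed>
  </datafeeds>
</SophosDatafeed>"""

# Constructed: the DefaultThreats stanza is present but still disabled, and
# there is no stanza at all for DefaultCommonEvents.
SAMPLE_CONF = f"""[WinEventLog://Sophos Patch]
disabled = 0
sourcetype=WinEventLog:SophosPatch

[monitor://{LOG_DIR}\\DefaultThreats.log]
disabled = 1
sourcetype=sophos:threats
"""


def logwriter_outputs(xml_text):
    """Return {outputFilename: dataSource} for every file-backed datafeed.
    WindowsLog outputs are skipped: they are event-log channels, not files."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    outputs = {}
    for feed in root.findall(".//s:datafeed", NS):
        source = feed.find("s:call/s:dataSource", NS)
        for log in feed.findall("s:logFile", NS):
            name = log.find("s:outputFilename", NS)
            if log.get("logType") == "LogFile" and source is not None and name is not None:
                outputs[name.text.strip()] = source.text.strip()
    return outputs


def expected_stanzas(xml_text, log_dir=LOG_DIR):
    """Monitor stanza name -> sourcetype the forwarder should carry.
    Raises KeyError for a data source the mapping table does not cover."""
    stanzas = {}
    for fname, source in logwriter_outputs(xml_text).items():
        sourcetype = DATASOURCE_TO_SOURCETYPE.get(source)
        if sourcetype is None:
            raise KeyError(f"no sourcetype mapped for data source {source}")
        stanzas[f"monitor://{log_dir}\\{fname}"] = sourcetype
    return stanzas


def render_inputs_conf(stanzas):
    """Emit the stanzas in inputs.conf form, all enabled."""
    lines = []
    for name, sourcetype in stanzas.items():
        lines += [f"[{name}]", "disabled = 0", f"sourcetype = {sourcetype}", ""]
    return "\n".join(lines)


def audit_inputs_conf(conf_text, stanzas):
    """List expected stanzas that are missing, disabled, or carry the wrong sourcetype."""
    # Only '=' is a delimiter: sourcetype values such as sophos:threats contain ':'.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(conf_text)
    problems = []
    for name, want in stanzas.items():
        if not parser.has_section(name):
            problems.append(f"missing: {name}")
            continue
        section = parser[name]
        if section.get("disabled", "0").strip() != "0":
            problems.append(f"disabled: {name}")
        got = section.get("sourcetype", "").strip()
        if got != want:
            problems.append(f"wrong sourcetype {got!r} (want {want!r}): {name}")
    return problems


if __name__ == "__main__":
    wanted = expected_stanzas(SAMPLE_XML)
    print(render_inputs_conf(wanted))
    for problem in audit_inputs_conf(SAMPLE_CONF, wanted):
        print("PROBLEM:", problem)
```

Run it against the real SophosLogWriterConfig.config and the forwarder's local/inputs.conf by reading both files into `expected_stanzas` and `audit_inputs_conf`; a non-empty problem list means the Log Writer is producing a file that Splunk is not indexing, or is indexing under a sourcetype the TA's CIM mappings will not recognise.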
Hope you have seen these docs: http://downloads.sophos.com/readmes/srlw_51_rneng.html and http://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise . If you have pulled the files to the server where Splunk UF and TA is installed, I would configure the local/inputs.conf with all the above enabled and point to your files as appropriate in dev, and adjust/change as needed. We generally look at threat data.
Hi @lakshman239, thanks for your reply.
I have followed the instructions in both the linked documents.
What is not clear to me is how LogWriter data sources match to the Splunk_TA_sophos sourcetypes.
Based on the below data I'd assume that DefaultThreats maps to sophos:threats, but I have no idea what would be appropriate for DefaultCommonEvents.
Sophos LogWriter data sources
A. EventsApplicationControlData
B. EventsCommonData
C. EventsDataControlData
D. EventsDeviceControlData (added new data fields)
E. EventsFirewallData
F. EventsTamperProtectionData
G. EventsWebData (added new data fields)
H. ThreatEventData
I. ThreatInstances
Splunk_TA_sophos sourcetypes
A. sophos:sec (maps to Change Analysis, Malware, Network Traffic)
B. sophos:threats
C. sophos:webdata
D. sophos:firewall (maps to Network Traffic)
E. sophos:AppControl
F. sophos:devicecontrol
G. sophos:tamperprotection (maps to Change Analysis)
H. sophos:datacontrol
I. sophos:computerdata (maps to Malware)