The following worked for me: install LogWriter and run it under an account that has privileges to read SEC. The config below pulls selected events from Sophos's predefined views and exports them to a folder that is configured as a CIFS share, from where Splunk can pull them. I am not aware of Sophos being able to send syslog, as one of the comments here mentions:
SophosLogWriterConfig.xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Sophos LogWriter datafeed configuration.
     Reads selected event views from the Sophos SQL database (see <connection>) and
     writes them as rolling text log files (see <logFile>) that a log collector such as
     Splunk reads from the shared output folder. -->
<!-- NOTE(review): the xmlns value below is a placeholder left by the author; replace it
     with the namespace URI given in the LogWriter manual. The URI is only an identifier
     and need not resolve, but it must match exactly or the elements may not be
     recognised by LogWriter. -->
<SophosDatafeed xmlns="ADDtheURLfromManualHereIhavelowKarmaToAddLinks">
<connection>
<!-- SQL Server connection string. Integrated Security=SSPI authenticates as the Windows
     account the LogWriter service runs under, so no password is stored in this file;
     that account only needs read access to the Sophos database. Persist Security
     Info=False stops security-sensitive parts of the string being retained once the
     connection is open. Initial Catalog is the database name and Data Source the SQL
     host; both are site-specific values to be replaced. -->
<connectionString>
Integrated Security=SSPI;
Persist Security Info=False;
Initial Catalog=SOPHOS52;
Data Source=sophosHost.domain.suffix
</connectionString>
<!-- Query timeout for each call; presumably seconds, confirm against the manual. -->
<commandTimeout>
120
</commandTimeout>
</connection>
<!-- presumably the history window to pull and how far behind "now" to stay, in days;
     confirm against the manual -->
<noOfDays>10</noOfDays>
<lagTime>1</lagTime>
<datafeeds>
<!-- 1 feed per logfile-->
<!-- NOTE(review): values below are kept byte for byte, including surrounding spaces;
     the author reports LogWriter being sensitive to whitespace in outputFilename, so
     check other values too if a setting is not picked up. -->
<datafeed>
<!-- Poll time in seconds -->
<tick> 60 </tick>
<!-- prepend each line with a timestamp -->
<applyLogFormat> 1 </applyLogFormat>
<logFile logType="LogFile">
<!-- Splunk to read only file that ends with a digit -->
<!-- Files without suffix will be a live write -->
<!-- Splunk has to read the 1MB file before it rolls over; with only 1 backup file,
     events are lost if the collector polls less often than the file fills -->
<noOfBackupFiles> 1 </noOfBackupFiles>
<fileSize>1Mb</fileSize>
<!-- this folder has to be available to Splunk for reading i.e. shared.
     Grant the collector's account read-only access on the share; only the
     LogWriter service account needs write access to this folder. -->
<outputLocation>C:\FolderNameForSophosLogs\</outputLocation>
<!-- a space before the name caused issue for me so leave none-->
<outputFilename>sophosLogFile.log</outputFilename>
</logFile>
<!-- several calls can be made per 1 log file, 1 per table -->
<!-- each call needs a unique tracking ID-->
<!-- THREATS -->
<call callID="DefaultThreats">
<!-- defined data source/table name -->
<dataSource>ThreatEventData</dataSource>
<!-- can specify exactly which fields to collect; the relative path is presumably
     resolved against the LogWriter install/working directory, confirm -->
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<!-- config for this call -->
<dataConfigurationFile>Threats.config</dataConfigurationFile>
</call>
<!-- THREAT INSTANCES -->
<call callID="DefaultInstances">
<!-- defined data source/table name -->
<dataSource>ThreatInstances</dataSource>
<!-- can specify exactly which fields to collect -->
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<!-- config for this call -->
<dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
</call>
<!-- FIREWALL EVENTS -->
<call callID="DefaultFirewallEvents">
<!-- defined data source/table name -->
<dataSource>EventsFirewallData</dataSource>
<!-- can specify exactly which fields to collect -->
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<!-- config for this call -->
<dataConfigurationFile>Firewall.config</dataConfigurationFile>
</call>
<!-- STANDARD EVENTS -->
<call callID="DefaultCommonEvents">
<!-- defined data source/table name -->
<dataSource>EventsCommonData</dataSource>
<!-- can specify exactly which fields to collect -->
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<!-- config for this call -->
<dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
</call> </datafeed>
</datafeeds>
</SophosDatafeed>