I've been using the previous, now deprecated, Sophos App for Splunk and have seen the pages for the two new apps. Because the previous version only involved 1 app, it was easy to install and contained documentation for setup. Is there any additional complexity with the new apps? Where are the app and add-on supposed to be installed? Is there any documentation provided for setup?
Thanks in advance!
In a distributed deployment, install the Splunk Add-on for Sophos to your search heads, indexers, and forwarders.
Refer to the document below for detailed information on the Splunk Add-on for Sophos:
Go through all the topics on the left side, like Overview, Installation, Configuration, etc.
Thanks for the reply. Unfortunately, this is not the version I was asking about, so my apologies for not being clear. Below are the links for the app & add-on in question:
The deprecated version in question was: https://splunkbase.splunk.com/app/3612/
The app should be configured on the search head, and the add-on, which will do your API calls for data inputs, could be on the search head as well, unless you are using Splunk Cloud. Then you should have a separate box for the add-on, ideally an HF.
I'm not cloud, but I do run over 150 UFs with a deployment manager. I wasn't sure if I needed to install this on all my UFs (endpoints) or if this is unwarranted since it's just querying Sophos for the info.
I don't believe so. You should be able to install it on your search head and configure the add-on/data inputs there (as long as you're not in a clustered search head environment).
Hi, we are in the same situation. I have Sophos Central, I have installed the add-on and the Sophos App, and I have configured the add-on's inputs with the API info. Are there any other settings I need to set up to get this to work?