I'm trying to get the Splunk Add-on for Sophos to work with CIM.
The inputs are working fine as the following is returning a result
sourcetype="sophos:threats"
With the tags:
application, endpoint, error
There are several events with the ThreatType=Viruses/spyware
e.g. (sanitised):
InsertedAt=2015-09-02 11:11:47; EventID=1000478; EventTime=2015-09-02 11:11:45; ActionTakenID=116; ActionTaken=Blocked; UserName=xxx; ScannerTypeID=200; ScannerType=Unknown; StatusID=300; Status=Cleanable; ThreatTypeID=1; ThreatType=Viruses/spyware; ThreatName=Mal/Generic-S; FullFilePath=xxx; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x
However, none of the events returned are tagged as 'malware' (including the Eicar test string). As a result, CIM validation-Malware does not pick anything up.
Thanks in advance.
In order to tag the events to 'Malware', the add-on looks at the EventType field (not to be confused with the Splunk eventtype). If it is set to EventType="Viruses/spyware" then the tagging happens. Quick workaround for you is to define the tag and eventtypes in eventtypes.conf and tag.conf files. In the meantime, would you please let us know what version of Sophos you are using? Curious why you do not have an EventType field in the raw data.
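A constructed example of that workaround (not the add-on's own configuration or the answer's code), keyed on the ThreatType field that does appear in the asker's sample event; the eventtype name is assumed, and both tags are set because the CIM Malware data model matches on tag=malware together with tag=attack:

```ini
# eventtypes.conf (constructed example, stanza name is assumed)
# Match the threat events the Sophos Log Writer emits without an EventType
# field, using the ThreatType value from the sample event instead.
[sophos_threat_malware_workaround]
search = sourcetype="sophos:threats" ThreatType="Viruses/spyware"

# tag.conf (constructed example)
# The CIM Malware data model (Malware_Attacks) requires both tags,
# so tagging only 'malware' would still leave CIM validation empty.
[eventtype=sophos_threat_malware_workaround]
malware = enabled
attack = enabled
```

Put both files in the local/ directory of the add-on (or a separate app) and confirm with a search such as sourcetype="sophos:threats" tag=malware tag=attack that the Eicar test detections now appear.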
@ehaddad,
Makes sense, thanks for that.
The reason why it's not logging is that the log being fed into Splunk is the Sophos Log Writer 'DefaultThreats' log, where EventType is not being logged.
I'm not using the Splunk forwarder; that's another story. The logs are coming from the Sophos Log Writer:
http://docs.splunk.com/Documentation/AddOns/latest/Sophos/ConfigureSophosEnterprise
The versions of the apps are Sophos Enterprise Console v5.2.1R2 and Sophos Log Writer 5.1.
The next challenge is to configure the Sophos Log Writer to log data that can be used for Splunk.