Hello to the community!
I am trying to index Sophos events into Splunk but I am facing a problem. I have set up the XML file of the Sophos Reporting Interface and have all the logs exported to a folder monitored by the Splunk forwarder, but I cannot force the sourcetypes to get mapped according to this article: http://docs.splunk.com/Documentation/AddOns/latest/Sophos/Configureinputs.
I have edited inputs.conf and transforms.conf but no luck so far. I get these sourcetypes:
sourcetype                  count   percent
DefaultCommonEvents-2       7       46.667%
AppControl-too_small        5       33.333%
DefaultThreats-2            2       13.333%
ThreatInstances-too_small   1        6.667%
My inputs.conf:
[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
disabled = 0
sourcetype=sophos:threats
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\Firewall.txt]
disabled = 0
sourcetype=sophos:firewall
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DeviceControl.txt]
disabled = 0
sourcetype=sophos:devicecontrol
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DataControl.txt]
disabled = 0
sourcetype=sophos:datacontrol
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata
And props.conf:
[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\WebData.log]
sourcetype = sophos:webdata
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\Firewall.txt]
sourcetype = sophos:firewall
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DeviceControl.txt]
sourcetype = sophos:devicecontrol
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\TamperProtection.log]
sourcetype = sophos:tamperprotection
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DataControl.txt]
sourcetype = sophos:datacontrol
[source::...ComputerData.sophos]
sourcetype = sophos:computerdata
And finally, quoting the relevant part of transforms.conf:
# Force all data to sourcetype, useful under a host:: stanza in props.conf
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec
Can anyone help?
Thanks in advance!
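To see why `[source::...]` stanzas like the ones above can fail to claim the monitored files, here is an added Python example (not part of the original post and not Splunk's own code). It models a props.conf source:: stanza name as a regular expression applied to the whole source path, with the Splunk wildcards `...` and `*` rewritten first, and it models the `MetaData:Sourcetype` rewrite that a `TRANSFORMS-force_sourcetype` stanza such as `all_sourcetype_sec` performs. The matching rules are my simplification of Splunk's behaviour, and the sample paths, the "fixed" stanza variants and the sample event are constructed from the thread.

```python
import re

# Translate a props.conf [source::...] stanza name into a Python regex.
# Assumption (this is a model of Splunk's matching, not Splunk's parser):
# '...' matches any run of characters including directory separators,
# '*' matches any run without separators, and everything else is ordinary
# regex syntax. That last point is why '(' and ')' inside a Windows path
# have to be written as '\(' and '\)', while '\\' is correct for a backslash.
def stanza_to_regex(pattern: str) -> re.Pattern:
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^/\\]*")
            i += 1
        else:
            parts.append(pattern[i])
            i += 1
    return re.compile("".join(parts))


def matching_stanzas(source: str, stanza_patterns):
    """Return the stanza patterns that match the whole source path."""
    return [p for p in stanza_patterns if stanza_to_regex(p).fullmatch(source)]


def apply_force_transform(event: str, current_sourcetype: str,
                          regex: str, fmt: str) -> str:
    """Model one transforms.conf stanza with DEST_KEY = MetaData:Sourcetype.

    If REGEX matches the raw event, FORMAT 'sourcetype::<name>' replaces the
    current sourcetype; otherwise the event keeps the sourcetype it had.
    With REGEX = (.) every non-empty event is rewritten, hence "force".
    """
    if re.search(regex, event) is None:
        return current_sourcetype
    prefix = "sourcetype::"
    if not fmt.startswith(prefix):
        raise ValueError("FORMAT for MetaData:Sourcetype must be sourcetype::<name>")
    return fmt[len(prefix):]


# Constructed sample data: source paths as the forwarder reports them
# (single backslashes) for three of the monitored files.
LOG_DIR = r"C:\Program Files (x86)\Sophos\Reporting Interface\Log Files"
SOURCES = {name: LOG_DIR + "\\" + name
           for name in ("ThreatInstances.log", "AppControl.log", "ComputerData.log")}

# Stanza names in the shape posted in the thread.
POSTED_STANZAS = [
    r"C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log",
    r"C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log",
    r"...ComputerData.sophos",
]

# The same stanzas with the parentheses escaped, or the prefix replaced by
# the '...' wildcard, and the ComputerData extension matching the .log input.
FIXED_STANZAS = [
    r"C:\\Program Files \(x86\)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log",
    r"...\\Log Files\\AppControl.log",
    r"...\\Log Files\\ComputerData.log",
]


def report(stanzas):
    """Map each monitored file name to the stanza(s) that claim it, or None."""
    return {name: (matching_stanzas(path, stanzas) or None)
            for name, path in SOURCES.items()}


if __name__ == "__main__":
    for label, stanzas in (("as posted", POSTED_STANZAS),
                           ("parentheses escaped", FIXED_STANZAS)):
        print(f"--- {label}")
        for name, hit in report(stanzas).items():
            print(f"{name:22s} -> {hit[0] if hit else 'NO MATCH'}")
    # The force transform rewrites whatever sourcetype the event arrived with.
    print(apply_force_transform("sample Sophos event text", "AppControl-too_small",
                                "(.)", "sourcetype::sophos:sec"))
```

Under this model the posted stanza names are not literal paths: `(x86)` is a regex group that matches the three characters `x86`, so the stanza would match a directory called `Program Files x86` and never the real `Program Files (x86)`, while the doubled backslashes are correct as posted. Writing `\(x86\)`, or sidestepping the prefix entirely with `...\\Log Files\\AppControl.log`, makes the stanza match. Two separate points worth checking against the configs above: `[source::...ComputerData.sophos]` cannot match a file the input monitors as `ComputerData.log`, and sourcetype values are compared as plain strings, so `sophos:AppControl` in inputs.conf and `sophos:appcontrol` in props.conf are two different sourcetypes. On a real indexer, confirm which stanza is actually in effect with `splunk btool props list --debug` rather than trusting the model.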
Some of your inputs are disabled, and old data isn't changeable. Enable the inputs and try again.
So you are getting new data after all? Good.
Where did you configure the props and transforms? They should live on the indexers and heavy forwarders; a universal forwarder won't apply these. Make sure to restart the instance after any changes.
All of them are on the indexer, on the local folder of the Splunk_TA_sophos app.
Without new data you won't be able to see if your sourcetype configuration is working or not; only new data will use it.
New data is being forwarded all the time, by the forwarder. But the sourcetypes do not change...
Is any new data coming in?
Nothing new was indexed.
Forgot to mention that I have two sources for the Sophos add-on:
1. SYSLOG/UDP 514 for Sophos UTM appliances.
2. Sophos Enterprise Console with Splunk forwarder.
For the first I have set in props.conf:
[source::udp:514]
TRANSFORMS-force_sourcetype = force_sourcetype_for_utm_firewall,force_sourcetype_for_utm_ips,force_sourcetype_for_utm_ipsec,force_sourcetype_for_utm_httpproxy
Enable everything in inputs.conf even if I don't have such data?