
Sophos events not "sourcetyped" according to inputs.conf

Communicator

Hello to the community!

I am trying to index Sophos events into Splunk but I am facing a problem. I have set up the XML file of the Sophos Reporting Interface, I have all the logs exported to a folder monitored by Splunk forwarder, but I cannot force the sourcetypes to get mapped according to this article: http://docs.splunk.com/Documentation/AddOns/latest/Sophos/Configureinputs.

I have edited inputs.conf and transforms.conf but no luck till now. I get the sourcetypes of:
sourcetype                   count   percent
DefaultCommonEvents-2        7       46.667%
AppControl-too_small         5       33.333%
DefaultThreats-2             2       13.333%
ThreatInstances-too_small    1        6.667%

My inputs.conf:

[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
disabled = 0
sourcetype=sophos:threats

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\Firewall.txt]
disabled = 0
sourcetype=sophos:firewall

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DeviceControl.txt]
disabled = 0
sourcetype=sophos:devicecontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DataControl.txt]
disabled = 0
sourcetype=sophos:datacontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata

And props.conf:

[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\WebData.log]
sourcetype = sophos:webdata

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\Firewall.txt]
sourcetype = sophos:firewall

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DeviceControl.txt]
sourcetype = sophos:devicecontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\TamperProtection.log]
sourcetype = sophos:tamperprotection

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DataControl.txt]
sourcetype = sophos:datacontrol

[source::...ComputerData.sophos]
sourcetype = sophos:computerdata

And finally quoting relevant path of transforms.conf:

# Force all data to sourcetype, useful under a host:: stanza in props.conf
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec

Can anyone help?

Thanks in advance!

0 Karma
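As an added example (not code from this thread, from Splunk, or from the Splunk_TA_sophos add-on), here is a small Python checker that parses the three .conf fragments quoted in the question and reports the conditions a reviewer would look at first: inputs that are disabled, inputs that reach Splunk with no sourcetype (the auto-classifier then invents names such as `<file>-N` or `<file>-too_small`, which is exactly what the sourcetype counts above show), a source whose sourcetype in inputs.conf differs from the one props.conf assigns, a `TRANSFORMS-` class that names a transform absent from transforms.conf, and a `host::` stanza whose transform rewrites `MetaData:Sourcetype` with a match-anything REGEX, which re-types every event from that host except sources whose own `source::` stanza sets the same `TRANSFORMS-<class>` name (props.conf precedence is source, then host, then sourcetype). Two practical caveats the checker cannot see: inputs.conf must be on the forwarder that reads the files, while props.conf and transforms.conf take effect on the parsing tier (indexer or heavy forwarder), and a restart is needed after changing them. The sample stanzas are abridged from the question; the DefaultCommonEvents.log monitor stanza is constructed to show an input with no sourcetype, and `parse_conf`, `audit` and the finding names are this example's own.

```python
"""Cross-check Splunk inputs.conf, props.conf and transforms.conf for sourcetype conflicts.
Added example, not part of Splunk or the Splunk_TA_sophos add-on.  Sample stanzas are
abridged from the question; the DefaultCommonEvents.log stanza is constructed."""

LOGDIR = r"C:\Program Files (x86)\Sophos\Reporting Interface\Log Files"
PROPS_LOGDIR = LOGDIR.replace("\\", "\\\\")  # props.conf source:: stanzas escape backslashes

INPUTS_CONF = rf"""
[monitor://{LOGDIR}\ThreatInstances.log]
disabled = 0
sourcetype=sophos:threats

[monitor://{LOGDIR}\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl

[monitor://{LOGDIR}\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata

# constructed: no sourcetype, so Splunk's auto-classifier names it ('<file>-N' / '<file>-too_small')
[monitor://{LOGDIR}\DefaultCommonEvents.log]
disabled = 0
"""

PROPS_CONF = rf"""
[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::{PROPS_LOGDIR}\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::{PROPS_LOGDIR}\\AppControl.log]
sourcetype = sophos:appcontrol

[source::udp:514]
TRANSFORMS-force_sourcetype = force_sourcetype_for_utm_firewall, force_sourcetype_for_utm_ips
"""

TRANSFORMS_CONF = """
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec
"""

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit(inputs_text, props_text, transforms_text):
    """Return finding tuples; element 0 names the check that fired."""
    inputs, props = parse_conf(inputs_text), parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    sources = {n[len("monitor://"):]: kv for n, kv in inputs.items() if n.startswith("monitor://")}
    disabled = {p for p, kv in sources.items() if kv.get("disabled", "0").lower() in ("1", "true")}
    # source:: stanzas with the doubled backslashes undone so they compare to monitor paths
    psrc = {n[len("source::"):].replace("\\\\", "\\"): kv
            for n, kv in props.items() if n.startswith("source::")}
    findings = []
    for path, kv in sources.items():
        if path in disabled:                      # disabled inputs send nothing to re-type
            findings.append(("disabled_input", path))
        elif not kv.get("sourcetype"):            # left to the auto-classifier
            findings.append(("no_sourcetype", path))
    for path, kv in psrc.items():                 # inputs.conf and props.conf disagree on the name
        if path in sources and "sourcetype" in kv and kv["sourcetype"] != sources[path].get("sourcetype"):
            findings.append(("sourcetype_differs", path, sources[path].get("sourcetype"), kv["sourcetype"]))
    for name, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in (t.strip() for t in value.split(",")):
                t = transforms.get(tname)
                if t is None:                     # referenced but not defined in transforms.conf
                    findings.append(("missing_transform", name, tname))
                elif name.startswith("host::") and t.get("DEST_KEY") == "MetaData:Sourcetype" \
                        and t.get("REGEX") in ("(.)", ".", "(.*)", ".*"):
                    # A match-anything sourcetype rewrite on a host:: stanza re-types every event
                    # from that host; only a source:: stanza that sets the same TRANSFORMS-<class>
                    # takes precedence over it (props.conf: source > host > sourcetype).
                    overridden = {p for p, pk in psrc.items() if key in pk}
                    affected = tuple(sorted(p for p in sources if p not in (overridden | disabled)))
                    findings.append(("host_forces_sourcetype", name[len("host::"):], t.get("FORMAT"), affected))
    return findings

if __name__ == "__main__":
    print(*audit(INPUTS_CONF, PROPS_CONF, TRANSFORMS_CONF), sep="\n")
```

Run it against the real files from `$SPLUNK_HOME/etc/apps/Splunk_TA_sophos/local/` on each tier (the forwarder's inputs.conf, the indexer's props.conf and transforms.conf) rather than the abridged samples; `splunk btool props list --debug` is the authoritative way to see which stanza wins once the layered configs are merged.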

SplunkTrust

Some of your inputs are disabled, and old data isn't changeable. Enable the inputs and try again.

0 Karma

SplunkTrust

So you are getting new data after all? Good.

Where did you configure the props and transforms? They should live on the indexers and heavy forwarders; a universal forwarder won't apply them. Make sure to restart the instance after any changes.

0 Karma

Communicator

All of them are on the indexer, on the local folder of the Splunk_TA_sophos app.

0 Karma

SplunkTrust

Without new data you won't be able to see if your sourcetype configuration is working or not, only new data will use it.

0 Karma

Communicator

New data is being forwarded all the time, by the forwarder. But the sourcetypes do not change...

0 Karma

SplunkTrust

Is any new data coming in?

0 Karma

Communicator

Nothing new was indexed.

Forgot to mention that I have two sources for the Sophos add-on:
1. SYSLOG/UDP 514 for Sophos UTM appliances.
2. Sophos Enterprise Console with Splunk forwarder.

For the first I have set on props.conf:

[source::udp:514]
TRANSFORMS-force_sourcetype = force_sourcetype_for_utm_firewall,force_sourcetype_for_utm_ips,force_sourcetype_for_utm_ipsec,force_sourcetype_for_utm_httpproxy

0 Karma

Communicator

Enable everything in inputs.conf even if I don't have such data?

0 Karma