
What app is this TA for?

pbalsley
Path Finder

I downloaded this TA app and it is setting the source type for Sophos. But what Splunk app uses those source types that I should also download?

thanks,

0 Karma

BlueSocket
Communicator

Hi,

From the documentation, I see that the TA is a standalone app that can be used with the Sophos UTM App for Splunk and the CIM (Common Information Model) to then report upon.

Does this help?

Kindest regards,

BlueSocket

0 Karma

pbalsley
Path Finder

Thank you for your response. This is one of those times where different people have created apps for the same thing and it's difficult to figure out which is the right one to use.

There are a few Sophos apps, but the three I'm looking at all seem to be separate, with no relation to each other. Hence my question.

Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575) is a TA that simply takes in syslog and changes the sourcetype, but does nothing more than that. It does not set any extractions or key-value pairs. So it looks like it is to be used with another app, but it does not document which one.

TA for Sophos UTM (https://splunkbase.splunk.com/app/3341) is a TA that does a bit more: it sets the sourcetype, some key-value pairs, CIM tags, etc. This hints that it would work with the Splunk Security app ($$), but again it does not directly state which one.

Splunk for SophosUTM (https://splunkbase.splunk.com/app/3280/) is its own app, with searches and dashboards, but its sourcetype transform seemed very simple, and I thus wasn't sure if it needed a TA.

None of these seem to be related, at least directly.

I was hoping the author of this app (Sophos UTM Syslog App) would be able to shed some light on what his plans were. 🙂

At the end of the day, I have both XG firewalls and UTM firewalls sending syslog to Splunk. I'm trying to find a good TA or app to parse the data so it is usable, etc.

I may just need to load each and play around with them.

thanks!

0 Karma

BlueSocket
Communicator

Hi,

Splunkbase is a great place to get something that will work, but it is often the case that the use case the author is creating for is different to what the downloader is expecting, so sucking it and seeing is often the approach that is required.

Yes, that is what I would do; however, to make sure that you don't roast your system, I would suggest using a dev environment, setting one up there and seeing what it does.

I would be really interested to know how you get on.

Blessings,

BlueSocket

0 Karma

pbalsley
Path Finder

I used this TA (Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575)) as it seemed to have the best transforms for the firewall types. But I had to heavily modify it as well. I removed the index references and updated props.conf, as it referred to stanzas that did not exist in transforms.conf. But it is now correctly finding my Sophos UTM and XG firewall syslog data.

I'll have to build my own searches and dashboards however.

0 Karma
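The problem described in the last post (props.conf pointing at TRANSFORMS-/REPORT- stanzas that do not exist in transforms.conf) is easy to catch before deploying an add-on, because Splunk silently ignores a dangling reference and the events just never get their sourcetype or field extractions. The following checker is an added example, not code from the Sophos UTM Syslog App or any other Splunkbase app; the embedded props.conf and transforms.conf snippets are constructed for illustration, and the stanza names and regexes in them (set_sophos_utm, sophos_xg_kv, the ulogd and device="SFW" patterns) are made up rather than copied from any real add-on.

```python
"""Check that every TRANSFORMS-/REPORT- reference in a Splunk props.conf
points at a stanza that actually exists in transforms.conf.

Constructed example: the sample configs below are NOT from any Splunkbase app.
"""
import re
from typing import Dict, List, Set

# Constructed props.conf: two sourcetype-setting transforms on a UDP input,
# plus field-extraction REPORTs per sourcetype. 'sophos_xg_extra' is
# deliberately left undefined in transforms.conf to show the failure.
SAMPLE_PROPS = """
[source::udp:514]
TRANSFORMS-sophos = set_sophos_utm, set_sophos_xg

[sophos:utm]
REPORT-kv = sophos_utm_kv
SHOULD_LINEMERGE = false

[sophos:xg]
REPORT-kv = sophos_xg_kv, sophos_xg_extra
"""

# Constructed transforms.conf; the regexes are placeholders, not real parsers.
SAMPLE_TRANSFORMS = """
[set_sophos_utm]
REGEX = ^\\S+\\s+\\S+\\s+ulogd\\[\\d+\\]:
FORMAT = sourcetype::sophos:utm
DEST_KEY = MetaData:Sourcetype

[set_sophos_xg]
REGEX = device="SFW"
FORMAT = sourcetype::sophos:xg
DEST_KEY = MetaData:Sourcetype

[sophos_utm_kv]
REGEX = (\\w+)="([^"]*)"
FORMAT = $1::$2

[sophos_xg_kv]
REGEX = (\\w+)=(\\S+)
FORMAT = $1::$2
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KEY_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf parser: stanza name -> {key: value}.

    Skips blank lines and '#' comments; good enough for the reference check,
    not a full replacement for Splunk's own conf layering (btool).
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1).strip()] = m.group(2).strip()
    return stanzas


def find_dangling_references(props_text: str, transforms_text: str) -> List[str]:
    """Return one message per TRANSFORMS-/REPORT- entry in props.conf whose
    comma-separated stanza names are missing from transforms.conf."""
    props = parse_conf(props_text)
    defined: Set[str] = set(parse_conf(transforms_text))
    problems: List[str] = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not (key.startswith("TRANSFORMS-") or key.startswith("REPORT-")):
                continue
            for ref in (v.strip() for v in value.split(",")):
                if ref and ref not in defined:
                    problems.append(
                        f"[{stanza}] {key} -> '{ref}' not in transforms.conf")
    return problems


if __name__ == "__main__":
    # With the constructed samples this reports exactly the one missing stanza.
    for msg in find_dangling_references(SAMPLE_PROPS, SAMPLE_TRANSFORMS) or ["no dangling references"]:
        print(msg)
```

To run it against a downloaded add-on, read the app's `default/props.conf` and `default/transforms.conf` from disk and pass their contents to `find_dangling_references`; any line it prints is a stanza you either need to add to transforms.conf or remove from props.conf before the extractions will do anything.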