
What app is this TA for?

pbalsley
Path Finder

I downloaded this TA app and it is setting the source type for Sophos. But what Splunk app uses those source types that I should also download?

thanks,

0 Karma

BlueSocket
Communicator

Hi,

From the documentation, I see that the TA is a standalone app that can be used with the Sophos UTM App for Splunk and the CIM (Common Information Model) to then report upon.

Does this help?

Kindest regards,

BlueSocket

0 Karma

pbalsley
Path Finder

Thank you for your response. This is one of those times where different people have created apps for the same thing and it's difficult to figure out which is the right one to use.

There are a few Sophos apps, but the three I'm looking at all seem to be separate, with no relation. Hence my question.

Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575) is a TA that simply takes in syslog and changes the sourcetype, but does nothing more than that. It does not set any extractions or key-value pairs. So it looks like it is to be used with another app, but it does not document which one.

TA for Sophos UTM (https://splunkbase.splunk.com/app/3341) is a TA that does a bit more: sets the sourcetype, some key-value pairs, CIM tags etc. This hints that it would work with the Splunk Security app ($$), but again it does not directly state which one.

Splunk for SophosUTM (https://splunkbase.splunk.com/app/3280/) is its own app, with searches and dashboards, but its sourcetype transform seemed very simple and I thus wasn't sure if it needed a TA.

All of these do not seem to be related, at least directly.

I was hoping the author of this app (Sophos UTM Syslog App) would be able to shed some light on what his plans were. 🙂

At the end of the day, I have both XG firewalls and UTM firewalls sending syslog to Splunk. I'm trying to find a good TA or app to parse the data so it is usable etc.

I may just need to load each and play around with them.

thanks!

0 Karma

BlueSocket
Communicator

Hi,

Splunkbase is a great place to get something that will work, but it is often the case that the use case the author is creating for is different from what the downloader is expecting, so suck-it-and-see is often the approach that is required.

Yes, that is what I would do. However, to make sure that you don't roast your system, I would suggest using a dev environment: set one up and see what it does.

I would be really interested to know how you get on.

Blessings,

BlueSocket

0 Karma

pbalsley
Path Finder

I used this TA (Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575)) as it seemed to have the best transforms for the firewall types. But I had to heavily modify it as well. I removed the index references, and I updated props.conf as it referred to stanzas that did not exist in transforms.conf. But it is correctly finding my Sophos UTM and XG firewall syslog data.

I'll have to build my own searches and dashboards however.

0 Karma
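The two fixes described in the post above (props.conf pointing at transforms.conf stanzas that do not exist, and index-forcing transforms that assume an index you may not have) are the kind of thing worth checking mechanically before deploying any Splunkbase TA to a production indexer. The script below is an added example, not code from the Sophos UTM Syslog App or any other Splunkbase app. It parses the INI-style .conf syntax Splunk uses, lists every transform referenced from a `TRANSFORMS-` or `REPORT-` attribute in props.conf that has no stanza in transforms.conf, and flags transforms whose `DEST_KEY` is `_MetaData:Index`, which is one way a TA pins events to a particular index. The two .conf bodies are constructed for illustration; their stanza names, regexes and transform names are assumptions, not the real app's contents.

```python
"""Cross-check a Splunk TA's props.conf against its transforms.conf.

Added example, not code from the Sophos UTM Syslog App or any Splunkbase app.
The two .conf bodies below are constructed for illustration; their stanza and
transform names are assumptions, not the real app's.
"""
import configparser
from typing import Dict, List, Tuple

# A transform with this DEST_KEY rewrites the destination index of an event.
INDEX_DEST_KEY = "_MetaData:Index"

# Constructed props.conf: two of the five referenced transforms are deliberately undefined.
PROPS_CONF = """
[sophos:syslog]
TRANSFORMS-set_sourcetype = set_sophos_utm, set_sophos_xg
REPORT-kv = sophos_kv_pairs

[sophos:utm]
TRANSFORMS-route = route_to_sophos_index
REPORT-fields = sophos_utm_fields
"""

# Constructed transforms.conf: defines only three of those five stanzas.
TRANSFORMS_CONF = """
[set_sophos_utm]
REGEX = ulogd
FORMAT = sourcetype::sophos:utm
DEST_KEY = MetaData:Sourcetype

[set_sophos_xg]
REGEX = device="SFW"
FORMAT = sourcetype::sophos:xg
DEST_KEY = MetaData:Sourcetype

[route_to_sophos_index]
REGEX = .
FORMAT = sophos
DEST_KEY = _MetaData:Index
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style .conf syntax into {stanza: {attribute: value}}."""
    parser = configparser.ConfigParser(
        delimiters=("=",),           # Splunk only uses '=' (values may contain ':')
        comment_prefixes=("#",),
        inline_comment_prefixes=None,
        interpolation=None,          # regexes contain '%' and '$'; never interpolate
        strict=False,
    )
    parser.optionxform = str         # keep attribute case: TRANSFORMS- vs transforms-
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def referenced_transforms(props: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (props stanza, attribute, transform name) for every reference.

    TRANSFORMS- (index time) and REPORT- (search time) both name transforms.conf
    stanzas, comma-separated. EXTRACT- holds an inline regex, so it is not a reference.
    """
    refs = []
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if key.startswith(("TRANSFORMS-", "REPORT-")):
                for name in value.split(","):
                    name = name.strip()
                    if name:
                        refs.append((stanza, key, name))
    return refs


def find_missing_transforms(props_text: str, transforms_text: str) -> List[Tuple[str, str, str]]:
    """References in props.conf whose target stanza is absent from transforms.conf."""
    defined = set(parse_conf(transforms_text))
    refs = referenced_transforms(parse_conf(props_text))
    return sorted(ref for ref in refs if ref[2] not in defined)


def find_index_routing(transforms_text: str) -> List[str]:
    """Transforms that force events into an index; verify that index exists or drop them."""
    transforms = parse_conf(transforms_text)
    return sorted(name for name, attrs in transforms.items()
                  if attrs.get("DEST_KEY") == INDEX_DEST_KEY)


if __name__ == "__main__":
    for stanza, key, name in find_missing_transforms(PROPS_CONF, TRANSFORMS_CONF):
        print(f"[{stanza}] {key} references undefined transform '{name}'")
    for name in find_index_routing(TRANSFORMS_CONF):
        print(f"[{name}] sets DEST_KEY = {INDEX_DEST_KEY}; check that index exists on your indexers")
```

To run it against a real TA, replace the two constructed strings with the contents of `default/props.conf` and `default/transforms.conf` from the app directory. Note that `local/` overrides `default/` in Splunk, so check both if the app has already been edited, and remember that a search-time `REPORT-` reference only fails when someone searches that sourcetype, which is why a missing stanza can go unnoticed until dashboards are built.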