What is sophos:sec?

nickstone
Path Finder

In the docs for the Splunk_TA_sophos app there is a reference to "sophos:sec", but the only reference I can find for this in the app is in the transforms or props file.

Can someone confirm its intended function? Is it for the syslog version of the logs, or UTM logs?

When I trace backwards from the Malware datamodel to see what it does, I get to eventtypes, and it seems that sophos:sec is paired with most other input sourcetypes, which makes me think it is the syslog version.

Anyone worked heavily with this app before?

0 Karma

rpille_splunk
Splunk Employee

Per http://docs.splunk.com/Documentation/AddOns/released/Sophos/DataTypes, it is one of the sourcetypes for the Sophos Endpoint Console Server logs and maps data for the Change Analysis, Malware, and Network Traffic CIM models.

Here are the instructions for how to configure the collection for these logs: http://docs.splunk.com/Documentation/AddOns/released/Sophos/Configureinputs#Sophos_Endpoint_Console_...

nickstone
Path Finder

Thanks for the quick response; however, per my question, I have already read those links and they don't say much.

What is the source of sophos:sec data? There is no input, and the transforms/props doesn't seem to match anything.

0 Karma

chaker
Path Finder

If you take a look in the props.conf file, you will see there is a [sophos:sec] stanza, with field aliasing to CIM field names.

I collected the logs using the sourcetypes described in the TA's inputs.conf file, then renamed them at search time to the sophos:sec sourcetype. You only need to use sophos:sec if you want CIM-compliant field names.

0 Karma

chris_jepeway
New Member

A comment in transforms.conf suggests using host matching to remap the sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly your plain-vanilla Windows sourcetypes disappear.

Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire.

My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here.

0 Karma
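To make the two search-time approaches in this thread concrete (chaker's sourcetype rename, and chris_jepeway's `(?::){0}` sourcetype-pattern stanza), here is an added props.conf example. It is not from the Splunk_TA_sophos add-on or from either poster; the raw Sophos field names (Computer, ThreatName, User) and the placeholder stanza name `sophos:existing_sourcetype` are assumptions for illustration, and the target field names are standard CIM Malware fields. Both approaches operate only at search time, so, unlike the host-matching transform the comment warns about, nothing is re-sourcetyped at index time and unrelated events from the same host keep their own sourcetypes.

```ini
# Added example, not the TA's own configuration.
#
# Approach 1: a sourcetype-pattern stanza. The (?::){0} prefix tells props.conf
# to treat the stanza name as a sourcetype wildcard instead of a source path,
# so these search-time aliases attach to every sourcetype starting "sophos:"
# without renaming anything.
[(?::){0}sophos:*]
# Left-hand field names are ASSUMED raw Sophos fields; confirm yours with
# a search such as:  sourcetype=sophos:* | fieldsummary
FIELDALIAS-sophos_cim_dest      = Computer AS dest
FIELDALIAS-sophos_cim_signature = ThreatName AS signature
FIELDALIAS-sophos_cim_user      = User AS user
EVAL-vendor_product             = "Sophos Endpoint"

# Approach 2 (chaker's): rename one collected sourcetype to sophos:sec at
# search time so the TA's own [sophos:sec] stanza (aliases, lookups) fires.
# Events stay indexed under the original name; searches see sophos:sec.
# "sophos:existing_sourcetype" is a placeholder: use the sourcetype you
# configured from the TA's inputs.conf.
[sophos:existing_sourcetype]
rename = sophos:sec
```

Pick one approach per sourcetype rather than stacking both. A caveat worth checking in the props.conf spec for your Splunk version: once a sourcetype is renamed, search-time field extractions defined under the original stanza are ignored and only the target sourcetype's search-time configuration applies, so any custom EXTRACT or REPORT settings must live under `[sophos:sec]`. The original name remains searchable through the `_sourcetype` field, which is handy for confirming the rename took effect.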