In the docs for the Splunk_TA_sophos app there is reference to "sophos:sec" but the only reference I can find for this in the app is in the transforms or props file.
Can someone confirm its intended function? Is it for the syslog version of the logs, or the UTM logs?
When I trace backwards from the Malware data model to see what it does, I get to eventtypes, and it seems that sophos:sec is paired with most other input sourcetypes, which makes me think it is the syslog version.
Anyone worked heavily with this app before?
Per http://docs.splunk.com/Documentation/AddOns/released/Sophos/DataTypes, it is one of the sourcetypes for the Sophos Endpoint Console Server logs and maps data for the Change Analysis, Malware, and Network Traffic CIM models.
Here are the instructions for how to configure the collection for these logs: http://docs.splunk.com/Documentation/AddOns/released/Sophos/Configureinputs#Sophos_Endpoint_Console_...
Thanks for the quick response, however per my question I have already read those links and they don't say much.
What is the source of sophos:sec data? There is no input, and the transforms/props don't seem to match anything.
If you take a look in the props.conf file, you will see there is a [sophos:sec] stanza, with field aliasing to CIM field names.
I collected the logs using the sourcetypes described in the TA's inputs.conf file, then renamed the sourcetype to sophos:sec at search time. You only need to use sophos:sec if you want CIM-compliant field names.
A comment in transforms.conf suggests using host matching to remap the sourcetype, but that changes the sourcetypes of all events emitted from that host. So, suddenly your plain-vanilla Windows sourcetypes disappear.
Instead, I've used the [(?::){0}sophos:*] trick in props.conf to get those CIM-compatible search-time aliases and lookups to fire.
My current problem with them is that they don't exactly match the output from Reporting Log Writer anymore. When I get the field mappings working again, I'll report back here.
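To make the three approaches discussed in this thread concrete, here is an added example (not from the TA and not posted by anyone above) showing the host-based index-time remap beside the search-time alternatives: the props.conf rename from the second answer and the wildcard-sourcetype stanza from the comment above. The host name, the original sourcetype, the raw field names and the lookup name are placeholders; the real ones are in the TA's props.conf and transforms.conf.

```ini
# --- Approach 1: host-based sourcetype remap (index-time) ---
# Every event arriving from this host is rewritten to sophos:sec,
# including unrelated Windows event logs from the same machine, which
# is why other sourcetypes "disappear" from that host.
# props.conf (placeholder host name)
[host::SOPHOS-SEC-SERVER]
TRANSFORMS-force_sophos_sec = sophos_force_sec_sourcetype

# transforms.conf
[sophos_force_sec_sourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sophos:sec

# --- Approach 2: search-time sourcetype rename ---
# Events stay indexed under the original sourcetype; at search time they
# show up as sophos:sec and pick up that stanza's aliases and lookups.
# props.conf (placeholder original sourcetype)
[sophos:original_input_sourcetype]
rename = sophos:sec

# --- Approach 3: wildcard sourcetype stanza (search-time only) ---
# (?::){0} is a zero-width regex prefix that makes Splunk treat the
# stanza name as a sourcetype pattern rather than a source or host.
# Nothing is rewritten at index time; aliases and lookups apply to any
# sourcetype beginning with "sophos:", and the host's Windows sourcetypes
# are untouched.
# props.conf (placeholder raw field names and lookup name)
[(?::){0}sophos:*]
FIELDALIAS-sophos_cim_dest = ComputerName AS dest
FIELDALIAS-sophos_cim_user = UserName AS user
LOOKUP-sophos_cim_action = sophos_action_lookup ActionName OUTPUTNEW action
```

Splunk .conf files only honour comments that start a line, so keep explanatory notes on their own lines rather than after a value.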