Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sophos Central SC4S

Shaun-Crouch
Observer
‎05-25-2021 01:19 AM

Hi,

I am currently working on getting our Sophos Central Cloud logs into SPLUNK. I have the 1st step out of the way in that I have the logs being ingested fine. I am however having some difficulty in getting them into the correct index.

Following the documentation here: Configuration - Splunk Connect for Syslog (splunk-connect-for-syslog.readthedocs.io) I am planning to add the following to to the splunk_metadata.csv:

sophos_sophos central_Event::Endpoint::UpdateSuccess,sourcetype,sophos:endpoint:update:cef,index,sophos


sophos_sophos central_Event::Endpoint::WebControlViolation,sourcetype,sophos:endpoint:update:cef,index,sophos

Based off the following 2 examples, do these appear correct?

splunk1.JPG

splunk2.JPG

 

Many thanks

Shaun

Labels (4)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...