Reporting

used Sophos Reporting Interface with Splunk

jraynor
Explorer

Hello everybody,

I'm new to this community and I have a question about Splunk and Sophos.
So, I have a project that consists of installing the software "Splunk", "Sophos Reporting Interface" and "Sophos Reporting Log Writer" to create custom reports.

I installed all the software, but now I have to connect "Sophos Reporting Interface" to "Splunk" and I don't know how to do this.

Can you help me?

Thanks.

rigor
Explorer

The following worked for me: I installed LogWriter and let it run with an account that has privileges to read SEC. The config below pulls some selected events from Sophos predefined views and exports them to a folder, which is configured as a CIFS share, from where they can be pulled by Splunk. I am not aware of Sophos being capable of sending syslog, as one of the comments here mentions:

SophosLogWriterConfig.xml

<?xml version="1.0" encoding="utf-8" ?>
<!-- namespace as reported in the LogWriter schema-validation event-log message quoted later in this thread -->
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <connection>
    <connectionString>
      Integrated Security=SSPI;
      Persist Security Info=False;
      Initial Catalog=SOPHOS52;
      Data Source=sophosHost.domain.suffix
    </connectionString>
    <commandTimeout>120</commandTimeout>
  </connection>
  <noOfDays>10</noOfDays>
  <lagTime>1</lagTime>
  <datafeeds>
    <!-- 1 feed per log file -->
    <datafeed>
      <!-- Poll time in seconds -->
      <tick>60</tick>
      <!-- prepend each line with a timestamp -->
      <applyLogFormat>1</applyLogFormat>
      <logFile logType="LogFile">
        <!-- Splunk should read only the file that ends with a digit -->
        <!-- The file without a suffix is being written live -->
        <!-- Splunk has to read the 1MB file before it rolls over -->
        <noOfBackupFiles>1</noOfBackupFiles>
        <fileSize>1Mb</fileSize>
        <!-- this folder has to be available to Splunk for reading, i.e. shared -->
        <outputLocation>C:\FolderNameForSophosLogs\</outputLocation>
        <!-- a space before the name caused an issue for me, so leave none -->
        <outputFilename>sophosLogFile.log</outputFilename>
      </logFile>
      <!-- several calls can be made per log file, 1 per table -->
      <!-- each call needs a unique tracking ID -->
      <!-- THREATS -->
      <call callID="DefaultThreats">
        <!-- defined data source/table name -->
        <dataSource>ThreatEventData</dataSource>
        <!-- can specify exactly which fields to collect -->
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <!-- config for this call -->
        <dataConfigurationFile>Threats.config</dataConfigurationFile>
      </call>

      <!-- THREAT INSTANCES -->
      <call callID="DefaultInstances">
        <!-- defined data source/table name -->
        <dataSource>ThreatInstances</dataSource>
        <!-- can specify exactly which fields to collect -->
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <!-- config for this call -->
        <dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
      </call>

      <!-- FIREWALL EVENTS -->
      <call callID="DefaultFirewallEvents">
        <!-- defined data source/table name -->
        <dataSource>EventsFirewallData</dataSource>
        <!-- can specify exactly which fields to collect -->
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <!-- config for this call -->
        <dataConfigurationFile>Firewall.config</dataConfigurationFile>
      </call>

      <!-- STANDARD EVENTS -->
      <call callID="DefaultCommonEvents">
        <!-- defined data source/table name -->
        <dataSource>EventsCommonData</dataSource>
        <!-- can specify exactly which fields to collect -->
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <!-- config for this call -->
        <dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
      </call>
    </datafeed>
  </datafeeds>
</SophosDatafeed>

michaelstanton
Explorer

I have an issue where all the threat logs are coming in with the exact same timestamp according to Splunk, i.e. the "_time" value.

However, there are different timestamps within the log, like 'inserted time' etc., that are correct.

This isn't happening for each type.

I'm using the recommendations from the add-on for the inputs.conf, but that is configured on a Splunk forwarder installed on the Enterprise Console.

0 Karma

rigor
Explorer

Michael, I did not use the Sophos TA you mention, but you can configure Splunk to pick up any timestamp from within the event (props.conf, TIME_PREFIX = ...). For me the best was to have _time match the timestamp of when the event actually happened, not when it was written to the Sophos DB.

rgds

0 Karma

michaelstanton
Explorer

Thanks, yes that would solve it as well.

I figured out that the field actually represents the difference from UTC in seconds, so I added 4 hours to that for EST.

0 Karma

ARothman
Path Finder

Note: This is assuming that your Splunk console is not on the same box as your Sophos Enterprise Console and also assuming that you have gone through and configured your Sophos database to send data to the SRI.

The account that is set as 'Log On As' for the SRI service absolutely must have rights to your Sophos database... I can't say for certain what the minimum permissions are, but obviously read is needed.

After you have installed SRI on your Sophos Enterprise Console, you'll need to edit your SophosLogWriterConfig.xml, default location: 32bit - "%programfiles%\Sophos\Reporting Interface" 64bit - "%programfiles(x86)%\Sophos\Reporting Interface" (Even though there is already an example file, I'd suggest backing up the original xml and editing a copy).

There are a few optional things you can modify in this xml (like noOfDays and tick), but to get things rolling, you must change the remoteAddress IP to your Splunk console's IP and make sure the remotePort is the one you set as the TCP data input in Splunk (if you didn't configure this, go into Manager > Data Inputs > Click on TCP > New > TCP > Port 514 > source type = syslog > save).

Save these changes to the xml and restart the SRI service on your SEC. *.LAST files should start populating in the Reporting Interface folder. There is a log file that SRI creates when it comes to data transmission, but I'm having a hard time locating it.

Not long after that, depending on how frequent you set the tick counter to in the SophosLogWriterConfig.xml, you should be able to search for your raw Sophos data in Splunk. Good luck 🙂

0 Karma

smolls
New Member

Double checked the application eventlog:

The element 'logFile' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd' has invalid child element 'remoteAddress' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd'. List of possible elements expected: 'noOfBackupFiles, fileSize, outputLocation, outputFilename, logName' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd'.

0 Karma
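A structural check for a SophosLogWriterConfig.xml like the one rigor posted above, written against the schema error smolls quotes in the event log. This is an added example, not code from the thread or from Sophos: it parses the file in the namespace the error message names, flags any child of logFile outside the set the error lists as allowed (which is why remoteAddress/remotePort cannot go there), a leading space in outputFilename, and duplicated callID values. The two sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the LogWriter schema error quoted in this thread.
NS = "{http://www.sophos.com/msys/LogWriterConfig.xsd}"
# Children the schema accepts under <logFile>, from the same error message;
# remoteAddress / remotePort are not among them.
LOGFILE_CHILDREN = {"noOfBackupFiles", "fileSize", "outputLocation",
                    "outputFilename", "logName"}


def lint_logwriter_config(xml_text):
    """Return a list of problems found in a SophosLogWriterConfig.xml document."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != NS + "SophosDatafeed":
        problems.append("root is not SophosDatafeed in the LogWriter namespace "
                        "(xmlns placeholder still in place?)")
    for log_file in root.iter(NS + "logFile"):
        for child in log_file:
            name = child.tag.rsplit("}", 1)[-1]   # drop the {namespace} prefix
            if name not in LOGFILE_CHILDREN:
                problems.append("logFile has invalid child element '%s'" % name)
        fname = log_file.findtext(NS + "outputFilename", "")
        if fname != fname.strip():   # a leading space broke the poster's setup
            problems.append("outputFilename has surrounding whitespace: %r" % fname)
    seen_ids = set()
    for call in root.iter(NS + "call"):   # every call needs a unique tracking ID
        cid = call.get("callID", "")
        if not cid or cid in seen_ids:
            problems.append("missing or duplicate callID %r" % cid)
        seen_ids.add(cid)
    return problems


# Constructed samples (not from the thread): a valid shape, and one that
# reproduces the remoteAddress-inside-logFile mistake plus a duplicated callID.
GOOD_CONFIG = """<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
<datafeeds><datafeed><tick>60</tick>
<logFile logType="LogFile"><noOfBackupFiles>1</noOfBackupFiles><fileSize>1Mb</fileSize>
<outputLocation>C:\\SophosLogs\\</outputLocation><outputFilename>sophos.log</outputFilename>
</logFile><call callID="DefaultThreats"><dataSource>ThreatEventData</dataSource></call>
</datafeed></datafeeds></SophosDatafeed>"""

BAD_CONFIG = """<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
<datafeeds><datafeed><logFile logType="LogFile">
<remoteAddress>10.0.0.5</remoteAddress><remotePort>514</remotePort>
<outputFilename> sophos.log</outputFilename></logFile>
<call callID="DefaultThreats"><dataSource>ThreatEventData</dataSource></call>
<call callID="DefaultThreats"><dataSource>ThreatInstances</dataSource></call>
</datafeed></datafeeds></SophosDatafeed>"""
```

Running lint_logwriter_config over the real file before restarting the SRI service reports the same class of mistake the Windows event log does, without a failed service start.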

smolls
New Member

Editing the SophosLogWriterConfig.xml sounds like a good idea and saves us from installing the Splunk forwarder. I tried to insert the remoteAddress and remotePort tags, but whenever I add these I can't start the service anymore. Could you post an example file with these two values inserted?

Thank you very much and best regards,
Stefan

0 Karma

jraynor
Explorer

Thank you for responding so quickly 😄

I'm going to look at the links that you posted.

0 Karma

Damien_Dallimor
Ultra Champion

Well, according to these docs, it looks like you configure the Sophos Reporting Log Writer to write Sophos event data to a log file.

So the next step is that you would set up Splunk to monitor this log file / directory of log files.

Have a read over this : http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

0 Karma

ARothman
Path Finder

@Ayn: There actually is, but the point is moot because it is not public and jraynor would probably need to ask ProServ for it (of course, I doubt they'll hand it out for free).

Though the Sophos document @damien-dallimore linked to is a good resource, it definitely doesn't provide full details.

Also, this is really more of a Sophos Reporting Interface question/answer and likely only somewhat related to Splunk. I'll try to provide some important steps that need to be performed in my answer below.

0 Karma

Ayn
Legend

What is it you're missing from the last answer? You won't get any complete solutions here, you will definitely have to roll up your sleeves and do some work yourself, learning more about Splunk in the process. There's no ready-made Sophos app for Splunk that I know of.

0 Karma

jraynor
Explorer

Hi,

So, I come back to this forum because I haven't resolved my problem 😞

I repost my question:

I have a project that consists of installing the software "Splunk", "Sophos Reporting Interface" and "Sophos Reporting Log Writer" to create custom reports.
I installed all the software, but now I have to connect "Sophos Reporting Interface" to "Splunk" and I don't know how to do this.

Can you help me?

Thank you.

0 Karma
