Reporting

used sophos reporting interface with Splunk

Explorer

Hello everybody,

I'm new to this community and I have a question about Splunk and Sophos.
So, I have a project that consists of installing the software "Splunk", "Sophos Reporting Interface" and "Sophos Reporting Log Writer" to create custom reports.

I installed all the software, but now I have to connect "Sophos Reporting Interface" to "Splunk" and I don't know how to do this.

Can you help me?

Thanks.


Re: used sophos reporting interface with Splunk

Ultra Champion

Well, according to these docs, it looks like you configure the Sophos Reporting Log Writer to write Sophos event data to a log file.

So the next step is that you would set up Splunk to monitor this log file / directory of log files.

Have a read over this : http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

0 Karma

Re: used sophos reporting interface with Splunk

Explorer

Thank you for responding so quickly 😄

I'm going to look at the links you posted.

0 Karma

Re: used sophos reporting interface with Splunk

Explorer

Hi,

So, I'm coming back to this forum because I haven't resolved my problem 😞

I'll repost my question:

I have a project that consists of installing the software "Splunk", "Sophos Reporting Interface" and "Sophos Reporting Log Writer" to create custom reports.
I installed all the software, but now I have to connect "Sophos Reporting Interface" to "Splunk" and I don't know how to do this.

Can you help me ?

Thank you.

0 Karma

Re: used sophos reporting interface with Splunk

Legend

What is it you're missing from the last answer? You won't get any complete solutions here, you will definitely have to roll up your sleeves and do some work yourself, learning more about Splunk in the process. There's no ready-made Sophos app for Splunk that I know of.

0 Karma

Re: used sophos reporting interface with Splunk

Path Finder

@Ayn: There actually is, but the point is moot because it is not public and jraynor would probably need to ask ProServ for it (of course, I doubt they'll hand it out for free).

Though the Sophos document @damien-dallimore linked to is a good resource, it definitely doesn't provide full details.

Also, this is really more of a Sophos Reporting Interface question/answer and likely only somewhat related to Splunk; I'll try to provide some important steps that need to be performed in my answer below.

0 Karma

Re: used sophos reporting interface with Splunk

Path Finder

Note: This assumes that your Splunk console is not on the same box as your Sophos Enterprise Console, and also that you have gone through and configured your Sophos database to send data to the SRI.

The account that is set as 'Log On As' for the SRI service absolutely must have rights to your Sophos database... I can't say for certain what the minimum permissions are, but obviously read is needed.

After you have installed SRI on your Sophos Enterprise Console, you'll need to edit your SophosLogWriterConfig.xml, default location: 32-bit - "%programfiles%\Sophos\Reporting Interface", 64-bit - "%programfiles(x86)%\Sophos\Reporting Interface" (even though there is already an example file, I'd suggest backing up the original XML and editing a copy).

There are a few optional things you can modify in this XML (like noOfDays and tick), but to get things rolling, you must change the remoteAddress IP to your Splunk console's IP and make sure the remotePort is the one you set as the TCP data input in Splunk (if you didn't configure this, go into Manager > Data Inputs > click on TCP > New > TCP > Port 514 > source type = syslog > Save).

Save these changes to the XML and restart the SRI service on your SEC. *.LAST files should start populating in the Reporting Interface folder. There is a log file that SRI creates when it comes to data transmission, but I'm having a hard time locating it.

Not long after that, depending on how frequently you set the tick counter in the SophosLogWriterConfig.xml, you should be able to search for your raw Sophos data in Splunk. Good luck 🙂

0 Karma
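The answer above relies on a raw TCP data input in Splunk (port 514, sourcetype syslog). Before blaming SRI for missing data, it is worth proving that the Splunk side actually accepts a line over TCP, and worth remembering that a raw TCP input has no authentication: anything that can reach the port can inject "Sophos" events, so restrict it to the SEC host. The following is an added example, not code from the thread, from Sophos or from Splunk. It builds the `inputs.conf` stanza that corresponds to the UI steps in the post (with an added `acceptFrom` restriction; the SEC IP 192.0.2.5 and the hostname/tag used in the test event are placeholders), and sends one syslog-style line exactly as a TCP client such as SRI would. The loopback listener stands in for Splunk so the send path can be exercised offline.

```python
"""Sanity-check a Splunk raw TCP input before pointing SRI at it.

Added example; not part of the original thread. Host, port, IP and
hostnames are placeholders. Port 514 is below 1024, so on Linux the
Splunk process needs privileges (or a port-forward) to bind it.
"""
import socket
import threading
from datetime import datetime
from typing import Optional

SPLUNK_HOST = "splunk.example.internal"   # placeholder: your Splunk console
SPLUNK_TCP_PORT = 514                     # the TCP data input from the post


def splunk_inputs_conf(port: int = SPLUNK_TCP_PORT, sec_ip: str = "192.0.2.5") -> str:
    """inputs.conf equivalent of Manager > Data Inputs > TCP > port 514,
    sourcetype = syslog. acceptFrom limits the unauthenticated input to the
    SEC host (placeholder IP); connection_host = ip records the sender."""
    return (
        f"[tcp://{port}]\n"
        "sourcetype = syslog\n"
        "connection_host = ip\n"
        f"acceptFrom = {sec_ip}\n"
    )


def syslog_line(message: str, hostname: str = "sec01", tag: str = "SophosSRI",
                pri: int = 14, ts: Optional[datetime] = None) -> str:
    """RFC 3164-style line; PRI 14 = facility user (1*8) + severity info (6).
    A fixed timestamp keeps the output deterministic for testing."""
    ts = ts or datetime(2024, 1, 2, 3, 4, 5)
    return f"<{pri}>{ts.strftime('%b %d %H:%M:%S')} {hostname} {tag}: {message}\n"


def send_test_event(host: str, port: int, line: str, timeout: float = 5.0) -> int:
    """Connect over TCP as SRI would, push one line, close. Returns bytes sent."""
    data = line.encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


def loopback_check(line: str) -> str:
    """Throwaway listener on 127.0.0.1 standing in for Splunk's TCP input.
    Returns what the listener received, i.e. what Splunk would index."""
    received = bytearray()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once() -> None:
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received.extend(chunk)

    t = threading.Thread(target=accept_once, daemon=True)
    t.start()
    send_test_event("127.0.0.1", port, line)
    t.join(timeout=5)
    srv.close()
    return received.decode("utf-8")


if __name__ == "__main__":
    print(splunk_inputs_conf())
    probe = syslog_line("SRI connectivity probe")
    print("loopback ok:", loopback_check(probe) == probe)
    # Against a real Splunk host, then search: index=* sourcetype=syslog "connectivity probe"
    # send_test_event(SPLUNK_HOST, SPLUNK_TCP_PORT, probe)
```

If the probe line shows up in a Splunk search but SRI's data does not, the problem is on the SRI side (service account, database rights, or the XML), not the data input.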

Re: used sophos reporting interface with Splunk

New Member

Editing the SophosLogWriterConfig.xml sounds like a good idea and saves us from installing the Splunk forwarder. I tried to insert the remoteAddress and remotePort tags, but whenever I add these I can't start the service anymore. Could you post an example file with these two values inserted?

Thank you very much and best regards,
Stefan

0 Karma

Re: used sophos reporting interface with Splunk

New Member

Double checked the application eventlog:

The element 'logFile' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd' has invalid child element 'remoteAddress' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd'. List of possible elements expected: 'noOfBackupFiles, fileSize, outputLocation, outputFilename, logName' in namespace 'http://www.sophos.com/msys/LogWriterConfig.xsd'.

0 Karma
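The event-log message above is a schema validation error: the Log Writer refuses to start because `remoteAddress` was placed under `logFile`, whose permitted children the error lists explicitly. The schema itself is not on this page, so where `remoteAddress`/`remotePort` do belong cannot be stated here; what can be checked before restarting the service is that nothing outside that list sits under `logFile`. The following is an added example, not code from the thread or from Sophos: it parses a copy of the config and reports misplaced `logFile` children using only the constraint the error states. The sample document is constructed for illustration, and its root element name `logWriterConfig` is an assumption.

```python
"""Pre-flight lint for SophosLogWriterConfig.xml edits.

Added example; not from the thread or from Sophos. The only rule applied
is the one the Windows event-log error states: under <logFile> in the
namespace http://www.sophos.com/msys/LogWriterConfig.xsd the permitted
children are noOfBackupFiles, fileSize, outputLocation, outputFilename
and logName. The sample XML below is constructed; the root element name
is an assumption.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = "http://www.sophos.com/msys/LogWriterConfig.xsd"
LOGFILE_CHILDREN = {"noOfBackupFiles", "fileSize", "outputLocation",
                    "outputFilename", "logName"}


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[-1]


def find_misplaced_logfile_children(xml_text: str) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs for every child of <logFile> that the
    schema error says is not allowed there."""
    root = ET.fromstring(xml_text)
    misplaced = []
    for log_file in root.iter(f"{{{NS}}}logFile"):
        for child in log_file:
            name = local_name(child.tag)
            if name not in LOGFILE_CHILDREN:
                misplaced.append(("logFile", name))
    return misplaced


# Constructed sample reproducing the mistake from the post: remoteAddress and
# remotePort dropped inside <logFile>. Paths and values are placeholders.
SAMPLE_BROKEN = r"""<?xml version="1.0" encoding="utf-8"?>
<logWriterConfig xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <logFile>
    <noOfBackupFiles>5</noOfBackupFiles>
    <fileSize>10485760</fileSize>
    <outputLocation>C:\Program Files (x86)\Sophos\Reporting Interface</outputLocation>
    <outputFilename>sophos.log</outputFilename>
    <logName>SophosSRI</logName>
    <remoteAddress>192.0.2.10</remoteAddress>
    <remotePort>514</remotePort>
  </logFile>
</logWriterConfig>
"""

# Same document with the two foreign elements removed from <logFile>.
SAMPLE_CLEAN = r"""<?xml version="1.0" encoding="utf-8"?>
<logWriterConfig xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <logFile>
    <noOfBackupFiles>5</noOfBackupFiles>
    <fileSize>10485760</fileSize>
    <outputLocation>C:\Program Files (x86)\Sophos\Reporting Interface</outputLocation>
    <outputFilename>sophos.log</outputFilename>
    <logName>SophosSRI</logName>
  </logFile>
</logWriterConfig>
"""


def lint_file(path: str) -> int:
    """Lint a real config copy; returns the number of misplaced elements."""
    with open(path, "r", encoding="utf-8") as fh:
        problems = find_misplaced_logfile_children(fh.read())
    for parent, child in problems:
        print(f"<{child}> is not a permitted child of <{parent}>; "
              f"allowed: {sorted(LOGFILE_CHILDREN)}")
    return len(problems)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if lint_file(sys.argv[1]) else 0)
    print(find_misplaced_logfile_children(SAMPLE_BROKEN))
    print(find_misplaced_logfile_children(SAMPLE_CLEAN))
```

Run it against the edited copy (`python lint_sri_config.py SophosLogWriterConfig.xml`) before restarting the SRI service; a non-zero exit means the Log Writer will reject the file for the reason shown in the event log. The checker says where the elements may not go, not where they must; that still has to come from the shipped example file or Sophos documentation.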