Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise Security
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Sophos Reporting Interface and choosing the correc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidmonaghan
Explorer
01-23-2018
03:33 AM
Hi All
I am currently gathering logs from Sophos Enterprise Console 5.1 using the Sophos Reporting Log Writer.
I have installed Splunk_TA_sophos on the Universal Forwarder and Indexer.
Sophos is collecting 2 types logs - DefaultCommonEvents and DefaultThreats
Based on these types of logs, what are the appropriate sourcetypes that I should apply?
This is from SophosLogWriterConfig file
<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
<connection>
<!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
</connection>
<noOfDays>7</noOfDays>
<lagTime>1</lagTime>
<datafeeds>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultCommonEvents.log</outputFilename>
</logFile>
<logFile logType="WindowsLog">
<logName>DefaultCommonEvents</logName>
</logFile>
<call callID="DefaultCommonEvents">
<dataSource>EventsCommonData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultThreats.log</outputFilename>
</logFile>
<call callID="DefaultThreats">
<dataSource>ThreatEventData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Threats.config</dataConfigurationFile>
</call>
</datafeed>
</datafeeds>
</SophosDatafeed>
This is from default inputs.conf file
[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch
[monitor://<SEC_LOG_PATH>\Threats.log]
disabled = 1
sourcetype=sophos:threats
[monitor://<SEC_LOG_PATH>\WebData.log]
disabled = 1
sourcetype=sophos:webdata
[monitor://<SEC_LOG_PATH>\Firewall*.txt]
disabled = 1
sourcetype=sophos:firewall
[monitor://<SEC_LOG_PATH>\AppControl.log]
disabled = 1
sourcetype=sophos:AppControl
[monitor://<SEC_LOG_PATH>\DeviceControl.txt]
disabled = 1
sourcetype=sophos:devicecontrol
[monitor://<SEC_LOG_PATH>\TamperProtection.log]
disabled = 1
sourcetype=sophos:tamperprotection
[monitor://<SEC_LOG_PATH>\DataControl.txt]
disabled = 1
sourcetype=sophos:datacontrol
[monitor://<SEC_LOG_PATH>\ComputerData.log]
disabled = 1
sourcetype=sophos:computerdata
Could someone advise which sourcetypes are most appropriate for DefaultCommonEvents and DefaultThreats
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidmonaghan
Explorer
01-26-2018
09:23 AM
After a bit of experimentation, I believe the following should be correct...
The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.
Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.
Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)
sophos:sec (maps to Change Analysis, Malware, Network Traffic)
Complete Inputs.conf located on the Universal Forwarder
[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch
[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents
[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats
[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata
[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall
[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl
[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol
[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection
[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol
[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata
Complete SophosLogWriterConfig.config file
<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
<connection>
<!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
</connection>
<noOfDays>7</noOfDays>
<lagTime>1</lagTime>
<datafeeds>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultCommonEvents.log</outputFilename>
</logFile>
<logFile logType="WindowsLog">
<logName>DefaultCommonEvents</logName>
</logFile>
<call callID="DefaultCommonEvents">
<dataSource>EventsCommonData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultThreats.log</outputFilename>
</logFile>
<call callID="DefaultThreats">
<dataSource>ThreatEventData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Threats.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>AppControl.log</outputFilename>
</logFile>
<call callID="ApplicationControl">
<dataSource>EventsApplicationControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DataControl.log</outputFilename>
</logFile>
<call callID="DataControl">
<dataSource>EventsDataControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>DataControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DeviceControl.log</outputFilename>
</logFile>
<call callID="DeviceControl">
<dataSource>EventsDeviceControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>Firewall.log</outputFilename>
</logFile>
<call callID="Firewall">
<dataSource>EventsFirewallData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Firewall.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>TamperProtection.log</outputFilename>
</logFile>
<call callID="TamperProtection">
<dataSource>EventsTamperProtectionData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>WebData.log</outputFilename>
</logFile>
<call callID="WebData">
<dataSource>EventsWebData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Web.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>ComputerData.log</outputFilename>
</logFile>
<call callID="ThreatInstances">
<dataSource>ThreatInstances</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
</call>
</datafeed>
</datafeeds>
</SophosDatafeed>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidmonaghan
Explorer
01-26-2018
09:23 AM
After a bit of experimentation, I believe the following should be correct...
The default config for Sophos Log Writer includes EventsCommonData which does not map to any Splunk_TA_sophos CIM models. For this reason I created a new Sophos event-type.
Similarly, the Splunk_TA_sophos eventtype sophos:sec does not map to any Sophos Log Writer data sources.
Sophos LogWiter data sources -> Splunk_TA_sophos sourcetypes
EventsApplicationControlData -> sophos:AppControl
EventsCommonData -> sophoscommonevents
EventsDataControlData -> sophos:datacontrol
EventsDeviceControlData -> sophos:devicecontrol
EventsFirewallData -> sophos:firewall (maps to Network Traffic)
EventsTamperProtectionData -> sophos:tamperprotection (maps to Change Analysis)
EventsWebData -> sophos:webdata
ThreatEventData -> sophos:threats
ThreatInstances -> sophos:computerdata (maps to Malware)
sophos:sec (maps to Change Analysis, Malware, Network Traffic)
Complete Inputs.conf located on the Universal Forwarder
[WinEventLog://Sophos Patch]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype=WinEventLog:SophosPatch
[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultCommonEvents.log]
disabled = 0
sourcetype=sophos:commonevents
[monitor://path\to\Sophos\Reporting Interface\Log Files\DefaultThreats.log]
disabled = 0
sourcetype=sophos:threats
[monitor://path\to\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype=sophos:webdata
[monitor://path\to\Sophos\Reporting Interface\Log Files\Firewall.log]
disabled = 0
sourcetype=sophos:firewall
[monitor://path\to\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
sourcetype=sophos:AppControl
[monitor://path\to\Sophos\Reporting Interface\Log Files\DeviceControl.log]
disabled = 0
sourcetype=sophos:devicecontrol
[monitor://path\to\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype=sophos:tamperprotection
[monitor://path\to\Sophos\Reporting Interface\Log Files\DataControl.log]
disabled = 0
sourcetype=sophos:datacontrol
[monitor://path\to\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 0
sourcetype=sophos:computerdata
Complete SophosLogWriterConfig.config file
<?xml version="1.0" encoding="utf-8" ?>
<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
<connection>
<!--<connectionString>Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SOPHOS[SECVersion];Data Source=[SERVER]\[INSTANCE]</connectionString>-->
</connection>
<noOfDays>7</noOfDays>
<lagTime>1</lagTime>
<datafeeds>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultCommonEvents.log</outputFilename>
</logFile>
<logFile logType="WindowsLog">
<logName>DefaultCommonEvents</logName>
</logFile>
<call callID="DefaultCommonEvents">
<dataSource>EventsCommonData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>EventsCommon.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DefaultThreats.log</outputFilename>
</logFile>
<call callID="DefaultThreats">
<dataSource>ThreatEventData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Threats.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>AppControl.log</outputFilename>
</logFile>
<call callID="ApplicationControl">
<dataSource>EventsApplicationControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>ApplicationControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DataControl.log</outputFilename>
</logFile>
<call callID="DataControl">
<dataSource>EventsDataControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>DataControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>DeviceControl.log</outputFilename>
</logFile>
<call callID="DeviceControl">
<dataSource>EventsDeviceControlData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>DeviceControl.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>Firewall.log</outputFilename>
</logFile>
<call callID="Firewall">
<dataSource>EventsFirewallData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Firewall.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>TamperProtection.log</outputFilename>
</logFile>
<call callID="TamperProtection">
<dataSource>EventsTamperProtectionData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>TamperProtection.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>WebData.log</outputFilename>
</logFile>
<call callID="WebData">
<dataSource>EventsWebData</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>Web.config</dataConfigurationFile>
</call>
</datafeed>
<datafeed>
<tick>1000</tick>
<logFile logType="LogFile">
<noOfBackupFiles>5</noOfBackupFiles>
<fileSize>1MB</fileSize>
<outputLocation>.\Log Files</outputLocation>
<outputFilename>ComputerData.log</outputFilename>
</logFile>
<call callID="ThreatInstances">
<dataSource>ThreatInstances</dataSource>
<dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
<dataConfigurationFile>ThreatInstances.config</dataConfigurationFile>
</call>
</datafeed>
</datafeeds>
</SophosDatafeed>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lakshman239
Influencer
01-24-2018
04:06 AM
Hope you have seen these docs. http://downloads.sophos.com/readmes/srlw_51_rneng.html and http://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise . If you have pulled the files to the server where Splunk UF and TA is installed, I would configure the local/inputs.conf with all the above enabled and point to your files as appropriate in dev and and adjust/change as needed. we generally look at threat data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidmonaghan
Explorer
01-24-2018
05:20 AM
Hi @lakshman239, thanks for your reply.
I have followed the instructions in both the linked documents.
What is not clear to me is how LogWiter data sources match to the Splunk_TA_sophos sourcetypes
Based on the below data I'd assume that DefaultThreats maps to sophos:threats but I have no idea what would be appropriate for DefaultCommonEvents
Sophos LogWiter data sources
A. EventsApplicationControlData
B. EventsCommonData
C. EventsDataControlData
D. EventsDeviceControlData (added new data fields)
E. EventsFirewallData
F. EventsTamperProtectionData
G. EventsWebData (added new data fields)
H. ThreatEventData
I. ThreatInstances
Splunk_TA_sophos sourcetypes
A. sophos:sec (maps to Change Analysis, Malware, Network Traffic)
B. sophos:threats
C. sophos:webdata
D. sophos:firewall (maps to Network Traffic)
E. sophos:AppControl
F. sophos:devicecontrol
G. sophos:tamperprotection (maps to Change Analysis)
H. sophos:datacontrol
I. sophos:computerdata (maps to Malware)
Get Updates on the Splunk Community!
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
