Hi All,

We got our Splunk deployment done by a 3rd party, which has completed the deployment and left already. Suddenly, Sophos Central logs have stopped coming to Splunk for the last 3 months. I have checked the API keys at Sophos; they are still valid. (The logs are integrated through the Sophos API.) I have the following questions, if somebody can help me with these:

1- Where to check in Splunk the configuration done to read the Sophos logs? I can't even find out where the Splunk-side settings are done to capture these logs.
2- How to troubleshoot this issue?

Thanks.
Hi,

Although I don't have an answer to your question, I guess you can help me with my question. Can you list the steps to do the following for me please:

1- Configure Cisco ESA to send logs to a Heavy Forwarder.
2- Splunk-side configuration (especially capturing all the sourcetypes correctly, i.e. authentication, textmail, http, etc.).

Our design is that all endpoints send logs to the heavy forwarder; we use syslog-ng. Add-ons are pushed by deployment servers to the heavy forwarders. All logs are then sent from the heavy forwarders to the indexers using Universal Forwarders. The problem in this setup is that, at the Heavy Forwarder level, we can assign only one sourcetype to all the logs coming from a single endpoint. In the case of ESA, we are getting multiple sourcetypes from the same endpoints. I hope you can help me with that as you have already got it configured.

Thanks.
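One way to split a single syslog feed into several sourcetypes at the heavy forwarder is a sourcetype override in props.conf and transforms.conf, applied to the one sourcetype the input already assigns. The configuration below is an added example, not code from either poster, from Cisco, or from the Splunk Add-on for Cisco ESA. It assumes the input currently tags the ESA feed as `esa_syslog` (an assumed name), that the target sourcetypes follow the `cisco:esa:<log>` naming convention used by the Splunk Add-on for Cisco ESA (confirm against the add-on's own props.conf), and the `REGEX` values are placeholders to be replaced with patterns taken from a sample of each ESA log subscription.

```ini
# props.conf on the heavy forwarder
# (hypothetical app path: $SPLUNK_HOME/etc/apps/esa_sourcetyping/local/props.conf)
# "esa_syslog" is an assumed name for the single sourcetype the syslog-ng/HF input
# currently stamps on everything from the ESA host; use the sourcetype your input sets.
[esa_syslog]
# Transforms in this list are evaluated in the listed order at parse time on the HF.
TRANSFORMS-esa_sourcetype = esa_set_authentication, esa_set_http, esa_set_textmail

# transforms.conf in the same app. Each stanza rewrites the sourcetype of any event
# whose raw text matches REGEX. The patterns below are placeholders that only show the
# mechanism; derive mutually exclusive patterns from real sample events before deploying.
[esa_set_authentication]
REGEX = PLACEHOLDER_AUTHENTICATION_LOG_PATTERN
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:esa:authentication

[esa_set_http]
REGEX = PLACEHOLDER_HTTP_LOG_PATTERN
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:esa:http

[esa_set_textmail]
REGEX = PLACEHOLDER_TEXTMAIL_LOG_PATTERN
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:esa:textmail
```

Two points matter for the design described in the post. First, the override has to live on the heavy forwarder, because that is where the data is parsed; by the time the events reach the indexers they are already cooked and transforms placed there will not re-sourcetype them. Second, after restarting the HF, a quick check such as `index=<your_index> host=<esa_host> | stats count by sourcetype` shows whether events are landing in the three target sourcetypes or still falling through to the catch-all, which usually means a placeholder pattern has not been replaced or does not match the real log text.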