Thank you for your response. This is one of those times where different people have created apps for the same thing and its difficult to figure out which is the right one to use.
There are a few Sophos apps, But the three I'm looking at seem to all be separate with no relation. Hence my question.
Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575) is a TA that simply takes in syslog and changes the sourcetype. But does nothing more than that. Does not set any extracts or key value pairs. So it looks like it is to be used with another app, but does not document which one.
TA for Sophos UTM (https://splunkbase.splunk.com/app/3341) is a TA that does a bit more, sets sourcetype, some key value pairs, CIM tags etc.. This hints that then it would work with Splunk Security app ($$), but again does not directly state which one.
Splunk for SophosUTM (https://splunkbase.splunk.com/app/3280/) Is it's own app, searches, dashboards, but it's source type transform seemed very simple and I thus wasn't sure if it needed a TA.
All of these do not seem to be related, at least directly.
I was hoping the author of this app (Sophos UTM Syslog App) would be able to shed some light to what his plans where. 🙂
At the end of the day, I have both XG firewalls and UTM firewalls sending syslog to splunk. I'm trying to find a good TA or app to parse the data so it is usable etc..
I may just need to load each and play around with them.
... View more