Does documentation exist for Sophos App & Add-on for Splunk?

salbro
Path Finder

I've been using the previous now deprecated Sophos App for Splunk and have seen the pages for the two new apps. Because the previous version only involved 1 app, it was easy to install and contained documentation for setup. Is there any additional complexity with the new apps? Where is the app and add-on supposed to be installed? Is there any documentation provided/setup?

Thanks in advance!

0 Karma

JScordo
Path Finder

The app should be configured on the Search head and the add-on, which will do your API calls for data inputs, could be on the search head as well unless you are using Splunk Cloud. Then you should have a separate box for the add-on, ideally a HF.

0 Karma

salbro
Path Finder

I'm not cloud, but I do run over 150 UFs with a deployment manager. I wasn't sure if I needed to install this on all my UFs (endpoints) or if this is unwarranted since it's just querying Sophos for the info.

0 Karma

aoweneoecoop
Explorer

Hi, we are in the same situation. I have Sophos Central and I have installed the Add-on app and the Sophos App, and I have configured the Add-on in the inputs with the API info. Are there any other settings I need to set up to get this to work?

0 Karma

JScordo
Path Finder

I don't believe so. You should be able to install it on your search head and configure the add-on/data inputs there (as long as you're not in a clustered search head environment).

0 Karma

493669
Super Champion

In a distributed deployment, install the Splunk Add-on for Sophos on your search heads, indexers, and forwarders.
Refer to the document below for detailed information on the Splunk Add-on for Sophos:

http://docs.splunk.com/Documentation/AddOns/released/Sophos/Description
Go through all the topics on the left side, like Overview, Installation and Configuration, etc.

0 Karma

salbro
Path Finder

Thanks for the reply. Unfortunately, this is not the version I was asking about, so my apologies for not being clear. Below are the links for the app & add-on in question:

https://splunkbase.splunk.com/app/4096/
https://splunkbase.splunk.com/app/4097/

The deprecated version in question was: https://splunkbase.splunk.com/app/3612/

0 Karma

eegiievol
Explorer

Have you resolved the issue? I have configured the inputs config and see nothing. I saw this error in the log file:

HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Cannot call handler 'SophosAddOnForSplunk_sophos_central_events' due to missing script 'SophosAddOnForSplunk_rh_sophos_central_events.py'."}]}

0 Karma
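A quick check for the class of error quoted in the post above, added here as an example and not taken from the thread or from the Sophos add-on itself: it lists every REST handler script that an add-on's restmap.conf references but that is absent from its bin/ directory, which is exactly what the "missing script" message is complaining about. It assumes the layout Splunk Add-on Builder generates (default/restmap.conf with [admin_external:<handler>] stanzas and a handlerfile key); the sample add-on directory it builds is constructed.

```python
"""Added diagnostic, not part of the thread or of the Sophos add-on itself.
Assumption: default/restmap.conf has [admin_external:<handler>] stanzas whose
'handlerfile' key names a Python script that must exist in the add-on's bin/."""
import configparser
import os
import re
import tempfile

# Error text quoted in the thread; the script name in it is the file to look for.
ERROR_LINE = ('HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":'
              '"Cannot call handler \'SophosAddOnForSplunk_sophos_central_events\' due to '
              'missing script \'SophosAddOnForSplunk_rh_sophos_central_events.py\'."}]}')
MISSING_RE = re.compile(r"missing script '([^']+)'")


def script_from_error(message):
    """Return the script name named in a 'missing script' handler error, or None."""
    m = MISSING_RE.search(message)
    return m.group(1) if m else None


def missing_handler_scripts(app_dir):
    """Map handler name -> expected path for every handlerfile absent from bin/."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(os.path.join(app_dir, "default", "restmap.conf"))
    missing = {}
    for stanza in cfg.sections():
        if not stanza.startswith("admin_external:"):
            continue
        script = cfg[stanza].get("handlerfile")
        if script:
            path = os.path.join(app_dir, "bin", script)
            if not os.path.isfile(path):
                missing[stanza.split(":", 1)[1]] = path
    return missing


def demo():
    """Constructed add-on dir: one handler script present, the events handler missing."""
    app_dir = os.path.join(tempfile.mkdtemp(), "SophosAddOnForSplunk")
    os.makedirs(os.path.join(app_dir, "default"))
    os.makedirs(os.path.join(app_dir, "bin"))
    with open(os.path.join(app_dir, "default", "restmap.conf"), "w") as f:
        f.write("[admin_external:Constructed_present_handler]\n"
                "handlertype = python\n"
                "handlerfile = Constructed_rh_present.py\n\n"
                "[admin_external:SophosAddOnForSplunk_sophos_central_events]\n"
                "handlertype = python\n"
                "handlerfile = SophosAddOnForSplunk_rh_sophos_central_events.py\n")
    open(os.path.join(app_dir, "bin", "Constructed_rh_present.py"), "w").close()
    return missing_handler_scripts(app_dir)
```

Run `missing_handler_scripts("/opt/splunk/etc/apps/<add-on>")` against a real install; an empty result means every handler the add-on registers has its script in place, and the error must come from somewhere else.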