Sumo Logic does not currently provide an out-of-the-box Source to collect logs from Sophos; however, Sophos provides a script (linked below) that can be used to integrate with different SIEM providers.
https://github.com/sophos/Sophos-Central-SIEM-Integration
The script provided by Sophos calls the Sophos API and can send the output either to a file or to stdout. Using this script together with a Script Source on an Installed Collector, we can send the results to Sumo Logic.
Note: It is suggested to run the Sophos script manually the first time, before configuring your Script Source, to understand the format of the messages that Sophos provides. This may be needed to properly configure the multi-line and timestamp parsing options on the Source.
1.) Download the script provided by Sophos
https://github.com/sophos/Sophos-Central-SIEM-Integration
2.) Open config.ini in a text editor.
3.) Under 'API Access URL + Headers' in the config file, copy and paste the API Access URL + Headers block from the API Token Management page in Sophos Central.
4.) Under json, cef or keyvalue, choose the preferred output format of the response, i.e. json, cef or keyvalue. You will most likely want to set this to JSON.
5.) Under filename, you can specify the file your output will be saved to. Options are syslog, stdout or any custom file name. For our case we want to use stdout.
Note: If you go with a custom file, the Sophos logs will be saved into that file and you need to create an additional Local File Source to ingest those logs into Sumo Logic.
6.) Download and install a Collector on the same host as the script.
7.a) Create a Script Source on that Collector that runs the "siem.py" script provided by Sophos directly:
a.) Set the "Frequency" to "Every 15 minutes"
b.) Set the "Command" to "/usr/bin/python"
c.) Enter the path and name of the Sophos script in the "Type a path to the script to execute." box.
OR
7.b) Create a Script Source on that Collector that invokes the "siem.py" script provided by Sophos through a shell:
a.) Set the "Frequency" to "Every 15 minutes"
b.) Set the "Command" to "/bin/sh"
c.) Enter the command and path/name of the Sophos script in the "Type the script to execute." box.
Ex: "python /path/to/siem.py"
8.) Configure the multi-line and timestamp parsing options according to the output generated by the script.
9.) Save the Source, wait 10 minutes and then review Sumo Logic to ensure logs are being received.
If no logs are being received, check the collector.log file of the Collector for errors when attempting to run the script.
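The note above recommends running the Sophos script manually once to learn the message format before setting the multi-line and timestamp options in step 8. The following checker is an added example (not part of the Sophos script or of Sumo Logic): run the Sophos script with filename set to stdout, redirect its output to a file, and point this checker at that file. It reports whether every line is a self-contained JSON object (in which case multi-line processing can be turned off) and which fields carry a timestamp, and in what form, so the Source's timestamp parsing can be set to match. The sample lines embedded below are constructed for illustration; the field names in them ("when", "type", "severity") are assumptions, not a description of the real Sophos event schema.

```python
"""Pre-flight check for a Sophos SIEM export captured to a file.

Added example, not part of the Sophos script or of Sumo Logic.  Usage:
    python siem.py > sophos_sample.txt      (with filename = stdout)
    python check_export.py sophos_sample.txt
"""
import json
import re
import sys

# Constructed sample of a JSON-per-line export.  Field names are
# assumptions for illustration only; the third line is deliberately
# malformed to show how a non-JSON line is reported.
SAMPLE_OUTPUT = """\
{"when": "2024-01-15T10:22:31.000Z", "type": "Event::Endpoint::Threat::Detected", "severity": "high"}
{"when": "2024-01-15T10:25:02.000Z", "type": "Event::Endpoint::UpdateSuccess", "severity": "low"}
not json at all
"""

# ISO 8601 with optional fractional seconds and either 'Z' or a numeric offset.
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def classify_timestamp(value):
    """Return a label for a value that looks like a timestamp, else None."""
    if isinstance(value, str) and ISO_RE.match(value):
        return "iso8601"
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    if 1_000_000_000 <= value <= 9_999_999_999:   # plausible seconds since epoch
        return "epoch_seconds"
    if value >= 1_000_000_000_000:                 # plausible milliseconds since epoch
        return "epoch_millis"
    return None


def analyze_export(text):
    """Parse each non-empty line as JSON and summarise what the Source needs."""
    lines = [line for line in text.splitlines() if line.strip()]
    parsed, bad = [], []
    for idx, line in enumerate(lines, 1):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(idx)
            continue
        if isinstance(obj, dict):
            parsed.append(obj)
        else:
            bad.append(idx)          # valid JSON but not an event object
    timestamp_fields = {}
    for obj in parsed:
        for key, value in obj.items():
            label = classify_timestamp(value)
            if label:
                timestamp_fields.setdefault(key, set()).add(label)
    return {
        "total_lines": len(lines),
        "json_lines": len(parsed),
        "non_json_lines": bad,                       # 1-based line numbers
        "one_event_per_line": not bad and len(parsed) == len(lines),
        "timestamp_fields": {k: sorted(v) for k, v in timestamp_fields.items()},
    }


def recommend(report):
    """Turn the analysis into plain-language guidance for step 8."""
    advice = []
    if report["one_event_per_line"]:
        advice.append("Every line is a complete JSON event: multi-line processing is not needed.")
    else:
        advice.append("Lines %s are not JSON objects; inspect them before deciding on a "
                      "multi-line boundary." % report["non_json_lines"])
    if report["timestamp_fields"]:
        for field, kinds in report["timestamp_fields"].items():
            advice.append("Field '%s' holds a %s timestamp; set timestamp parsing to match it."
                          % (field, "/".join(kinds)))
    else:
        advice.append("No timestamp field detected; the Source will fall back to receipt time.")
    return advice


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    report = analyze_export(text)
    print(json.dumps(report, indent=2))
    for line in recommend(report):
        print("-", line)
```

Run without an argument it analyses the embedded sample; with a file path it analyses your real capture. The epoch heuristics are deliberately coarse (a numeric field in the right range is only a candidate), so treat the timestamp advice as a hint to confirm against the documented field, not as a final answer.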