List of possible log Events for SIEM integration

I need to integrate the Sophos Central events into our SIEM. I need to create regexes for event types like:

  • Event::Endpoint::UpdateSuccess
  • Event::Endpoint::WebControlViolation

Where can I find the list of event types?



This thread was automatically locked due to age.
  • I have not. I use syslog to send events from Sophos to my SIEM, and it works fine. My problem was that my SIEM didn't have mappings from the event ID to anything useful (like the severity, type of event, description, etc.). This was just an extract from the database to allow me to populate the SIEM.

    There's still work to do. My SIEM (Alienvault) has event types and severity, but of course they don't map one-to-one to those used by Sophos. But at least my SIEM reports now list the type of event that Sophos is seeing.

  • The context here was Sophos Central API and not firewall. I am running the Sophos API script to pull endpoint events in CEF format. This puts them in a flat file, which I use a SIEM agent to monitor and pull in new entries from. You can also forward them as syslog output, but I'm running a 15 minute task scheduler job on the Windows server that is doing my AD Sync as well. You just have to install Python first, then you can configure and run the script. Everything is located here: https://community.sophos.com/kb/en-us/125169

  • We're looking to do the same thing, we have the API script up and working and our SIEM is pulling in the data. I need to define some processing policies now though to separate out the different events. Is there any sort of documentation that outlines what the various fields are in the log file along with possible values so I can put them into some form of context?
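Editor's added example, covering both the original question (a regex for the `Event::<Area>::<Name>` type strings) and the later replies about processing the CEF flat file and mapping event types to SIEM severity and category. This is not code from the thread, the linked KB article, or Sophos's own script. It assumes the lines follow the standard CEF header layout (`CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension`) and that the extension carries `rt`, `dhost`, `suser`, `request` and `type` keys; the sample lines, the `EVENT_MAP` table and the `Event::Endpoint::PlaceholderType` value are all constructed for illustration and must be replaced with what your own script actually emits and the severities your SIEM uses.

```python
"""Parse CEF lines from a Sophos Central SIEM export and normalize the
Event::<Area>::<Name> type into SIEM-side category and severity fields.

Sample lines and the EVENT_MAP table below are constructed for this
example; the CEF field names are assumptions, not Sophos documentation."""
import re
from typing import Optional

# Sophos Central event types in the thread follow Event::<Area>::<Name>
# (e.g. Event::Endpoint::UpdateSuccess); this is the regex the question asked for.
EVENT_TYPE_RE = re.compile(r"^Event::(?P<area>[A-Za-z0-9]+)::(?P<name>[A-Za-z0-9]+)$")

# CEF header fields are '|'-separated; a literal pipe inside a field is escaped as '\|'.
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")

# CEF extension is key=value pairs separated by spaces. Values may contain spaces
# or '=' (URLs), so each value runs until the next " key=" or the end of the line.
EXT_KV_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")

# ASSUMED mapping (not from Sophos): event type -> (SIEM category, SIEM severity).
EVENT_MAP = {
    "Event::Endpoint::UpdateSuccess": ("Endpoint Update", "informational"),
    "Event::Endpoint::WebControlViolation": ("Web Policy Violation", "medium"),
}
DEFAULT_MAP = ("Unclassified Sophos Event", "low")  # fallback for types not yet mapped


def unescape_header(field: str) -> str:
    """Undo CEF header escaping ('\\|' -> '|', '\\\\' -> '\\')."""
    return field.replace(r"\|", "|").replace(r"\\", "\\")


def parse_cef(line: str) -> Optional[dict]:
    """Split one CEF line into header fields plus an extension dict; None if malformed."""
    if not line.startswith("CEF:"):
        return None
    parts = HEADER_SPLIT_RE.split(line.strip(), maxsplit=7)
    if len(parts) != 8:
        return None
    keys = ("cef_version", "vendor", "product", "device_version",
            "signature_id", "cef_name", "severity")
    rec = {k: unescape_header(v) for k, v in zip(keys, parts[:7])}
    rec["extension"] = {m.group("key"): m.group("value")
                        for m in EXT_KV_RE.finditer(parts[7])}
    return rec


def classify_event(event_type: str) -> dict:
    """Break Event::<Area>::<Name> apart and attach the SIEM category/severity."""
    m = EVENT_TYPE_RE.match(event_type)
    category, severity = EVENT_MAP.get(event_type, DEFAULT_MAP)
    return {
        "type": event_type,
        "area": m.group("area") if m else None,
        "name": m.group("name") if m else None,
        "siem_category": category,
        "siem_severity": severity,
        "known_type": event_type in EVENT_MAP,  # flag so unmapped types can be reviewed
    }


def normalize(line: str) -> Optional[dict]:
    """One CEF line -> flat dict ready for a SIEM processing policy, or None."""
    rec = parse_cef(line)
    if rec is None:
        return None
    ext = rec["extension"]
    # Prefer an explicit 'type' extension key (assumed); fall back to the CEF Signature ID.
    event_type = ext.get("type", rec["signature_id"])
    out = classify_event(event_type)
    out.update({
        "cef_severity": rec["severity"],
        "host": ext.get("dhost"),
        "user": ext.get("suser"),
        "time": ext.get("rt"),
        "request": ext.get("request"),
    })
    return out


def process(lines):
    """Normalize a batch of lines; returns (events, number of skipped lines)."""
    events, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = normalize(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


# Constructed sample input in the layout the CEF export is assumed to use.
SAMPLE_LINES = [
    "CEF:0|sophos|sophos central|1.0|Event::Endpoint::UpdateSuccess|Update succeeded|1|"
    "rt=2024-01-09T10:15:02Z dhost=WS-0142 suser=jdoe type=Event::Endpoint::UpdateSuccess",
    "CEF:0|sophos|sophos central|1.0|Event::Endpoint::WebControlViolation|Web control violation|5|"
    "rt=2024-01-09T10:16:40Z dhost=WS-0142 suser=jdoe request=http://example.test/page?id=1 "
    "type=Event::Endpoint::WebControlViolation",
    # Placeholder type (not a real Sophos event) to exercise the unknown-type fallback.
    "CEF:0|sophos|sophos central|1.0|Event::Endpoint::PlaceholderType|Placeholder|3|"
    "rt=2024-01-09T10:17:00Z dhost=WS-0143 type=Event::Endpoint::PlaceholderType",
    "this line is not CEF and must be skipped",
]

if __name__ == "__main__":
    evs, skipped = process(SAMPLE_LINES)
    for ev in evs:
        print(ev["time"], ev["siem_severity"], ev["siem_category"], ev["host"], ev["user"])
    print("skipped:", skipped)
```

The `known_type` flag is the practical part: run the script over a day of real output, collect the distinct `type` values where `known_type` is false, and extend `EVENT_MAP` from that list rather than from documentation you do not have. Note that the lazy value match in `EXT_KV_RE` keeps `=` inside URLs intact but will misparse a value that itself contains a bare " word=" sequence; if your export escapes `=` as `\=` per the CEF spec, add a matching unescape step.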