Splunk Inc. is a market leader in analyzing machine-generated big data to deliver operational intelligence for business, security and IT. Splunk software captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations that drive digital transformation.
This article describes the steps to integrate Sophos XG Firewall with Splunk. This scenario has been tested and validated using Sophos XG Firewall v17.5 MR5 and Splunk Enterprise 7.3.0 installed on Windows Server 2012 R2.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Please refer to the Installing Splunk Enterprise on Windows video on the official Splunk website for detailed instructions. For installation on other platforms, and for other Splunk training videos, refer to All Splunk Videos.
Once Splunk is successfully installed, search for Splunk Enterprise and click to open it.
Sign in with the administrator's credentials configured earlier during the installation.
Go to Settings > Data inputs.
In the Local inputs section, scroll down to UDP and click + Add new.
Select UDP, enter the syslog port number (port 514 by default), optionally enter the XG Firewall's IP address in the Only accept connection from field, and click Next.
In the Input Settings page, click New.
Set the Source Type to XG_log and the Source Type Category to Custom then click Review.
Review the settings and click Submit.
The Splunk configuration is now complete. Next, configure the XG Firewall to send its logs to Splunk so that you can start searching and analyzing the data.
Go to System Services > Log Settings and click Add to define the Splunk server as a syslog server.
Fill all fields and save.
In Log Settings you should now have a column labeled with the Splunk server's name. Check the event types you would like to send to the Splunk server and click Apply.
In the Splunk web interface, select Apps > Search & Reporting.
The log events generated by the XG should now be indexed in Splunk, as shown below. Click Data Summary.
Then click on the host (the XG) IP address.
Detailed log events should be seen here for more analysis.
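Before relying on the Splunk search to confirm the integration, it is useful to verify on the Splunk host that XG syslog datagrams actually arrive and that the key="value" lines split into fields the way you expect. The script below is an added example, not part of the original article or of Sophos or Splunk software: it plays both sides on loopback (a sender standing in for the XG and a UDP listener standing in for the Splunk input, including the "Only accept connection from" source restriction) and parses the event. The sample event and its field names are constructed in the style XG writes to syslog; they are assumptions for illustration, not values taken from the article.

```python
import re
import socket
from typing import Optional

# Constructed sample event in the key="value" syslog style Sophos XG uses.
# Field names and values are assumed for illustration only (RFC 5737 addresses).
SAMPLE_EVENT = (
    '<14>device="SFW" date=2019-04-10 time=10:15:42 timezone="CET" '
    'device_name="XG135" log_type="Firewall" log_subtype="Allowed" '
    'status="Allow" src_ip=192.0.2.10 dst_ip=198.51.100.20 '
    'src_port=51234 dst_port=443 protocol="TCP" fw_rule_id=3'
)

# One pattern handles both quoted values (key="a b") and bare values (key=v).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_xg_event(line: str) -> dict:
    """Split one key=value syslog line into a dict; quoted values keep spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def accept_source(sender_ip: str, allowed: Optional[str]) -> bool:
    """Mirror the Splunk input's 'Only accept connection from' restriction.

    UDP syslog carries no authentication, so pinning the sender address is the
    only filter available at the input; None means accept from anywhere.
    """
    return allowed is None or sender_ip == allowed


def send_event(line: str, port: int) -> None:
    """Stand-in for the XG syslog client: one UDP datagram per event."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), ("127.0.0.1", port))


def roundtrip(line: str, allowed: Optional[str] = "127.0.0.1") -> Optional[dict]:
    """Run listener and sender in one process over loopback.

    Returns the parsed event if the datagram arrives from an allowed sender,
    otherwise None. An ephemeral port is used here; the real input listens
    on 514, which needs elevated privileges and must not clash with Splunk.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        listener.settimeout(2.0)
        send_event(line, port)  # datagram is queued on the bound socket
        try:
            data, (sender_ip, _) = listener.recvfrom(65535)
        except socket.timeout:
            return None
    finally:
        listener.close()
    if not accept_source(sender_ip, allowed):
        return None
    return parse_xg_event(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    event = roundtrip(SAMPLE_EVENT)
    for key in ("log_type", "status", "src_ip", "dst_ip", "dst_port"):
        print(f"{key} = {event[key]}")
```

If the loopback check parses the event but nothing shows up in Splunk, the problem is between the firewall and the Splunk host (routing, a host firewall blocking UDP 514, or a mismatch between the address configured on the XG and the one entered in the Only accept connection from field) rather than in the input definition itself.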
Read more about Splunk in:
Note: A Splunk Technical Add-on (TA) to map to the Splunk CIM is currently not available. Any enterprising Splunk admin can create their own TA by following Splunk Add-on Builder User Guide.