We recently deployed a SIEM solution and I'm having issues getting our Sophos data to import into the SIEM service.
I have added the SIEM's network login account as a member of the Sophos DB Admins group on the Sophos server in an attempt to give it direct access to the database without any luck. Sophos's documentation states I need to use Reporting Interface and/or Log Writer, but I cannot find an actual how-to on downloading, installing, or setting up either of those services.
I can only find this link for Reporting Interface (https://www.sophos.com/en-us/support/documentation/reporting-interface.aspx#), but neither document tells HOW to set it up. I tried to follow the Log Writer help document (https://www.sophos.com/en-us/support/documentation/reporting-log-writer.aspx), but it appears to be outdated or not relevant to me because I cannot find the "Console downloads" section it refers to.
Any guidance would be greatly appreciated.
Hello Andrew LaFavers,
It's the SOPHOS552 database.
The Sophos Reporting Interface is a schema in the SOPHOS552 database that provides a bunch of views for direct access to the database. Since SEC51 it's installed along with the Console. Your SIEM's documentation should tell you how to access a database and a certain schema contained therein. Is remote access (I assume your SIEM runs on its own server) enabled in your SOPHOS database instance?
You should find the Reporting Log Writer here.
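As an added illustration of the reply above (not code from the thread or from Sophos), the following T-SQL grants a SIEM service account read-only access to the Reporting Interface views instead of making it a member of the Sophos DB Admins group, which gives far more than a log collector needs. It assumes the SEC database is named SOPHOS552 as stated in the thread; the account name `DOMAIN\siem-svc` and the schema name `ReportingSchema` are placeholders, and the first query is there precisely so you can read the real schema name off your own instance before granting anything.

```sql
-- Added example, not from the thread: least-privilege SIEM access to the
-- Sophos Enterprise Console database. Run as a SQL Server sysadmin in SSMS or sqlcmd.
-- Placeholders: DOMAIN\siem-svc (SIEM service account), ReportingSchema (schema name
-- that holds the Reporting Interface views, found in step 1).

-- 1. Discover which schema in SOPHOS552 holds the Reporting Interface views.
USE SOPHOS552;
GO
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.VIEWS
ORDER BY TABLE_SCHEMA, TABLE_NAME;
GO

-- 2. Map the SIEM's Windows account to a server login and a database user
--    (instead of adding it to the "Sophos DB Admins" group).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\siem-svc')
    CREATE LOGIN [DOMAIN\siem-svc] FROM WINDOWS;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\siem-svc')
    CREATE USER [DOMAIN\siem-svc] FOR LOGIN [DOMAIN\siem-svc];
GO

-- 3. Grant SELECT on the Reporting Interface schema only; no write access,
--    no access to the other schemas or tables in the database.
GRANT SELECT ON SCHEMA::[ReportingSchema] TO [DOMAIN\siem-svc];
GO

-- 4. Verify the effective permissions by impersonating the SIEM user:
--    the result should list SELECT on the schema and nothing broader.
EXECUTE AS USER = 'DOMAIN\siem-svc';
SELECT permission_name FROM fn_my_permissions('ReportingSchema', 'SCHEMA');
REVERT;
GO
```

Network reachability is a separate matter from database permissions: the SIEM must still be able to reach the SQL instance over TCP/IP (protocol enabled in SQL Server Configuration Manager, host firewall open to the SIEM's address only), which is what the question about remote access in the reply refers to.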
Remote access is turned on. Do I need to point the SIEM to the SOPHOS552 database, or the SophosSecurity database?
I don't see an option for Log Writer in the link you provided. The picture below shows my only options.
As for what you see - the LogWriter is in the same place as SEC, if you click Endpoint and Server Protection it should show your license and Download and Updates on the left. LogWriter is under Console directly below SEC.
Pointing the SIEM to the SOPHOS552 database worked! Thank you for your help.