Introducing the EAP release for our latest integration; Splunk for Sophos (XG) firewall.
Splunk provides an excellent compliment to Sophos Central cloud-based reporting for on-premise data storage, dashboarding and reporting of firewall log data.
*Note: This beta installer is provided to our partners and customers solely for the purpose of testing and feedback. Upon completion of the EAP phase, these installation files will be deleted from this location. The GA (Generally Available) installers will be made available for download free of charge from the Splunkbase marketplace upon announcement of official release.
This integration consists of 2 Splunk applications:
An overview of the dashboard Apps are provided below.
Threat Dashboard - Use this dashboard to understand threat trends and view threats by type, severity and Source IP over time
Firewall Overview - Quickly determine usage trends of your firewall device with widgets such as Interface Usage and Web Sessions over time.
Web - Provides a snapshot view of web trends and usage over time
Firewall Top 10 - See top trends across application and traffic usage
Traffic - Provides a deeper dive into traffic analysis and visualization
Users - View and filter user interactions by time, group, name and IP address
VPN - View VPN trends such as Usage Over Time, Connection Types, and Web Categories accessed via VPN
Google Chrome, Mozilla Firefox
CentOS, Ubuntu, Windows
Splunk Enterprise, Splunk Cloud
Splunk Enterprise Version
8.1.x, 8.0.x, 7.3.x
Splunk CIM Version
SFOS 18.0.1 MR-1-Build396 or later
Based on your Splunk deployment as determined from your capacity planning, follow the steps below to install the Splunk applications as either a Stand alone or Distributed instance.
If you are using “Distributed Splunk Deployment”, refer to the below tables to determine where to install your respective applications.
Sophos (XG) Firewall Add-on For Splunk
Splunk Instance Type
Heavy Forwarder/Universal Forwarder
The TA can either be installed on a heavy forwarder or universal forwarder.
Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data.
Search Head/Search Head Cluster
Sophos App For Splunk
Once the installation of the Sophos (XG) Firewall Add-on For Splunk is done successfully, follow these steps to configure:
The Sophos (XG) Firewall Add-on For Splunk manages inputs through TCP or UDP inputs provided by Splunk. To configure inputs follow the respective instructions below
[SSL]requireClientCert = falserootCA = $SPLUNK_HOME/etc/auth/ca.pem # Location of root CAserverCert = $SPLUNK_HOME/etc/auth/server.pem # Location of server certificatepassword = <password of server.pem file> [tcp-ssl://10514] # tcp-ssl://<port number>index = main # index on which logs will be insertedsourcetype = sophos:xg:logs:secure # Do not change sourcetype
To use the CIM mapped fields, the user first needs to configure the event type to provide the index in which the data is being collected. To configure event type:
Once the installation of the Sophos App For Splunk is done successfully, follow below steps to configure:
The user needs to update the provided macro to use the index in which Sophos data is getting collected. To configure macro:
Please see this post for a detailed table of how the data collected from the Sophos (XG) Firewall maps to the Network Traffic Common Information Data Model from Splunk.
Sophos Dashboard App For Splunk provides 7 dashboards and several visualizations to provide user insights into the data collected from the Sophos (XG) Firewall platform. The linked post provides a table mapping of panel visualization names to source types found in each dashboard.
Currently the following three event log types are not supported in the ingestor APP (TA)
Support for this application while in Early Access will be provided via the Feedback forum associated with this Wiki. Please use an existing post if your issue has already been reported, or create a new post for each new issue you wish to report.