
SophosXG elasticsearch filebeat module not importing fields

www.elastic.co/.../filebeat-module-sophos.html

I am trying to use the Sophos module that you seem to have contributed to the ELK stack. I followed the documentation at www.elastic.co/.../filebeat-module-sophos.html and was able to get the data into ES. The issue is that I cannot see the fields in the message. All data is inside a field called message.

At a high level I am using the Filebeat Sophos XG module, Logstash and ES. I enabled the Sophos module, uploaded the template with the command "filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601", and I am getting the data, but it is not being split into fields. I am not an ELK expert; the only reason I am using it is to view my Sophos XG logs. Where can things go wrong? Any troubleshooting steps, please?

Seems to be the contributor to this module. Can you or anyone else help?



This thread was automatically locked due to age.
  • I found the answer by posting in the Elasticsearch community. It is working without Logstash; if you need to use Logstash, follow the solution given in this thread:

    https://discuss.elastic.co/t/es-7-15-filebeats-sophos-xg-module-not-separating-data-into-variables/288577

    Now I get the data into the Elastic Stack with separated fields.

    If anyone wants a tutorial on what I did to get to this stage, here is what I followed; hope it helps.

    Followed this to install ELK on Ubuntu:

    https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-18-04

    After it is working, modify the Filebeat configuration to send output directly to the Elastic Stack:

    /etc/filebeat/filebeat.yml - enable the following output and disable the logstash output:

    output.elasticsearch:

      hosts: ["localhost:9200"]

    Enable the Sophos module: filebeat modules enable sophos

    Edit the /etc/filebeat/modules.d/sophos.yml file and configure it for Sophos XG.

    In Sophos XG, configure syslog to send logs to port 9005 / UDP / "Central Reporting Format".

    Restart Filebeat; Logstash is no longer needed, so you can probably stop it. The Elasticsearch, Kibana and Filebeat services need to be running.

    That should be it.

    (Note: I did not get any dashboards with the module.)
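    Added illustration, not part of the thread and not the Filebeat module's own code. The module's field splitting runs as an Elasticsearch ingest pipeline, which Filebeat names on the requests it sends straight to Elasticsearch; with Logstash in between, the pipeline is applied only if the Logstash elasticsearch output passes it on, which is why "everything is inside message" shows up in that setup. The parser below does the same key=value split on a constructed Sophos XG line (made-up values in the style of the Central Reporting Format), and is_unparsed() applies the check you would run on a document fetched from the index. The sophos.xg. field prefix used in the check is an assumption, not something the thread confirms.

```python
import re

# Constructed sample of a Sophos XG firewall event in the key=value style of
# its "Central Reporting Format" syslog output; every value here is made up.
SAMPLE_MESSAGE = (
    'device="SFW" date=2021-10-20 time=10:15:30 timezone="UTC" '
    'device_name="SFVUNL" log_id=010101600001 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'priority=Information fw_rule_id=3 src_ip=10.0.0.5 dst_ip=192.0.2.10 '
    'protocol="TCP" src_port=51515 dst_port=443 bytes_sent=1432 bytes_received=8820'
)

# One key=value token: the value is either a double-quoted run (may contain
# spaces and '=') or a bare run up to the next whitespace.
_PAIR = re.compile(r'([\w.-]+)=(?:"([^"]*)"|(\S*))')


def parse_crf(message):
    """Split one CRF line into a {key: value} dict; values stay strings,
    exactly as a raw syslog line carries them."""
    fields = {}
    for match in _PAIR.finditer(message):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def _flatten(obj, prefix=""):
    """Collect every dotted key path present in a nested document dict."""
    paths = set()
    for key, value in obj.items():
        path = prefix + key
        paths.add(path)
        if isinstance(value, dict):
            paths |= _flatten(value, path + ".")
    return paths


def is_unparsed(source):
    """True when an indexed document still carries the raw line in 'message'
    but none of the keys that line contains, i.e. the module's ingest pipeline
    never ran on it. Looks for the keys both bare and under the assumed
    'sophos.xg.' prefix the module is expected to nest them under."""
    msg = source.get("message")
    if not isinstance(msg, str):
        return False
    keys = parse_crf(msg)
    if not keys:
        return False  # not a key=value line at all, nothing to judge
    present = _flatten(source)
    return not any(k in present or "sophos.xg." + k in present for k in keys)


if __name__ == "__main__":
    parsed = parse_crf(SAMPLE_MESSAGE)
    print(f"{len(parsed)} fields, bytes_sent={parsed['bytes_sent']!r}")
    print("raw-only document:", is_unparsed({"message": SAMPLE_MESSAGE}))
```

    To use it against real data, pull a handful of hits with a search on the filebeat index and pass each hit's _source to is_unparsed(); if it is True for all of them, the data is arriving but the pipeline is not being applied, which points at the output path (Logstash in the middle) rather than at the Sophos side of the configuration.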

    • I think you have written this filebeat-sophos module. I do not see fields like bytes_sent getting ingested as numeric; instead they are string fields. How do I troubleshoot this? I am using ES 7.15.1 and Sophos 18.5.1. If you can give some guidance, please.
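    Added example for the bytes_sent question, not part of the thread and not the module's code. The type a value has at rest is decided by the index mapping, not by the log line, so the first check is the mapping of the index that received the data; an existing index cannot change a field from keyword to long, so the fix is either to load the module's template before the next index is created or to reindex. find_mistyped() walks a mapping response (a constructed one below, shaped like the body of GET filebeat-*/_mapping), build_convert_pipeline() produces an Elasticsearch ingest pipeline using the convert processor to cast the strings before indexing, and coerce_event() is a local dry run of the same cast. The field names other than bytes_sent, and the sophos.xg. prefix, are assumptions to be adjusted to what your own index shows.

```python
import json

# Counters and ports expected to be numeric. "bytes_sent" is the field from
# the thread; the other names are assumed here for illustration.
NUMERIC_FIELDS = {
    "bytes_sent": "long",
    "bytes_received": "long",
    "src_port": "integer",
    "dst_port": "integer",
}

# Assumed prefix under which the module nests its parsed keys.
FIELD_PREFIX = "sophos.xg."


def flatten_properties(properties, prefix=""):
    """Walk a mapping's 'properties' tree into {'a.b.c': type}."""
    types = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            types.update(flatten_properties(spec["properties"], path + "."))
        else:
            types[path] = spec.get("type", "object")
    return types


def find_mistyped(mapping_response, numeric_fields=NUMERIC_FIELDS, prefix=FIELD_PREFIX):
    """Return {'index:field': actual_type} for every expected-numeric field
    that the index maps to something else (or does not map at all)."""
    problems = {}
    for index, body in mapping_response.items():
        types = flatten_properties(body["mappings"].get("properties", {}))
        for key, wanted in numeric_fields.items():
            path = prefix + key
            actual = types.get(path, "<missing>")
            if actual != wanted:
                problems[f"{index}:{path}"] = actual
    return problems


def build_convert_pipeline(numeric_fields=NUMERIC_FIELDS, prefix=FIELD_PREFIX):
    """Ingest pipeline body (PUT _ingest/pipeline/<name>) that casts the
    string values to numbers with the 'convert' processor; ignore_missing
    keeps events that lack a counter from failing the pipeline."""
    return {
        "description": "cast Sophos XG counters to numeric types",
        "processors": [
            {"convert": {"field": prefix + key, "type": typ, "ignore_missing": True}}
            for key, typ in numeric_fields.items()
        ],
    }


def coerce_event(event, numeric_fields=NUMERIC_FIELDS, prefix=FIELD_PREFIX):
    """Apply the same casts to one flat event dict locally. Values that are
    not clean integers are left untouched and reported, so the caller can see
    which events the pipeline's convert step would reject."""
    fixed = dict(event)
    skipped = []
    for key in numeric_fields:
        path = prefix + key
        if isinstance(fixed.get(path), str):
            try:
                fixed[path] = int(fixed[path])
            except ValueError:
                skipped.append(path)
    return fixed, skipped


# Constructed mapping excerpt shaped like a GET filebeat-*/_mapping response,
# with bytes_sent indexed as keyword (the symptom described in the thread).
SAMPLE_MAPPING = {
    "filebeat-7.15.1-2021.10.20": {
        "mappings": {
            "properties": {
                "message": {"type": "text"},
                "sophos": {"properties": {"xg": {"properties": {
                    "bytes_sent": {"type": "keyword"},
                    "bytes_received": {"type": "long"},
                    "src_port": {"type": "integer"},
                    "dst_port": {"type": "integer"},
                }}}},
            }
        }
    }
}

if __name__ == "__main__":
    print("mistyped:", find_mistyped(SAMPLE_MAPPING))
    print(json.dumps(build_convert_pipeline(), indent=2))
```

    Feed find_mistyped() the JSON of a real mapping request to see which fields are wrong; a keyword where a long was expected means the documents were indexed before the module's template applied, and only a new index (after filebeat setup) or a reindex will change it. The convert pipeline is a stop-gap for casting at ingest time when you cannot control the template; the values still land as strings if the index mapping itself says keyword, so the mapping check comes first.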