
AWS Sophos UTM 9 - How to Properly Send Logs to SIEM?

I understand that Sophos UTM 9 can send logs via syslog or SNMP. I'm looking to set up external logging; high level idea in image below.

Currently I'm looking at either Splunk or ELK (Elasticache + LogStash + Kibana). Note that I cannot use a managed logging solution like Loggly or Sumo Logic.

The Splunk Add-on for Splunk doesn't seem like what I need and I'm not finding much documentation on how to properly export logs to a SIEM. I write properly because logging isn't as easy as it sounds; for example you shouldn't send syslogs straight to the syslog collector because if the collector is rebooted logs could disappear.

Sophos support told me that SNMP is the best way to export logs but again, I cannot find any examples with popular SIEMs to implement.

I also looked at the SUM to manage both Sophos UTM 9s but I didn't like the interface and the SUM doesn't do as much "centralized management" as I was hoping.

What is the community doing for centralized logging and if possible could you share config steps?



  • Thanks - I'm actually using Splunk and sending remote Syslogs from my Sophos UTMs to a TCP listener on my Splunk indexer. However, apparently Sophos uses a different format for SYSLOGs than the Splunk default SYSLOG format so I had to do some customizations. 

    I didn't notice this Splunk app and it looks like you are the developer - cool stuff.

    Apologies if I missed it but any guides on getting started?

    I have installed the app but not seeing where to add my Sophos UTMs - I checked the Manage Apps section but didn't see anything to configure there.
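The format difference mentioned above (Sophos UTM writes its events as key="value" pairs after the syslog header, which the default Splunk syslog sourcetype does not split into fields) as an added example in Python; this is not code from the thread or from the Splunk app being discussed. The sample lines are constructed in the UTM key="value" style, and their hostnames, IPs, rule numbers and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" style Sophos UTM sends over syslog.
# Values (host, IPs, rule ids, times) are made up for illustration.
SAMPLE_LINES = [
    '<134>Nov  3 10:15:22 utm01 ulogd[4567]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="203.0.113.5" dstip="198.51.100.2" proto="6" srcport="51234" dstport="22"',
    '<134>Nov  3 10:15:23 utm01 ulogd[4567]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" '
    'srcip="192.168.1.25" dstip="192.168.1.230" proto="6" srcport="40000" dstport="443"',
    '<134>Nov  3 10:15:24 utm01 ulogd[4567]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="203.0.113.5" dstip="198.51.100.2" proto="6" srcport="51235" dstport="23"',
    'this line is not a UTM event and must be skipped',
]

# Classic BSD syslog header: optional <PRI>, timestamp, host, program[pid]: body
HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<body>.*)$'
)
# UTM body fields: key="value", values may contain spaces (e.g. name="Packet dropped")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of header + UTM fields, or None if the line is not a UTM event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('body')))
    if not fields:
        return None
    event = {
        'host': m.group('host'),
        'program': m.group('prog'),
        'timestamp': m.group('ts'),
    }
    if m.group('pri') is not None:
        pri = int(m.group('pri'))
        event['facility'] = pri // 8      # RFC 3164: PRI = facility*8 + severity
        event['severity_num'] = pri % 8
    event.update(fields)
    return event


def parse_lines(lines):
    """Parse a batch of raw syslog lines, silently dropping non-UTM lines."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def drops_by_source(events):
    """Count packetfilter drops per source IP, the kind of panel a UTM dashboard starts with."""
    return dict(Counter(
        e['srcip'] for e in events if e.get('action') == 'drop' and 'srcip' in e
    ))


if __name__ == '__main__':
    evs = parse_lines(SAMPLE_LINES)
    for ev in evs:
        print(ev['timestamp'], ev['host'], ev.get('action'), ev.get('srcip'), '->',
              ev.get('dstip'), ev.get('dstport'))
    print('drops by source:', drops_by_source(evs))
```

The same split (a regex on `(\w+)="([^"]*)"`) is what a Splunk `EXTRACT-` or `KV_MODE = auto` setting does for this sourcetype; doing it in code first is a quick way to confirm which field names (for instance `action`) the UTM actually emits before editing dashboard searches.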

  • I'm working on proper documentation, it's a work in progress. For now, I use 192.168.1.230/231 as my primary and secondary UTMs, so you may have to alter the searches to use appropriate IPs as the host. I also use 192.168.1.0/24 as my internal subnet, so you may need to change some of the network searches as well. The easiest way to modify these is to go into each dashboard and edit panels -> edit source. Just change all of the <query></query> lines accordingly. The next release should have tags instead of hard set subnets and IPs, I hope to get that done in a week or so. I can webex tomorrow evening if you'd like help modifying the app.

  • I just use syslog out to a CentOS box running syslog-ng.  I then use this to capture the file:

    destination d_sophosutm { file("/var/log/syslog-ng/sophosutm.log" template("$MSG\n")); };


    Then I just tell splunk to monitor the file that is output by syslog-ng.  The key is the template portion above.
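The reply above shows only the destination block. As an added example (not the poster's own configuration), here is the rest of a minimal syslog-ng pipeline around it: a TCP listener, a filter so only the two UTMs can write into the file, and the log path that ties them together. The UTM addresses 192.168.1.230 and 192.168.1.231 are taken from the earlier reply in this thread; the port, file path and version line are assumptions.

```conf
@version: 3.5

# Listen for the UTMs' syslog over TCP. UTM 9 offers no TLS for remote syslog
# (see the later reply), so this listener should only be reachable on the
# internal network the UTMs use to reach the collector.
source s_sophosutm {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Accept events only from the two UTMs (sender address, not the hostname in the
# message, so a spoofed header from another host does not land in this file).
filter f_sophosutm {
    netmask("192.168.1.230/32") or netmask("192.168.1.231/32");
};

# template("$MSG\n") writes the UTM's key="value" message on its own, without
# the syslog header syslog-ng would otherwise prepend; this is the part the
# reply above calls the key.
destination d_sophosutm {
    file("/var/log/syslog-ng/sophosutm.log" template("$MSG\n") create-dirs(yes));
};

log {
    source(s_sophosutm);
    filter(f_sophosutm);
    destination(d_sophosutm);
};
```

On the Splunk side the file is picked up with a `[monitor:///var/log/syslog-ng/sophosutm.log]` stanza in inputs.conf with a dedicated sourcetype, so the key="value" extraction applies only to these events. Because the events are written to disk before Splunk reads them, a restart of the Splunk forwarder or indexer does not lose what the UTMs sent in the meantime, which addresses the reliability concern in the original question.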

  • Hi


    Were you able to resolve the issue?  I am using "Remote Syslog Server" and pointing syslogs to Splunk but I do not see any logs coming in.

  • I got my Sophos UTM 9s to send syslogs to Splunk (not using the above plugin however) but unfortunately, Sophos UTM provides no way to send syslog over TLS. I work in a heavily regulated space so I had to raise that issue as a risk. Not a super big deal since I wasn't sending logs over the public Internet but annoying nonetheless.

    Fortunately, Sophos has finally started making UTM more AWS "aware" - the newer appliances have the Cloudwatch agent installed so you can send logs to CloudWatch. Since AWS is getting much better at letting you work with logs I'm moving off of Splunk to save money and reduce complexity.

    Anyway, if you go the Cloudwatch route make sure to use the HA Standalone version of the UTM appliance though, as the Standalone version does not have the Cloudwatch agent installed - at least back in Jan 2017.

    Here is what the tab looks like:


  • Glad to hear that it's working for you at least.  I also work in a heavily regulated space and how they are doing HA will not work for us.   As you have mentioned, what steps did you take to get syslog from Sophos to Splunk?  

  • Hi BryanSchaefer,


    I know this is quite an old post but wondering if you ever got anywhere on developing the newer release. I've been a UTM user for a long time and now I'm adding in Splunk (at which I'm a total novice). I struggled to find any app that would work with the UTM but yours has a great foundation. I've been going through updating the IPs to my network, my sourcetype had a different name, and it seems 'vendor_action' is no longer accurate and is 'action' now. Splunk is also showing deprecation on a lot of your lines but appears to still work.


    Anyway, I'm certainly not complaining but wondered if you had any updates, information to add, etc. Overall this is a huge step from just viewing raw syslog!


    FWIW, I'm on the latest release of everything. UTM 9.503, Splunk 7.0.0, and your app release 1.5