
AWS Sophos UTM 9 - How to Properly Send Logs to SIEM?

I understand that Sophos UTM 9 can send logs via syslog or SNMP. I'm looking to set up external logging; high-level idea in the image below.

Currently I'm looking at either Splunk or ELK (Elasticache + LogStash + Kibana). Note that I cannot use a managed logging solution like Loggly or Sumo Logic.

The Splunk Add-on for Splunk doesn't seem like what I need and I'm not finding much documentation on how to properly export logs to a SIEM. I write properly because logging isn't as easy as it sounds; for example, you shouldn't send syslogs straight to the syslog collector because if the collector is rebooted logs could disappear.

Sophos support told me that SNMP is the best way to export logs but again, I cannot find any examples with popular SIEMs to implement.

I also looked at the SUM to manage both Sophos UTM 9s but I didn't like the interface and the SUM doesn't do as much "centralized management" as I was hoping.

What is the community doing for centralized logging and if possible could you share config steps?



This thread was automatically locked due to age.
  • I got my Sophos UTM 9s to send syslogs to Splunk (not using the above plugin however) but unfortunately, Sophos UTM provides no way to send syslog over TLS. I work in a heavily regulated space so I had to raise that issue as a risk. Not a super big deal since I wasn't sending logs over the public Internet but annoying nonetheless.

    Fortunately, Sophos has finally started making UTM more AWS "aware" - the newer appliances have the Cloudwatch agent installed so you can send logs to CloudWatch. Since AWS is getting much better at letting you work with logs I'm moving off of Splunk to save money and reduce complexity.

    Anyway, if you go the Cloudwatch route make sure to use the HA Standalone version of the UTM appliance though, as the Standalone version does not have the Cloudwatch agent installed - at least back in Jan 2017.

    Here is what the tab looks like:


  • Glad to hear that it's working for you at least.  I also work in a heavily regulated space and how they are doing HA will not work for us.   As you have mentioned, what steps did you take to get syslog from Sophos to Splunk?
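The two gaps raised in this thread, cleartext syslog from the UTM (first reply) and messages vanishing when the collector reboots (original post), are commonly closed with a small store-and-forward relay on the same private network as the appliance. Below is an added example of such a relay in Python; it is not Sophos code and was not posted by anyone in the thread. It assumes the UTM emits RFC 3164-style lines over plain UDP, spools every accepted line to disk with fsync before forwarding, and only truncates the spool after the TLS delivery to the SIEM succeeds. The host names, certificate path and the sample log lines are constructed placeholders.

```python
# Added example: store-and-forward syslog relay (not Sophos or thread code).
# Assumptions: RFC 3164-style syslog over UDP from the UTM on a private
# network; forwarding to the SIEM over TLS. Names below are placeholders.
import os
import re
import socket
import ssl
from pathlib import Path
from typing import Callable, List, Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>")
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an RFC 3164 line into (facility, severity, message).

    Returns None when the <PRI> header is missing or out of range (0..191),
    so malformed datagrams are dropped instead of forwarded as valid events.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility = FACILITIES.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITIES[pri % 8], line[m.end():]


class Spool:
    """Append-only, fsync'd spool: a line is durable on disk before forwarding."""

    def __init__(self, path: str) -> None:
        self.path = Path(path)
        self.path.touch()

    def append(self, line: str) -> None:
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\r\n") + "\n")
            fh.flush()
            os.fsync(fh.fileno())

    def pending(self) -> List[str]:
        return self.path.read_text(encoding="utf-8").splitlines()

    def drain(self, send: Callable[[List[str]], None]) -> int:
        """Forward everything spooled; truncate only after send() returns.

        If send() raises (collector down or rebooting) the spool is left
        intact and the same lines are retried on the next drain.
        """
        lines = self.pending()
        if not lines:
            return 0
        send(lines)  # exceptions propagate; spool untouched
        self.path.write_text("", encoding="utf-8")
        return len(lines)


def send_tls(host: str, port: int, cafile: str) -> Callable[[List[str]], None]:
    """Build a sender delivering newline-framed syslog over TLS (RFC 6587 style)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the SIEM's cert

    def _send(lines: List[str]) -> None:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall("".join(l + "\n" for l in lines).encode("utf-8"))
    return _send


def relay(listen_port: int, spool: Spool, send: Callable[[List[str]], None],
          batch: int = 100) -> None:
    """Receive UDP syslog, spool each datagram, drain every `batch` messages."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    count = 0
    while True:
        data, _ = sock.recvfrom(65535)
        line = data.decode("utf-8", errors="replace")
        if parse_pri(line) is None:
            continue  # no valid PRI header: not syslog, drop it
        spool.append(line)
        count += 1
        if count % batch == 0:
            try:
                spool.drain(send)
            except OSError:
                pass  # collector unreachable; lines stay spooled for retry


if __name__ == "__main__":
    # Placeholder host, port and CA path; point these at the real SIEM.
    relay(514, Spool("/var/spool/utm-relay.log"),
          send_tls("siem.example.internal", 6514, "/etc/ssl/certs/siem-ca.pem"))
```

The relay does not fix the UDP hop from the appliance itself, so it belongs as close to the UTM as possible (same subnet, or a sidecar on the collector's network with a short path); what it does guarantee is that once a line has been accepted it survives a collector reboot, and that the hop that crosses the wider network is authenticated and encrypted.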