This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AWS Sophos UTM 9 - How to Properly Send Logs to SIEM?

I understand that Sophos UTM 9 can send logs via syslog or snmp. I'm looking to setup external logging; high level idea in image below.

Currently I'm looking at either Splunk or ELK (Elasticache + LogStash + Kibana). Note that I cannot use a managed logging solution like Loggly or Sumo Logic.

The Splunk Add-on for Splunk doesn't seem like what I need and I'm not finding much documentation on how to properly export logs to a SIEM. I write properly because logging isn't as easy as it sounds; for example you shouldn't send syslogs straight to the syslog collector because of the collector is rebooted logs could disappear.

Sophos support told me that SNMP is the best way to export logs but again, I cannot find any examples with popular SIEMs to implement.

I also looked at the SUM to manage both Sophos UTM 9s but I didn't like the interface and the SUM doesn't do as much "centralized management" as I was hoping.

What is the community doing for centralized logging and if possible could you share config steps?



This thread was automatically locked due to age.
Parents
  • Thanks - I'm actually using Splunk and sending remote Syslogs from my Sophos UTMs to a TCP listener on my Splunk indexer. However, apparently Sophos uses a different format for SYSLOGs than the Splunk default SYSLOG format so I had to do some customizations. 

    I didn't notice this Splunk app and it looks like you are the developer - cool stuff.

    Apologies if I missed it but any guides on getting started?

    I have installed the app but not seeing where to add my Sophos UTMs - I checked the Manage Apps section but didn't see anything to configure there.

  • I'm working on proper documentation, it's a work in progress.  For now, I use 192.168.1.230/231 as my primary and secondary UTMs, so you may have to alter the searches to use appropriate IPS as the host.  I also use 192.168.1.0/24 as my internal subnet, so you may need to change some of the network searches as well.  The easiest way to modify these is to go into each dashboard and edit panels -> edit source.  just change all of the <query></query> lines accordingly.   The next release should have tags instead of hard set subnets and IPs, I hope to get that done in a week or so.   I can webex tomorrow evening if you'd like help modifying the app.

  • Hi BryanSchaefer,

     

    I know this is quite old post but wondering if you ever got anywhere on developing the newer release. I've been a UTM user for a long time and now I'm adding in Splunk (which I'm a total novice). I struggled to find any app that would work with the UTM but yours has a great foundation. I've been going through updating the IPs to my network, my sourcetype had a different name, and it seems 'vendor_action' is no longer accurate and is 'action' now. Splunk is also showing deprecation on a lot of your lines but appears to still work. 

     

    Anyway, I'm certainly not complaining but wondered if you had any updates, information to add, etc. Overall this is a huge step from just viewing raw syslog!

     

    FWIW, I'm on the latest release of everything. UTM 9.503, Splunk 7.0.0, and your app release 1.5

Reply
  • Hi BryanSchaefer,

     

    I know this is quite old post but wondering if you ever got anywhere on developing the newer release. I've been a UTM user for a long time and now I'm adding in Splunk (which I'm a total novice). I struggled to find any app that would work with the UTM but yours has a great foundation. I've been going through updating the IPs to my network, my sourcetype had a different name, and it seems 'vendor_action' is no longer accurate and is 'action' now. Splunk is also showing deprecation on a lot of your lines but appears to still work. 

     

    Anyway, I'm certainly not complaining but wondered if you had any updates, information to add, etc. Overall this is a huge step from just viewing raw syslog!

     

    FWIW, I'm on the latest release of everything. UTM 9.503, Splunk 7.0.0, and your app release 1.5

Children
No Data