Collecting Sophos XG logs using the Sophos integration feature

Hello,

I'm currently trying to integrate Sophos XG firewall logs into my ELK stack via the Filebeat Sophos module. My setup involves sending logs directly from my Sophos XG device to Elasticsearch, bypassing Logstash. The logs are being sent in syslog format via UDP.

I've set the integration to listen on port 9005 for syslog data and I've confirmed through traffic capture that my ELK stack is receiving UDP packets from my firewall. However, the data doesn't appear in Elasticsearch.

Any help would be greatly appreciated.

Thank you.

Hi @TIT
Welcome to the community.

You're going to need to provide more information so we can help.

Please share your filebeat.yml and the sophos.yml

Did you run
filebeat setup -e

before running filebeat?

Did you look at the filebeat logs and look for the UDP port opening?

Do you see a UDP port open and listening?

Did you look for any errors in the filebeat logs?

How did you install, and how are you starting, filebeat?

Did you try

filebeat test output
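
As an added, worked example (not from this thread, and not Elastic's or Sophos' code), the checks above can be scripted on the collector host: bind-test whether anything is already holding the UDP port, push a constructed Sophos XG style syslog event to it, and parse the key=value body the way the module's pipeline has to before anything can be indexed. The sample line, the helper names and the use of 9005 as the default port are assumptions; field names follow the Sophos XG v18 syslog format but every value is invented.

```python
"""Check a Filebeat/Elastic Agent UDP syslog listener and feed it a synthetic
Sophos XG event. Added example for this thread, not Elastic or Sophos code.
Sample values are constructed; field names mirror the Sophos XG v18 format."""
import errno
import re
import socket
import sys

# Constructed sample. "<30>" is the syslog PRI (facility daemon, severity info)
# that precedes the message; everything after it is the Sophos key=value body.
SAMPLE_LINE = (
    '<30>device="SFW" date=2024-01-15 time=10:30:00 timezone="UTC" '
    'device_name="XG125" device_id=C01001EXAMPLE log_id=010101600001 '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'status="Allow" priority=Information duration=0 fw_rule_id=1 '
    'user_name="" in_interface="Port1" out_interface="Port2" '
    'src_ip=10.0.0.5 dst_ip=93.184.216.34 protocol="TCP" src_port=51234 '
    'dst_port=443 sent_bytes=0 recv_bytes=0 srczone="LAN" dstzone="WAN" '
    'connevent="Start" connid="123456" message="rule \\"allow web\\""'
)

_PRI = re.compile(r"^<(\d{1,3})>")
# key=value where value is either a double-quoted string (with \" escapes)
# or a bare token; a bare token may be empty (e.g. tran_src_ip=).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_sophos_kv(line):
    """Split one Sophos XG syslog line into a dict of field -> value.

    An optional syslog <PRI> header is returned under 'pri'. Quoted values
    have their quotes and \" escapes removed. If the body carries no
    key=value pairs, only 'pri' (if any) comes back: that is the shape of
    'packets arrive, nothing gets indexed'."""
    fields = {}
    m = _PRI.match(line)
    if m:
        fields["pri"] = int(m.group(1))
        line = line[m.end():]
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_sophos_xg(fields):
    """Quick sanity check that a parsed line looks like XG firewall output
    (the device="SFW" marker plus a log_type), not some other syslog source."""
    return fields.get("device") == "SFW" and "log_type" in fields


def check_udp_listener(port, host="0.0.0.0"):
    """Return True if a process already has this UDP port bound on the host.

    Implemented by trying to bind it ourselves: EADDRINUSE means a listener
    (e.g. Filebeat's sophos input) holds it. Run this on the collector host;
    a privileged port (<1024) needs root or raises EACCES."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()


def open_udp_listener(host="127.0.0.1", port=0):
    """Bind a throwaway UDP socket (port 0 = kernel picks one) so the checks
    can be exercised without a real Filebeat. Caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    s.settimeout(5)
    return s


def send_syslog_udp(line, host, port):
    """Send one syslog datagram to the collector; returns bytes sent. Use it
    to prove the path into Elastic without waiting for firewall traffic."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9005  # assumed default
    if host in ("127.0.0.1", "localhost"):
        print(f"udp/{port} bound locally: {check_udp_listener(port)}")
    print(f"sent {send_syslog_udp(SAMPLE_LINE, host, port)} bytes to {host}:{port}")
    parsed = parse_sophos_kv(SAMPLE_LINE)
    print("looks like XG:", is_sophos_xg(parsed), "fields:", len(parsed))
```

Run it on the Filebeat or Agent VM with `python3 sophos_udp_check.py 127.0.0.1 9005`: if the first line reports `False`, nothing is listening and the problem is the input configuration or the service not running, not Elasticsearch. If it reports `True` but the synthetic event never appears in Discover, look at the ingest side (pipeline errors in the filebeat log, or a missing `filebeat setup`).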

I'm using Sophos integration on Elasticsearch, and I'm unsure whether I should send logs directly to Elasticsearch or first send them to a syslog server and then ship them to Elasticsearch via Elastic Agent.

Apologies, I'm a little bit confused. You were talking about Filebeat above, and now you're talking about Elastic Agent. Either is fine, but they are two different things.

I don't believe you need to put in a syslog server / relay, and if you're just getting started I would think that fewer components would be better. Filebeat or the Elastic Agent will act as a syslog collector. You don't need anything in between, as far as I know. Straight from the Sophos firewall to Filebeat or Elastic Agent should work.

I would follow the recommendations from Sophos.

Thank you! I'm new to Elastic and Filebeat, but as far as I understand, Elastic Agent utilizes Filebeat to capture UDP syslog packets (which worked for me). By the way, Sophos does not allow installing or using the agent directly.

Right, but if you put the Elastic Agent or Filebeat on a VM that Sophos can send the logs to via UDP, you do not need to put anything in between.

Sophos Syslog UDP Forwarder -> Agent / Filebeat UDP Listener (separate VM) -> Elastic

And yes Agent uses Filebeat under the covers today...

