I'm currently trying to integrate Sophos XG firewall logs into my ELK stack via the Filebeat Sophos module. My setup involves sending logs directly from my Sophos XG device to Elasticsearch, bypassing Logstash. The logs are being sent in syslog format via UDP.
I've set the integration to listen on port 9005 for syslog data and I've confirmed through traffic capture that my ELK stack is receiving UDP packets from my firewall. However, the data doesn't appear in Elasticsearch.
I'm using Sophos integration on Elasticsearch, and I'm unsure whether I should send logs directly to Elasticsearch or first send them to a syslog server and then ship them to Elasticsearch via Elastic Agent.
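When packets arrive but nothing lands in the index, the first thing worth checking is what is actually inside the datagrams reaching port 9005. The script below is an added diagnostic, not part of the original thread or of Filebeat: it binds the same UDP port (stop Filebeat or the Agent first), reads one datagram and parses the Sophos XG key="value" syslog line; the sample datagram and the "looks like Sophos XG" heuristic are constructed assumptions for illustration.

```python
import re
import socket

# Constructed sample datagram in the Sophos XG key=value syslog style (not a real capture).
SAMPLE_DATAGRAM = (
    b'<30>device="SFW" date=2023-05-10 time=12:34:56 timezone="UTC" '
    b'device_name="XG135" log_id=010101600001 log_type="Firewall" '
    b'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    b'src_ip=10.1.1.5 dst_ip=192.0.2.10 protocol="TCP" src_port=51234 '
    b'dst_port=443 tran_src_ip= tran_src_port=0 message=""'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a bare token, possibly empty (tran_src_ip=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_sophos_line(line: str) -> dict:
    """Parse one Sophos XG syslog line into a dict.
    The syslog PRI (if present) is stored under 'pri'; every key=value pair
    is stored with surrounding quotes removed and empty values kept as ''."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        fields["pri"] = int(m.group(1))
        line = line[m.end():]
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def looks_like_sophos_xg(fields: dict) -> bool:
    """Assumed heuristic: XG firewall lines carry device="SFW", date and
    log_type; a datagram without them is not in the format the module expects."""
    return fields.get("device") == "SFW" and "log_type" in fields and "date" in fields


def receive_one(port: int = 9005, timeout: float = 10.0):
    """Bind UDP :port like the collector would and parse the first datagram.
    Returns (sender_ip, fields) or None if nothing arrives before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        try:
            data, src = s.recvfrom(65535)
        except socket.timeout:
            return None
    return src[0], parse_sophos_line(data.decode("utf-8", "replace"))


if __name__ == "__main__":
    f = parse_sophos_line(SAMPLE_DATAGRAM.decode())
    print(looks_like_sophos_xg(f), f["src_ip"], f["log_type"])
```

If `receive_one()` returns None while a capture shows packets, the port is bound by something else or a local firewall drops them; if it returns a line where the heuristic is False, the firewall is sending a log format the module does not parse.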
Apologies, I'm a little bit confused. You were talking about Filebeat above; now you're talking about Elastic Agent. Either is fine, but they are two different things.
I don't believe you need to put in a syslog server / relay, and if you're just getting started I would think that fewer components would be better. Filebeat or the Elastic Agent will act as a syslog collector. You don't need anything in between as far as I know. Straight from the Sophos firewall to Filebeat or Elastic Agent should work.
Thank you! I'm new to Elastic and Filebeat, but as far as I understand, Elastic Agent utilizes Filebeat to capture UDP syslog packets (which worked for me). By the way, Sophos does not allow you to install or use an agent directly.