Filebeat for Sophos XG Firewall

Hi,

Will it be possible to have Filebeat for Sophos XG Firewall, integrated with Elastic SIEM like Filebeat Cisco?

Best Regards,

Ricardo Calimanis

Hi Ricardo,

We don't currently have a Filebeat module dedicated for Sophos. We are building a list of devices that we want to integrate with, so this input is valuable.

In the meantime, you can probably use the Filebeat syslog and netflow inputs to ingest some of the data from Sophos. Let us know if you have any questions.
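A minimal Filebeat configuration along the lines suggested above (an added example for this thread, not Elastic's or Sophos' own configuration): the syslog input listens for what the XG sends to a remote syslog server, and the netflow input decodes flow records if the XG is configured to export NetFlow. The listening ports, the Elasticsearch host and the credentials are assumed values and must match what is configured on the firewall and in your cluster.

```yaml
# filebeat.yml (added example; ports, hosts and credentials are placeholders)
filebeat.inputs:
  # Sophos XG can send its logs to a remote syslog server; Filebeat listens here.
  # The syslog input parses the syslog header (timestamp, hostname, process);
  # the key="value" body that XG emits stays in the "message" field.
  - type: syslog
    protocol.udp:
      host: "0.0.0.0:5514"   # assumed port: must equal the syslog target set on the XG
    tags: ["sophos-xg", "syslog"]

  # Optional: if the XG exports NetFlow, this input decodes it into ECS fields.
  - type: netflow
    host: "0.0.0.0:2055"     # assumed port: must equal the NetFlow collector set on the XG
    tags: ["sophos-xg", "netflow"]

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]  # placeholder host
  username: "filebeat_writer"                              # placeholder user
  password: "${FILEBEAT_ES_PASSWORD}"                      # from the Filebeat keystore, not plain text
```

Two practical points for anyone trying this: the UDP listener accepts anything that reaches the port, so restrict it with a host firewall rule to the XG's address, and because the XG log body is a series of key="value" pairs, an Elasticsearch ingest pipeline with the `kv` processor can split it into fields once the raw events are arriving.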

Hi Tudor,

Thank you for the information!

We're testing Elastic Stack and we are having support from Kelly Costa (User Success Manager from Elastic).

She's doing a very awesome job supporting us.

She sent information showing that we can execute Beats inside the XG Firewall.

With that information, we tried and it worked!

It was possible to execute Filebeat, Metricbeat, and Packetbeat.

Auditbeat has an error about kernel support, but we'll investigate that.

Now we started a conversation with Sophos to understand if we can execute these agents inside the XG Firewall without losing their support.

I think this is a good moment to understand how we can create these Beats for Sophos XG Firewall.

With time, we need to understand how we can create the service for these Beats to survive on reboot.

I'm sending some screenshots so you can see that working.

The hostname is not "localhost", another thing we need to investigate, but on the shell that is the hostname of our XG Firewall.

Best Regards,

Ricardo Calimanis

1 Like

That's very interesting, thank you for coming back with that!

1 Like

Tudor,

I made this video to explain how I did that implementation.

Best Regards,

Ricardo Calimanis

2 Likes

Guys,

For those who want the Elastic Beats implemented on Sophos XG Firewall, please vote for the idea posted on idea.sophos.com:

Best Regards!

Ricardo Calimanis

This is a nice idea, but... I'm a bit concerned that when a new MR update arrives it wipes out the Beat agents...

We also use XG Firewalls, but the method we use is to forward the syslog to the ELK stack (using rsyslog method).

Hi SCL_ADMIN

I have that concern too, and rsyslog is a problem for us because we need to send those logs through the internet and we need a scalable and resilient infrastructure.

Another thing is that rsyslog sends only logs. With Beats we are sending logs, performance metrics and network packets from the XG Firewall to a Data Lake where we are sending these same metrics from desktops and mobiles. This way we are creating a Data Lake to build our SIEM and to apply Machine Learning to that data to identify network behavior.

Yesterday Sophos got back to us, and we lose the support of the XG Firewall if we put third-party software on it that is not supported by them.

The solution for that is asking Sophos to implement Elastic Beats natively on the XG Firewall.

Sophos Ideas is the way to do that, and knowing that, I posted the idea there: http://idea.sophos.com/

If you want that, please vote for the idea so they have sufficient customers wanting it and start thinking about this implementation:

I hope this helped!

Best Regards,

Ricardo Calimanis

You have my upvote :)

1 Like