Filebeat for Sophos XG Firewall

kal1s · July 30, 2019, 4:53pm

Hi,

Will be possible to have Filebeat for Sophos XG FIrewall and integrated with Elastic SIEM like Filebeat Cisco?

Best Regards,

Ricardo Calimanis

tudor · July 31, 2019, 6:26am

Hi Ricardo,

We don't currently have a Filebeat module dedicated for Sophos. We are building a list of devices that we want to integrate with, so this input is valuable.

In the meantime, you can probably use the Filebeat syslog and netflow inputs to ingest some of the data from Sophos. Let me us know if you have any questions.

kal1s · July 31, 2019, 5:08pm

Hi Tudor,

Thank you for the information!

We're testing Elastic Stack and we are having support from Kelly Costa (User Success Manager from Elastic).

She's doing a very awseome job supporting us.

She sent informations showing that we can execute Beats inside the XG Firewall.

With that information, we tried and worked!

Was possible to execute Filebeat, Metricbeat, and Packetbeat.

Auditbeat has an error about kernel support, but we'll investigate that.

Now we started a conversation with Sophos to understand if we can execute these agents inside the XG Firewall without losing their support.

I think is a good moment to understand how can we create these Beats for Sophos XG Firewall.

With time, we need to understand how we can create the service for these Beats to survive on reboot.

I'm sending some screenshots to you see that working.

The hostname is not "localhost" other thing we need to investigate, but on the shell that is the hostname of our XG Firewall.

Best Regards,

Ricardo Calimanis

tudor · August 1, 2019, 7:12am

That's very interesting, thank you for coming back with that!

kal1s · August 1, 2019, 3:15pm

Tudor,

I made this video to explain how I did that implementation.

Best Regards,

Ricardo Calimanis

kal1s · August 5, 2019, 12:24pm

Guys,

For whom want the Elastic Beats implemented on Sophos XG Firewall, please vote in the idea posted on idea.sophos.com:

Best Regards!

Ricardo Calimanis

SCL_ADMIN · August 6, 2019, 3:33pm

This is a nice idea, but... I'm a bit concerned that when a new MR update it wipes out the Beat agents...

We also use XG Firewalls, but the method we use is to forward the syslog to the ELK stack (using rsyslog method).

kal1s · August 6, 2019, 5:47pm

Hi SCL_ADMIN

I have that concern too and rsyslog is a problem for us because we need to send that logs trough internet and we need scalable and resilient infrastructure.

Another thing is rsyslog send only logs. With Beats we are sending logs, performance metrics and network packets from XG Firewall to a Data Lake where we are sending these same metrics from desktops and mobiles. This way we are creating a Data Lake to create our SIEM and to apply Machine Learning in that Data to identify network behavior.

Yesterday Sophos returned and we lose the support of XG Firewall if we put third-party software that is not supported by them.

The solution for that is asking to Sophos to implement natively Elastic Beats on XG Firewall.

Sophos Ideas is the way to do that, and known that I posted that idea there: http://idea.sophos.com/

If you want that, please vote in that idea for they have sufficient customers wanting that for they start thinking in this implementation:

I hope helped!

Best Regards,

Ricardo Calimanis

SCL_ADMIN · August 7, 2019, 4:15pm

You have my upvote

system · September 4, 2019, 4:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.