Integrating Sophos Firewall with Elastic

Hello there. I'm trying to connect a Sophos firewall with Elastic, but I don't receive any logs.
I deployed an agent with the Sophos integration and followed the instructions on Elastic; I added my firewall IP instead of localhost (UDP). What should I do?

Can you share how you configured it?

Normally in those integrations you add the IP address of the server running the Elastic Agent and it will listen on it; then you need to configure your firewall device to send logs to this IP/port.

This is mentioned in the documentation.

To configure a remote syslog destination, please reference the SophosXG/SFOS Documentation.

Sophos firewall: 192.186.1.20 / 514 (the IP of my Elastic Agent)

Sophos integration via UDP:
UDP host to listen on: 192.186.1.20
UDP port to listen on: 9549
Syslog host: 0.0.0.0
Port: 9005

Here is what I'm using.

If you configured the Elastic Agent to listen on port 9549, you need to configure your Sophos firewall to send logs to the IP of the Elastic Agent on this port.

Yeah, I understood that later. But what about the syslog host? Should I add the agent's IP with a different port?

What syslog hosts? It is not clear what you are referring to.

The Sophos integration will only work for logs from a Sophos firewall.

There is a section that needs to be filled out.

This is where you need to put the IP of the Elastic Agent or use 0.0.0.0

Same thing for the port: this is the port where the Elastic Agent will listen for the logs from your firewall.

Not working!!

Is 10.1.0.117 the IP of your agent? This needs to be the IP of the Elastic Agent server, or use 0.0.0.0.

You can just use 0.0.0.0, but the ports need to be different: choose a different port for each one of those inputs. Also, avoid using port 514, as this port is reserved for rsyslog and you may already have rsyslog running on the Elastic Agent server.

For the Timezone Offset you need to remove the word "local". Look at the explanation: you need to set the timezone of your firewall in the +HH:mm format, so if your firewall has a time offset of 3 hours, you need to configure it as +03:00 or -03:00.

This is all the configuration you need to do on the Elastic Agent; everything else is on your Sophos. You need to configure it to send the Sophos logs to the UDP port you configured and the XG logs to the other UDP port you configured, but how you do that needs to be validated in the Sophos documentation.

I'm also not sure if you should use both UTM and XG logs; you would need to be able to configure Sophos to send those types of logs to different ports.

I would suggest that you configure it in steps: first configure the UTM logs and see if you are receiving the logs, then check in Sophos if you can send the XG logs to a different port.
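A small Python check for the setup described in this thread, added here as an example and not Elastic or Sophos code: it validates the input ports and the Timezone Offset format the reply above asks for, parses a constructed Sophos-style syslog line to show what the offset does to the event timestamp, and pushes one datagram through a local UDP listener bound the way the integration input is (0.0.0.0 or one IP). The field values in SAMPLE_LINE and the field names beyond date/time/timezone are invented; the agent's own parsing lives in the integration's ingest pipeline, not in this script.

```python
"""Checks for a Sophos Firewall -> Elastic Agent syslog-over-UDP setup.

Added example for this thread, not Elastic or Sophos code. It covers the
points raised above: each input of the integration needs its own UDP port
(and not 514), the listener may bind 0.0.0.0 or the agent's own IP, the
Timezone Offset must be +HH:mm / -HH:mm rather than "local", and the UDP
path itself can be verified on the agent host before touching the firewall.
"""
import re
import socket
from datetime import datetime, timedelta, timezone

RESERVED_SYSLOG_PORT = 514          # rsyslog commonly owns this on the agent host
TZ_OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")

# Constructed Sophos XG/SFOS-style line (invented values, not a capture).
# The date=/time=/timezone= fields and the key=value layout follow the SFOS
# syslog format; the remaining field names are assumptions for illustration.
SAMPLE_LINE = (
    '<30>device="SFW" date=2024-01-15 time=10:23:45 timezone="IST" '
    'device_name="XG135" log_type="Firewall" log_subtype="Allowed" '
    'src_ip=10.1.0.50 dst_ip=8.8.8.8 dst_port=53 protocol="UDP"'
)


def check_input_ports(ports):
    """Return a list of problems with the UDP ports assigned to the
    integration's inputs (UTM logs, XG logs, ...); an empty list means OK."""
    problems = []
    if len(set(ports)) != len(ports):
        problems.append("every input must listen on a different port")
    if RESERVED_SYSLOG_PORT in ports:
        problems.append("port 514 may already be taken by rsyslog on the agent host")
    problems.extend(f"port {p} is out of range" for p in ports if not 1 <= p <= 65535)
    return problems


def parse_tz_offset(value):
    """Parse the integration's Timezone Offset setting (+HH:mm or -HH:mm)
    into a tzinfo; 'local' or anything else malformed raises ValueError."""
    m = TZ_OFFSET_RE.match(value.strip())
    if not m:
        raise ValueError(f"timezone offset must be +HH:mm or -HH:mm, got {value!r}")
    sign, hh, mm = m.groups()
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return timezone(-delta if sign == "-" else delta)


def parse_sophos_line(line):
    """Split the key=value body of a Sophos syslog line into a dict.
    Values are bare or double-quoted; the <PRI> header is skipped."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def event_timestamp_utc(fields, tz_offset):
    """Combine the firewall's date= and time= fields with the configured
    offset and return the UTC timestamp the event should be indexed with."""
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=tz_offset).astimezone(timezone.utc)


def udp_roundtrip(listen_host, port, message, send_to="127.0.0.1", timeout=2.0):
    """Bind a UDP listener the way the agent input does (0.0.0.0 or one IP),
    send one datagram to it and return (bound_port, received_text).
    port=0 lets the OS pick a free port; bind() raises OSError if the
    requested port is already held by another process such as rsyslog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((listen_host, port))
        rx.settimeout(timeout)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message.encode(), (send_to, bound_port))
        data, _ = rx.recvfrom(65535)
    return bound_port, data.decode()


if __name__ == "__main__":
    # The two ports from the thread are distinct and not 514, so no findings.
    print("port check:", check_input_ports([9549, 9005]) or "ok")
    print("port check:", check_input_ports([514, 9005]))
    try:
        parse_tz_offset("local")
    except ValueError as e:
        print("offset check:", e)
    fields = parse_sophos_line(SAMPLE_LINE)
    print("event UTC:", event_timestamp_utc(fields, parse_tz_offset("+05:30")).isoformat())
    # Listener bound to all interfaces, as the agent input would be.
    bound, got = udp_roundtrip("0.0.0.0", 0, SAMPLE_LINE)
    print(f"received on {bound}: {parse_sophos_line(got)['log_subtype']}")
```

Run it on the agent host with the real port (9549 or 9005) instead of 0 to confirm nothing else holds that port; the round trip only proves the host's own UDP stack, so a send from the Sophos side is still needed to rule out host or network firewalls between the two.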
