Dear there. Im trying to connect sophos firewall with elastic but i don't receive any logs.
Im deployed an agent with sophos integration, and i followed the instructions on the elastic, i add my firewall ip instead localhost ( udp).what i should to do ?
Can you share how you configured it?
Normally on those integrations you add the IP address of the server running the Elastic Agent and it will listen on it, then you need to configure your Firewall device to send logs to this IP/Port.
This is mentioned in the documentation.
To configure a remote syslog destination, please reference the SophosXG/SFOS Documentation.
sopoh firewall : 192.186.1.20/ 514 ( the ip of my elastic agent)
sophos integration Via UDP:
UDP host to listen on
192.186.1.20
UDP port to listen on
9549
syslogs host
0.0.0.0
9005
here is what im using
If you configured the Elastic Agent to list on port 9549
you need to configure your Sophos firewall to send logs to the IP of the Elastic Agent on this port.
Yeah, i understand that later . But what about the syslogs host ? Should i add the agent's ip with a different port?
What syslogs hosts? It is not clear what you are referring to.
The Sophos integration will only work for logs from Sophos firewall.
This is where you need to put the IP of the Elastic Agent or use 0.0.0.0
Same thing for the port, this is the port where the elastic agent will listen for the logs from your firewall.
Is 10.1.0.117
the IP of your Agent? This need to be the IP of the Elastic Agen server or use 0.0.0.0
.
You can just use 0.0.0.0
, but the ports needs to be different, choose a different port for each one of those inputs, also, avoid using port 514
as this port is reserved for the rsyslog
and you may already have a rsyslog
running in the Elastic Agent Server.
On the Timezone Offset you need to remove the local
word, look at the explanation, you need to set the timezone of your firewall in the +HH:mm
format, so if your firewall has a timeoffset of 3 hours, you need to configure it in this format, +03:00
or -03:00
.
This is all the configuration you need to do on the Elastic Agent, everything else is in your Sophos, you need to configure it to send Sophos Logs to the UDP/port you configured and the XG Logs to the other UDP/port you configured, but how you do that needs to be validated on Sophos documentation.
I'm also not sure if you should use both UTM and XG Logs, you would need to be able to configure in sophos to send those types of logs to different ports.
I would suggest that you configure it in steps, first configure the UTM logs and see if you are receiving the logs, then check in Sophos if you can send the XG Logs to a different port.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.