Kibana Add Data for Sophos XG

Trying to understand how I get logging out of XG and into Kibana. I watched some of the videos and got Elasticsearch and Kibana running on a VM. The document for Beats seems to say I'd push syslog from my firewall or other network appliance somewhere, the Beats digests it and sends it into Elasticsearch and Kibana. Is the idea for network appliances to use a syslog server somewhere that is separate from Elasticsearch and Kibana, then install Beats there to relay the logging information? Or would I point syslog to the single system I've set up and install Beats there?

Thanks! New to this and trying to wrap my head around it.

Hello and welcome @bryonadams :slight_smile:

I would indeed recommend playing around and getting yourself familiar with the products, but you are mostly correct with the current idea that you have.

SophosXG supports sending syslog data to a remote location, let's say a small virtual machine or a docker container, this small server runs filebeat, which is either installed your rpm/deb or just downloading a tar.gz file: Filebeat quick start: installation and configuration | Filebeat Reference [7.12] | Elastic

When you want to use modules for filebeat (or any of the other beats), usually you enable that module and configure the relevant parameters, each module has its own documentation page like this: Sophos module | Filebeat Reference [7.12] | Elastic

After configuring the module + configuring where filebeat is supposed to send data, which is usually your elasticsearch cluster, it should work out of the box.

Example would be, if you installed filebeat on a linux machine, after installation you would run something like this:

Open config file, scroll down to elasticsearch output and add the relevant host and credentials
vi /etc/filebeat/filebeat.yml
Enable the module you want:
filebeat modules enable sophos
Open the config file for the module you enabled, in this case sophos:
vi /etc/filebeat/modules.d/sophos.xml
Look up the documentation of the module for reference to what configuration is required, for sophos its usually the IP address the syslog would listen on, its port, the hostname of the firewall, and if you have multiple firewalls you create a list of hostnames and their serial numbers (the serial numbers is specific to Sophos XG, as they don't include hostnames in syslog for some reason..).

If there is any other modules you are interested in, the procedure is the same :slight_smile:

1 Like

Thank you Marius! I appreciate the quick reply.

I'll work on getting another VM going for the syslog server and get filebeat installed. The documentation made it look very easy. Then I think all I have to do is expose Elasticsearch to the rest of that network so filebeat can send data at it.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.