Hello and welcome @bryonadams
I would indeed recommend playing around and getting yourself familiar with the products, but you are mostly correct with the current idea that you have.
Sophos XG supports sending syslog data to a remote location, let's say a small virtual machine or a Docker container. This small server runs Filebeat, which is either installed from your rpm/deb package or by just downloading a tar.gz file: Filebeat quick start: installation and configuration | Filebeat Reference [7.12] | Elastic
When you want to use modules for Filebeat (or any of the other Beats), you usually enable that module and configure the relevant parameters. Each module has its own documentation page like this: Sophos module | Filebeat Reference [7.12] | Elastic
After configuring the module and configuring where Filebeat is supposed to send data, which is usually your Elasticsearch cluster, it should work out of the box.
An example would be: if you installed Filebeat on a Linux machine, after installation you would do something like this:
Open the config file, scroll down to the Elasticsearch output and add the relevant host and credentials.
Enable the module you want:
filebeat modules enable sophos
Open the config file for the module you enabled, in this case sophos:
Look up the documentation of the module for reference on what configuration is required. For Sophos it's usually the IP address the syslog listener should listen on, its port, the hostname of the firewall, and if you have multiple firewalls you create a list of hostnames and their serial numbers (the serial numbers are specific to Sophos XG, as they don't include hostnames in syslog for some reason...).
If there are any other modules you are interested in, the procedure is the same.
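Putting the steps above together, here is an added example (not part of the original reply, and not Elastic's or Sophos's own code) that writes the two pieces of configuration the reply describes and then runs Filebeat's own checks. The module variable names (var.input, var.syslog_host, var.syslog_port, var.default_host_name, var.known_devices with serial_number/hostname) are the ones documented for the Filebeat 7.x sophos module's xg fileset; the config directory, cluster address, credentials, hostnames and serial numbers are placeholders I made up for illustration. Note that plain syslog over UDP is unauthenticated, so bind the listener to the collector's internal interface and restrict which source addresses may reach that port rather than exposing it on 0.0.0.0.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the Filebeat output and
# sophos module config, then (optionally) validates with filebeat itself.
# All addresses, hostnames, serials and credentials are placeholders.
set -eu

# Step 1: Elasticsearch output, appended to filebeat.yml.
# The password is referenced from the Filebeat keystore, not stored in plain text.
write_es_output() {
  cat >> "$1/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["https://es01.example.internal:9200"]   # placeholder cluster address
  username: "filebeat_writer"                       # placeholder; give it a least-privilege writer role
  password: "${ES_PW}"                              # resolved from the keystore at runtime
EOF
}

# Steps 2 and 3: module config for modules.d/sophos.yml (xg fileset).
# XG omits the hostname from its syslog lines, so each unit's serial number
# is mapped to a hostname via var.known_devices.
write_sophos_module() {
  mkdir -p "$1/modules.d"
  cat > "$1/modules.d/sophos.yml" <<'EOF'
- module: sophos
  xg:
    enabled: true
    var.input: udp                                  # what XG sends by default; tcp is also possible
    var.syslog_host: 10.0.5.20                      # placeholder: collector's internal interface, not 0.0.0.0
    var.syslog_port: 9005                           # module default port
    var.default_host_name: xg-edge-01.example.internal
    var.known_devices:
      - serial_number: "C01001ABCDEF123"            # placeholder serial
        hostname: "xg-edge-01.example.internal"
      - serial_number: "C01001ABCDEF456"            # placeholder serial
        hostname: "xg-branch-02.example.internal"
EOF
}

# Writes both files into the given Filebeat config directory.
write_configs() {
  write_es_output "$1"
  write_sophos_module "$1"
}

# Step 4: store the password, enable the module, and let filebeat validate
# the config and the output before the service is started. Only runs where
# filebeat is actually installed; --path.config points it at our directory.
run_filebeat_setup() {
  printf '%s' "${FILEBEAT_ES_PASSWORD:?set FILEBEAT_ES_PASSWORD first}" \
    | filebeat --path.config "$1" keystore add ES_PW --stdin --force
  filebeat --path.config "$1" modules enable sophos
  filebeat --path.config "$1" test config                     # YAML and module syntax
  filebeat --path.config "$1" test output                     # reachability and auth of the ES output
  filebeat --path.config "$1" setup --pipelines --modules sophos   # ingest pipelines for the xg fileset
}

# Usage: sh setup-sophos.sh --apply [/etc/filebeat]
if [ "${1:-}" = "--apply" ]; then
  FB_CONF="${2:-/etc/filebeat}"          # default layout of the rpm/deb install
  write_configs "$FB_CONF"
  run_filebeat_setup "$FB_CONF"
fi
```

Run it with --apply on the collector VM (as the user that owns /etc/filebeat), then start the filebeat service and point the XG's syslog server at 10.0.5.20:9005/UDP. If `filebeat test output` fails, fix the output section before looking at the module: a module that is configured correctly but has nowhere to ship to just fills the local registry.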