Sophos endpoint AND SAP logs


mahlatse kekae

Feb 19, 2025, 6:35:16 AM
to Wazuh | Mailing List
Good day,

I trust you are well.

I need step-by-step help on how to add SAP user activity logs and Sophos endpoint logs to Wazuh.

Attached are screenshots of the settings I added to the config file.
SAP.png
Sophos.png

Olamilekan Abdullateef Ajani

Feb 19, 2025, 8:31:10 AM
to Wazuh | Mailing List
Hello Mahlatse,

Regarding reading from a log file, you are almost there. Your localfile looks good, if those are your log paths.

Since this is out of the way, you need to check the Wazuh Discover dashboard for those events. But please note Wazuh might not be able to decode your logs if the logs do not match a decoder, which means you might have to write decoders and rules to match your logs and trigger an alert; see the reference below.

If you do not see your logs on the dashboard, please follow this procedure to enable archives.

Edit the <global> section of the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the options below to yes:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Restart the Wazuh manager to apply the configuration changes:

    systemctl restart wazuh-manager

You can monitor the archives.json file with cat /var/ossec/logs/archives/archives.json for changes and verify that the logs are visible.
You can disable the archive logging afterwards.

The above step is to ensure the logs from the file are being processed.

Once this is done, you can create custom decoders and rules to capture the events that are interesting to you.

Let me know if you require further assistance on this.

Ref:
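As an added example (it is not part of Olamilekan's reply and not Wazuh's own tooling), the shell script below applies the archive procedure above to a constructed copy of ossec.conf and then counts matching events in a constructed archives.json. The /var/ossec paths are the ones named in the thread; the temporary files, the sample configuration and the sample event lines are constructed for the example, and the manager restart is left as a comment because it needs a real manager.

```shell
#!/bin/sh
# Added example, not from the thread: enable the Wazuh archives on a COPY of the
# manager configuration and confirm a log line reached archives.json.
# Real paths on a manager (from the thread): /var/ossec/etc/ossec.conf and
# /var/ossec/logs/archives/archives.json. Everything below works on constructed
# files in a temporary directory so it runs anywhere.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/ossec.conf"
ARCHIVES="$WORK/archives.json"

# Constructed minimal ossec.conf: <logall> present (set to no) and <logall_json>
# absent, so both code paths of set_global_yes are exercised.
cat > "$CONF" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <logall>no</logall>
  </global>
</ossec_config>
EOF

# Set <tag> to "yes" inside <global>: rewrite the line if the tag exists,
# otherwise insert it right after the opening <global> tag.
set_global_yes() {
    conf="$1"; tag="$2"
    if grep -q "<$tag>" "$conf"; then
        awk -v t="$tag" '{ sub("<" t ">[^<]*</" t ">", "<" t ">yes</" t ">"); print }' \
            "$conf" > "$conf.tmp"
    else
        awk -v t="$tag" '{ print } /<global>/ { print "    <" t ">yes</" t ">" }' \
            "$conf" > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# The two settings the thread asks for. On a real manager, back up ossec.conf
# first and run "systemctl restart wazuh-manager" afterwards (not done here).
enable_archives() {
    set_global_yes "$1" logall
    set_global_yes "$1" logall_json
}

# Count archived events containing a pattern; prints the count and prints 0
# (without failing under set -e) when nothing matched.
count_archived() {
    grep -c "$2" "$1" || true
}

enable_archives "$CONF"

# Constructed archives.json lines in the one-JSON-object-per-line shape Wazuh
# writes. Agent name, location and full_log values are invented.
cat > "$ARCHIVES" <<'EOF'
{"timestamp":"2025-03-03T10:00:01.000+0000","agent":{"name":"win-endpoint"},"location":"C:\\logs\\sophos.log","full_log":"Mar  3 10:00:01 win-endpoint sophos-sample: user=alice action=blocked"}
{"timestamp":"2025-03-03T10:00:02.000+0000","agent":{"name":"win-endpoint"},"location":"EventChannel","full_log":"Windows error event (unrelated to Sophos)"}
{"timestamp":"2025-03-03T10:00:03.000+0000","agent":{"name":"win-endpoint"},"location":"C:\\logs\\sophos.log","full_log":"Mar  3 10:00:03 win-endpoint sophos-sample: user=bob action=allowed"}
EOF

echo "logall lines:              $(grep -c '<logall>yes</logall>' "$CONF")"
echo "logall_json lines:         $(grep -c '<logall_json>yes</logall_json>' "$CONF")"
echo "sophos events in archives: $(count_archived "$ARCHIVES" 'sophos-sample')"
```

The grep pattern is the part of the expected log line that identifies the source, as the thread suggests; on a real manager, point CONF and ARCHIVES at the /var/ossec paths above, restart the manager after enable_archives, and remember to set both options back to no once the check is done, since the archives grow quickly.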

mahlatse kekae

Feb 20, 2025, 9:23:55 AM
to Olamilekan Abdullateef Ajani, Wazuh | Mailing List
Hi Olamilekan,

Thank you very much.

I have applied the Wazuh manager configs as instructed, and I now need help with the next step: "Once this is done, you can create custom decoders and rules to capture the events that are interesting to you."


mahlatse kekae

Feb 20, 2025, 9:24:03 AM
to Olamilekan Abdullateef Ajani, Wazuh | Mailing List

Olamilekan Abdullateef Ajani

Feb 21, 2025, 2:59:16 AM
to Wazuh | Mailing List
Hello Mahlatse,

To assist you with decoders and rules, you need to perform the check from my earlier response, which I have also shared below. Once you get the logs, please share them so I can assist you further.



If you do not see your logs on the dashboard, please follow this procedure to enable archives.

Edit the <global> section of the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the options below to yes:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Restart the Wazuh manager to apply the configuration changes:

    systemctl restart wazuh-manager

You can monitor the archives.json file with cat /var/ossec/logs/archives/archives.json | grep "part-of-your-log" for changes and verify that the logs are visible.

You can disable the archive logging afterwards.

The above step is to ensure the logs from the file are being processed.

Once you have the logs, please share samples.

mahlatse kekae

Feb 28, 2025, 7:21:54 AM
to Wazuh | Mailing List
Hi all,

Please see the attached log.

archives.json.txt

Olamilekan Abdullateef Ajani

Feb 28, 2025, 7:38:13 AM
to Wazuh | Mailing List
Hello Mahlatse,

I just reviewed your logs; you can also see the attached screenshots. The logs you shared are not Sophos logs; they are Windows error logs, and from the test you can see they match rule 1002, which is for "Unknown problem somewhere in the system".

You can also review the logs you shared. If you need assistance with this, you need to share the logs related to Sophos and SAP. You can get them from the source I shared earlier.

Alternatively, you can run the logs through the Wazuh logtest engine to see how they decode and whether the result fits your use case before sharing: run /var/ossec/bin/wazuh-logtest and paste the logs to see the flow.

error-logs2.png
error-logs.png
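As an added example of the custom decoder and rule step mentioned in this thread (it is not Wazuh's shipped ruleset and not the Sophos log format, which the thread never shows), the script below writes a local_decoder.xml and local_rules.xml for a constructed syslog-style line, pre-checks the sample against the expected field layout with grep, and, only when the /var/ossec/bin/wazuh-logtest binary named above exists, pipes the sample through it. The line format, the decoder and rule names, the rule ids 100100 and 100101 and the destination paths /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml are assumptions; adapt the program name, prematch and regex to the real full_log value taken from archives.json.

```shell
#!/bin/sh
# Added example, not from the thread: a custom decoder and rule pair for a
# CONSTRUCTED syslog-style line, written to a directory of your choice.
# On a manager these go to /var/ossec/etc/decoders/local_decoder.xml and
# /var/ossec/etc/rules/local_rules.xml (assumed standard paths), followed by
# "systemctl restart wazuh-manager". The line format is invented: take the real
# full_log value from archives.json and adapt <program_name>, <prematch> and
# <regex> to it.
set -eu

OUT=$(mktemp -d)
trap 'rm -rf "$OUT"' EXIT

# Constructed sample line, NOT real Sophos output. It carries a syslog header,
# which the localfile <log_format>syslog</log_format> from the thread expects;
# Wazuh's pre-decoder turns "sophos-sample" into program_name and leaves
# "user=... action=... src=..." as the message the child decoder sees.
SAMPLE='Mar  3 10:00:01 win-endpoint sophos-sample: user=alice action=blocked src=10.0.0.5'

# Parent decoder matches on the program name; the child extracts fields.
# \S+ is Wazuh's "one or more non-space characters".
write_decoder() {
    cat > "$1/local_decoder.xml" <<'EOF'
<decoder name="sophos-sample">
  <program_name>^sophos-sample</program_name>
</decoder>

<decoder name="sophos-sample-fields">
  <parent>sophos-sample</parent>
  <prematch>^user=</prematch>
  <regex offset="after_prematch">^(\S+) action=(\S+) src=(\S+)</regex>
  <order>user, action, srcip</order>
</decoder>
EOF
}

# Rule ids 100000-119999 are reserved for local rules. The first rule fires for
# every decoded event (level 3, below the default alert threshold); the second
# raises the level only when the decoded action is "blocked".
write_rules() {
    cat > "$1/local_rules.xml" <<'EOF'
<group name="sophos,local,">
  <rule id="100100" level="3">
    <decoded_as>sophos-sample</decoded_as>
    <description>Sophos sample event</description>
  </rule>

  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <field name="action">blocked</field>
    <description>Sophos sample: blocked action for user $(user) from $(srcip)</description>
  </rule>
</group>
EOF
}

# Quick local sanity check of the field layout with grep -E before loading the
# decoder into the manager. Wazuh's regex dialect is not POSIX ERE, so this only
# confirms the sample has the expected shape; wazuh-logtest is the real check.
fields_match() {
    printf '%s\n' "$1" | grep -Eq 'sophos-sample: user=[^ ]+ action=[^ ]+ src=[^ ]+$'
}

# Number of <rule> elements written, to confirm the file is complete.
rule_count() {
    grep -c '<rule id=' "$1/local_rules.xml"
}

write_decoder "$OUT"
write_rules "$OUT"

if fields_match "$SAMPLE"; then
    echo "sample matches the expected field layout"
fi

# Feed the sample to wazuh-logtest if this runs on a manager (path from the thread).
if [ -x /var/ossec/bin/wazuh-logtest ]; then
    printf '%s\n' "$SAMPLE" | /var/ossec/bin/wazuh-logtest
fi
```

Once the files are in place on a manager and it has been restarted, pasting the real log line into wazuh-logtest should show phase 2 naming the sophos-sample decoder with the user, action and srcip fields, and phase 3 naming rule 100101 for a blocked action; if phase 2 shows no decoder, the program name or prematch does not match the real line and has to be adjusted first.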

mahlatse kekae

Feb 28, 2025, 7:38:59 AM
to Wazuh | Mailing List
From the events I can see the SQL login failure; however, I can't see SAP logs.
sql.png

Olamilekan Abdullateef Ajani

Feb 28, 2025, 8:51:56 AM
to Wazuh | Mailing List
Hello Mahlatse,

Could you try to check the archives.json file as suggested below? Before that, try to trigger the alert from the Sophos side.

Edit the <global> section of the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the options below to yes:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Restart the Wazuh manager to apply the configuration changes:

    systemctl restart wazuh-manager

You can monitor the archives.json file with cat /var/ossec/logs/archives/archives.json | grep "sophos-type-of-log" for changes and verify that the logs are visible.

You can disable the archive logging afterwards.

The above step is to ensure the logs from the file are being processed.

If, after triggering the alert, you still cannot find it in the archives.json file, that means the logs are not being ingested into Wazuh, and you need to review the syslog integration.

mahlatse kekae

Feb 28, 2025, 9:27:08 AM
to Wazuh | Mailing List
Hi,

Thank you for your assistance. This is already in place. Do I need to define the Sophos endpoint log location?
Wazuh server.png

mahlatse kekae

Mar 3, 2025, 7:27:04 AM
to Wazuh | Mailing List
Hi all,

I still need your help with this issue.

mahlatse kekae

Mar 3, 2025, 7:31:50 AM
to Wazuh | Mailing List
Hi All,

Please see the attached ossec.conf file from my PC; I still don't see Sophos logs on the Wazuh server dashboard.

ossec.conf

Olamilekan Abdullateef Ajani

Mar 3, 2025, 8:46:08 AM
to Wazuh | Mailing List
Hello Mahlatse,

From the configuration you shared, I do not see where you defined the Sophos log path in the localfile. Please follow the steps below, as I described earlier.

  • Add the block below to the agent's ossec.conf file; this should mimic your Sophos log:

    <localfile>
      <location>/path-to-log/sophos.log</location>
      <log_format>syslog</log_format>
    </localfile>

  • Once the above is done, confirm Sophos is writing logs to the specified path by checking the file and ensuring you have the logs.
  • On the Wazuh server, enable archives to ensure Wazuh is able to collect these logs (Wazuh agent to server). Edit the <global> section of the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the options below to yes:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

    Restart the Wazuh manager to apply the configuration changes:

    systemctl restart wazuh-manager

    You can monitor the archives.json file with cat /var/ossec/logs/archives/archives.json | grep "sophos-type-of-log" for changes and verify that the logs are visible.
    You can disable the archive logging afterwards.

  • You should be able to see the logs now, but if you cannot, then you need to check the log file on the agent and ensure Sophos is forwarding logs to it.

To troubleshoot this further, please share the "C:\Program Files (x86)\ossec-agent\ossec.log" file from the Wazuh agent.

mahlatse kekae

Mar 5, 2025, 2:28:38 PM
to Wazuh | Mailing List
Hi Support,

Please find the ossec.log file for further troubleshooting.

Thank you

ossec.conf

mahlatse kekae

Mar 6, 2025, 6:05:58 AM
to Wazuh | Mailing List
Good day,

Please assist with troubleshooting.

Olamilekan Abdullateef Ajani

Mar 6, 2025, 8:44:15 AM
to Wazuh | Mailing List
Hello Mahlatse,

I believe the configuration path to capture your Sophos logs is the one below, as seen in the configuration you shared:

    <localfile>
      <location>C:\Users\MyUser\fake.txt</location>
      <log_format>syslog</log_format>
    </localfile>

I would advise that the extension be .log instead of .txt. Aside from this, could you confirm the file is receiving the logs: are there logs in the file? If not, then you need to check the syslog configuration on Sophos, as that means it is not writing to that file.

And please ensure the path is correct by right-clicking on the file and selecting "Copy as path" to capture the path before pasting it into the localfile and removing the quotes.

And again, how are you receiving the logs on the Windows endpoint? Did you set up Logstash to collect the logs from the Sophos firewall? If you don't have that, then it won't work. Logstash is a form of syslog collector for Windows; please refer to this documentation.

Once you do all these, follow the instructions stated in my previous response regarding capturing the logs and you should have the alerts on the dashboard.
