wazuh with Sophos firewall and MDM and endpoint


raouf ernest

Jan 17, 2024, 8:44:18 AM
to Wazuh | Mailing List
I need to know what the next step is after I configure config.ini with the client ID and secret and run the script siem.py. NOTE: I need this script to run automatically every 6 hours.
The script creates a folder log, and inside this folder there is a file called result.txt with the logs from Sophos Central.
I need to know, after this step, what I can do to receive this log on the Wazuh server, step by step. I'm working as a security network engineer; I don't know how to write scripts.
 
  

Oluwaseyi Soneye

Jan 17, 2024, 12:32:35 PM
to Wazuh | Mailing List
Hello,

Are you following any specific documentation? Also, can you clarify what your current setup/infrastructure looks like?

raouf ernest

Jan 21, 2024, 7:18:43 AM
to Wazuh | Mailing List
First of all, I'll tell you the steps that I took:
1 - clone https://github.com/sophos/Sophos-Central-SIEM-Integration as root
2 - the folder Sophos-Central-SIEM-Integration is created
3 - enter Sophos-Central-SIEM-Integration with the command cd Sophos-Central-SIEM-Integration
4 - edit config.ini with the client ID and client secret
5 - run siem.py with python3
6 - when I run this command it creates a folder log, and inside the folder a text file named result with the path /root/Sophos-Central-SIEM-Integration/log/
That's all. I need to know how to complete the setup to view the logs on the Wazuh dashboard and what the next steps are.

raouf ernest

Feb 5, 2024, 4:31:57 AM
to Wazuh | Mailing List
Why does nobody answer me with steps, as I did?

Hatem

Feb 6, 2024, 8:48:37 AM
to raouf ernest, Wazuh | Mailing List
Any updates 


Oluwaseyi Soneye

Feb 12, 2024, 6:34:12 AM
to Wazuh | Mailing List
Hello,

For you to be able to send such logs to Wazuh, you'll need to use syslog. Kindly follow the steps below as a guide:

Add the below configurations within the <ossec_config>  tags of the Wazuh server /var/ossec/etc/ossec.conf file for it to listen for syslog messages on TCP port 514 for example:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Where:
<connection> specifies the type of connection to accept. This value can either be secure or syslog.
<port> is the port that listens for incoming syslog messages from endpoints. We use port 514 in the example above.
<protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.
<allowed-ips> is the endpoints' IP address or network range forwarding events to the Wazuh server. In the example above, we use 192.168.2.15/24. Your Sophos firewall should fall within the range.
<local_ip> is the IP address of the Wazuh server listening for incoming log messages. In the example above, we use 192.168.2.10. You can also check the link remote - local configuration documentation for more information on remote syslog options.

Restart the Wazuh manager to apply the changes with the command: systemctl restart wazuh-manager

To configure the syslog output on your network device, kindly check Sophos Firewall official guide below:
https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/Admin[…]torHelp/SystemServices/LogSettings/SyslogServerAdd/index.html

Once you're done with the above steps, you can inspect the network activity on the Wazuh manager with the tcpdump command to check whether the syslog messages are reaching your manager. Kindly insert the right values for protocol, port and src, e.g.:
tcpdump -i any udp port 514 and src 10.0.0.2
Or you can also activate <logall> and <logall_json> in the Wazuh manager's /var/ossec/etc/ossec.conf file by changing the value from no to yes.

Make sure you restart the Wazuh manager service after making the change. Enabling those options will help to forward all logs to the manager, both those that match a rule and the ones that don't, which will help you to confirm if the Sophos logs are reaching the Wazuh manager. You can use the below command to monitor the output of the logs:
 tail -f /var/ossec/logs/archives/archives.log


Hope this helps. Cheers

raouf ernest

Feb 12, 2024, 7:07:22 AM
to Wazuh | Mailing List

First of all, I'll tell you the steps that I took:

1 - clone https://github.com/sophos/Sophos-Central-SIEM-Integration as root
2 - the folder Sophos-Central-SIEM-Integration is created
3 - enter Sophos-Central-SIEM-Integration with the command cd Sophos-Central-SIEM-Integration
4 - edit config.ini with the client ID and client secret
5 - run siem.py with python3
6 - when I run this command it creates a folder log, and inside the folder a text file named result with the path /root/Sophos-Central-SIEM-Integration/log/result.txt

A sample of the data in the result.txt file is:


{"endpoint_id": "50b932b5-14f7-4744-826e-26de8035184c", "source_info": {"ip": "192.168.1.2"}, "customer_id": "61e0e776-f1bc-47df-8ea3-febea2a23796", "severity": "low", "endpoint_type": "computer", "type": "Event::Endpoint::WebControlViolation", "group": "WEB", "id": "37ac7edf-1ba6-457f-9f39-4e0c64d6b925", "name": "'https://13.107.213.43/' blocked due to category 'Uncategorized'", "datastream": "event", "duid": "65bb6857489f8d665e3e2670", "rt": "2024-02-08T13:40:31.469Z", "end": "2024-02-08T13:40:24.000Z", "suser": "DESKTOP-UUOAIB2\\ITD", "dhost": "DESKTOP-UUOAIB2"}

{"endpoint_id": "ed862a32-809f-4aef-8c13-a384be32d453", "source_info": {"ip": "10.116.29.60"}, "customer_id": "61e0e776-f1bc-47df-8ea3-febea2a23796", "severity": "low", "endpoint_type": "computer", "type": "Event::Endpoint::Device::Blocked", "group": "PERIPHERALS", "id": "8bc77870-b95f-428d-91c7-39e675c1dcd0", "name": "Peripheral blocked: Linux File-CD Gadget USB Device", "datastream": "event", "duid": "64f849dd3fe5cb7175802a8f", "rt": "2024-02-08T13:43:07.977Z", "end": "2024-02-08T13:43:07.973Z", "suser": "Hossam AbdelHakim", "dhost": "LP-BRC-MNY-028"}

{"endpoint_id": "ed862a32-809f-4aef-8c13-a384be32d453", "source_info": {"ip": "10.116.29.60"}, "customer_id": "61e0e776-f1bc-47df-8ea3-febea2a23796", "severity": "low", "endpoint_type": "computer", "type": "Event::Endpoint::Device::Blocked", "group": "PERIPHERALS", "id": "3290e517-b857-4e4d-b73c-0109ea28a9ae", "name": "Peripheral blocked: Huawei gr5 2017", "datastream": "event", "duid": "64f849dd3fe5cb7175802a8f", "rt": "2024-02-08T13:43:07.985Z", "end": "2024-02-08T13:43:07.980Z", "suser": "Hossam AbdelHakim", "dhost": "LP-BRC-MNY-028"}

 

7 - I created a group named SophosLog and added the agent to it; the group configuration on the Wazuh manager is:

<localfile>
  <log_format>syslog</log_format>
  <location>/root/Sophos-Central-SIEM-Integration/log/result.txt</location>
</localfile>

 

 

 

8 - I created a rule file named SophosTest.xml with this configuration:

<group name="sophoslog,">
    <rule id="100080" level="0">
        <decoded_as>json</decoded_as>
        <field name="app-name">sophos</field>
        <description>Sophos central console logs</description>
    </rule>
    <rule id="100081" level="2">
        <if_sid>100080</if_sid>
        <field name="severity">low</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
    </rule>
    <rule id="100082" level="5">
        <if_sid>100080</if_sid>
        <field name="severity">medium</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
    </rule>
    <rule id="100083" level="10">
        <if_sid>100080</if_sid>
        <field name="severity">high</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
    </rule>
    <rule id="100084" level="14">
        <if_sid>100080</if_sid>
        <field name="severity">critical</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
    </rule>
</group>

9 - On the agent side I updated the agent configuration with this configuration:

 

<!--
  Wazuh - Agent - Default configuration for centos 7.9
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>10.10.2.35</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>centos, centos7, centos7.9</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <enabled>yes</enabled>
      <agent_name>SophosLog</agent_name>
      <groups>SophosLog</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    </enrollment>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>100</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>300</frequency>

    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>300</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/root/Sophos-Central-SIEM-Integration/log/result.txt</location>
  </localfile>

</ossec_config>


After that I ran this command:
cat /var/ossec/logs/archives/archives.log | grep SophosLog

and the result is attached:
New Text Document (3).txt
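A check on step 8, as an added example that is not part of the thread, of Wazuh, or of the Sophos integration. Every record in the result.txt sample posted above carries keys such as severity, type, datastream and source_info.ip, and none of them carries app-name, so the parent rule 100080 as written (<field name="app-name">sophos</field>) cannot match and no child rule can ever fire. The script below imitates, in simplified form, the two things Wazuh does with a JSON log before rule matching: flatten nested objects into dotted field names (source_info.ip) and test each <field> pattern as a regex against the decoded value, a child rule being tried only after its if_sid parent matched. The sample lines are constructed to look like the posted records; CORRECTED_RULES is the same rule set with the parent keyed on datastream, a field every posted record does carry.

```python
#!/usr/bin/env python3
"""Offline dry-run of the SophosTest.xml rules against Sophos Central JSON lines.

Added example: a simplified imitation of Wazuh's json decoder plus <field> matching,
not Wazuh code. The real check is /var/ossec/bin/wazuh-logtest on the manager.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, shaped like the result.txt records in the thread (not real data).
SAMPLE_LINES = [
    '{"endpoint_id": "e1", "source_info": {"ip": "192.168.1.2"}, "severity": "low", '
    '"type": "Event::Endpoint::WebControlViolation", "datastream": "event", "dhost": "PC-1"}',
    '{"endpoint_id": "e2", "source_info": {"ip": "10.116.29.60"}, "severity": "medium", '
    '"type": "Event::Endpoint::Device::Blocked", "datastream": "event", "dhost": "PC-2"}',
    '{"endpoint_id": "e3", "source_info": {"ip": "10.116.29.61"}, "severity": "high", '
    '"type": "Event::Endpoint::WebControlViolation", "datastream": "event", "dhost": "PC-3"}',
]


def sophos_rules(parent_field: str, parent_pattern: str) -> List[dict]:
    """The five rules of SophosTest.xml; only the parent's <field> condition varies."""
    return [
        {"id": 100080, "level": 0, "if_sid": None, "field": (parent_field, parent_pattern)},
        {"id": 100081, "level": 2, "if_sid": 100080, "field": ("severity", "low")},
        {"id": 100082, "level": 5, "if_sid": 100080, "field": ("severity", "medium")},
        {"id": 100083, "level": 10, "if_sid": 100080, "field": ("severity", "high")},
        {"id": 100084, "level": 14, "if_sid": 100080, "field": ("severity", "critical")},
    ]


# As posted: <field name="app-name">sophos</field>; no result.txt record carries that key.
POSTED_RULES = sophos_rules("app-name", "sophos")
# Same rules with the parent keyed on a field every record does carry (assumed fix).
CORRECTED_RULES = sophos_rules("datastream", "^event$")


def decode_fields(line: str) -> Optional[Dict[str, str]]:
    """Imitate the json decoder: nested objects become dotted names (source_info.ip).

    Returns None when the line is not a JSON object, i.e. the decoder would not fire.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None

    def walk(obj: dict, prefix: str, out: Dict[str, str]) -> Dict[str, str]:
        for key, value in obj.items():
            if isinstance(value, dict):
                walk(value, f"{prefix}{key}.", out)
            else:
                out[f"{prefix}{key}"] = str(value)
        return out

    return walk(event, "", {})


def evaluate(rules: List[dict], line: str) -> Optional[dict]:
    """Return the most specific rule the line triggers, or None (nothing would alert)."""
    fields = decode_fields(line)
    if fields is None:
        return None
    matched = set()
    best = None
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] not in matched:
            continue  # a child is only tried once its parent matched
        name, pattern = rule["field"]
        value = fields.get(name)
        if value is None or not re.search(pattern, value):
            continue  # an absent field never matches: the app-name problem
        matched.add(rule["id"])
        best = rule
    return best


def summarize(rules: List[dict], lines: List[str]) -> List[Optional[Tuple[int, int]]]:
    """(rule id, level) per line, None where the line would produce no alert."""
    results = []
    for line in lines:
        rule = evaluate(rules, line)
        results.append((rule["id"], rule["level"]) if rule else None)
    return results


if __name__ == "__main__":
    print("posted rules:   ", summarize(POSTED_RULES, SAMPLE_LINES))
    print("corrected rules:", summarize(CORRECTED_RULES, SAMPLE_LINES))
```

The authoritative version of this check is the manager's own tool: run /var/ossec/bin/wazuh-logtest, paste one line of result.txt, and it prints the decoder it chose and the rule that fired, if any. The localfile reading this file should also declare <log_format>json</log_format> rather than syslog, which is what Jeancar's step 7 later in the thread describes.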

Oluwaseyi Soneye

Feb 15, 2024, 9:31:00 AM
to Wazuh | Mailing List
Hello,

Can you clarify? If the requirement is to send logs to Wazuh from Sophos, you can simply use syslog and use the steps shared in the thread earlier.
If the requirement is to parse the content of the result.txt file, you would need to create a decoder and rules. More info on log collection here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html

To have a better understanding of how the decoders and rules creation work, please, take a look at the following links:


Jeancar Pérez

Feb 15, 2024, 10:33:53 AM
to Wazuh | Mailing List
Hello,
 A while ago I achieved the connection between wazuh and sophos central but I did it differently.
After step 5
6. I went to <ossec_config> and added

  <wodle name="command">
    <disabled>no</disabled>
    <tag>Sophos_Integration</tag>
    <command>/usr/bin/python3.10 /home/wazuh-user/Sophos-Central-SIEM-Integration/siem.py /home/wazuh-user/Sophos-Central-SIEM-Integration/log/result.txt</command>
    <interval>1h</interval>
    <ignore_output>yes</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
  </wodle>

In your case you must configure it with a time interval of 6 hours and the correct path; you can check it with pwd.

7. Add a localfile in json format with the specific path of result.txt

  <localfile>
    <log_format>json</log_format>
    <location>/home/wazuh-user/Sophos-Central-SIEM-Integration/log/result.txt</location>
  </localfile>

8. Save and restart Wazuh-manager

9. Enable centralized configuration in /var/ossec/etc/local_internal_options.conf and add wazuh_command.remote_commands=1

10. Check that it is working in the wazuh security events or in Management > Logs > wazuh-modulesd:command

Hope this can help you

raouf ernest

Feb 25, 2024, 5:06:23 AM
to Wazuh | Mailing List
Dear Jeancar,

Kindly, did you edit ossec_config on the server side or the client side?

raouf ernest

Feb 25, 2024, 8:24:32 AM
to Wazuh | Mailing List
Dear all,

Kindly find the logs I got from the client side, which I receive from the agent; I didn't receive any log from Sophos Central.


@timestamp          2024-02-25T12:57:25.907Z
_id                 moVX4I0BN864gPQqiVmG
agent.id            006
agent.ip            10.10.2.36
agent.name          SophosLog
data.file           /var/lib/docker/overlay2/8d9e4f52a2375da7873fd4e126f0bc85c4a37bd08e3fca8d909c97f8f05952fb/lower
data.title          File is owned by root and has written permissions to anyone.
decoder.name        rootcheck
full_log            File '/var/lib/docker/overlay2/8d9e4f52a2375da7873fd4e126f0bc85c4a37bd08e3fca8d909c97f8f05952fb/lower' is owned by root and has written permissions to anyone.
id                  1708865845.19592189
input.type          log
location            rootcheck
manager.name        Wazuh.local
rule.description    Host-based anomaly detection event (rootcheck).
rule.firedtimes     1160
rule.gdpr           IV_35.7.d
rule.groups         ossec, rootcheck
rule.id             510
rule.level          7
rule.mail           false
rule.pci_dss        10.6.1
timestamp           2024-02-25T14:57:25.907+0200

raouf ernest

Feb 25, 2024, 8:28:24 AM
to Wazuh | Mailing List
And this is the log from Central:
sophos log.JPG

Jeancar Pérez

Feb 26, 2024, 10:01:43 AM
to Wazuh | Mailing List
You must make the modification in the Wazuh ossec config on the server, but first try this command.
If the result.txt logs are updated, you are close to completing the integration. Remember to change the path to the correct one, change the version of Python you use, and run the script as root.
/usr/bin/python3.10 /home/path-to/Sophos-Central-SIEM-Integration/siem.py /home/path-to/Sophos-Central-SIEM-Integration/log/result.txt

If everything is OK you should create a bash script to run the script; let me know how it goes so I can help you with the next step.

raouf ernest

Feb 27, 2024, 4:46:21 AM
to Wazuh | Mailing List
Step 7: "Add a localfile in json format with the specific path of result.txt"

Do you mean to put this configuration in the agent?

raouf ernest

Feb 27, 2024, 5:43:57 AM
to Wazuh | Mailing List

Jeancar Pérez

Feb 27, 2024, 1:44:31 PM
to Wazuh | Mailing List
Dear, you must also add the localfile on the server; you can add it almost at the end to keep the configuration organized, and it must have the specific path of result.txt.
Did you manage to try the command? If so, can I update the logs?

Jeancar Pérez

Feb 27, 2024, 1:53:21 PM
to Wazuh | Mailing List
If everything is fine, on the wazuh server go to Management > Logs > wazuh-modulesd:command.
Otherwise, send a capture about the error you have.
wazuh-sophos.PNG

raouf ernest

Mar 12, 2024, 5:35:17 AM
to Wazuh | Mailing List
I have this error:
error wazuh.jpg

raouf ernest

Mar 12, 2024, 7:50:29 AM
to Wazuh | Mailing List
Kindly note that I have the logs on another server:
Wazuh server IP 10.10.2.35
Sophos log server 10.10.2.36

Jeancar Pérez

Mar 14, 2024, 4:50:44 PM
to Wazuh | Mailing List
I think it is due to an internal Wazuh error, I wouldn't be able to give you a solution.

Jeancar Pérez

Mar 14, 2024, 4:53:37 PM
to Wazuh | Mailing List
If you have the Sophos logs on another server, I think you should use another configuration, I used the same Wazuh server to generate the script and obtain the Sophos logs.
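Jeancar's closing point (siem.py and the Wazuh manager on different hosts) and Oluwaseyi's earlier <remote> syslog listener fit together: the host that runs the script can push each line of result.txt to the manager over plain syslog, with no agent involved. The forwarder below is an added example written for this thread; it is not code from the Sophos integration, from Wazuh, or from anyone in the thread. It assumes the manager's ossec.conf carries the <remote> block posted earlier (connection syslog, TCP, port 514), that the sending host (10.10.2.36 in the thread) falls inside <allowed-ips>, that result.txt holds one JSON object per line with the severity and dhost keys seen in the posted sample, and that the Sophos-severity-to-syslog-severity mapping is a choice of mine. Each event is wrapped in a BSD-style syslog line with the JSON object as the message after the program name, so what reaches the manager's decoders is the JSON itself; non-JSON lines are counted and skipped rather than forwarded as junk.

```python
#!/usr/bin/env python3
"""Forward Sophos-Central-SIEM-Integration/log/result.txt to a Wazuh syslog listener.

Added example for the thread above, not the integration's or Wazuh's own code.
Assumes the manager has <remote><connection>syslog</connection><port>514</port>
<protocol>tcp</protocol> ... </remote> and this host is inside <allowed-ips>.
"""
import json
import socket
import sys
import time
from typing import Callable, Iterable, Optional, Tuple

FACILITY_USER = 1
# Sophos Central severity -> syslog severity value (my own mapping; adjust as needed).
SYSLOG_SEVERITY = {"low": 6, "medium": 4, "high": 3, "critical": 2}


def build_syslog_frame(json_line: str, now: Optional[float] = None) -> Optional[bytes]:
    """Wrap one result.txt record as: <PRI>Mon DD HH:MM:SS HOST sophos: {json}\\n

    Returns None for blank or non-JSON lines so callers skip them instead of
    forwarding garbage to the manager.
    """
    text = json_line.strip()
    if not text:
        return None
    try:
        event = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    severity = SYSLOG_SEVERITY.get(str(event.get("severity", "")).lower(), 6)
    pri = FACILITY_USER * 8 + severity
    t = time.localtime(now)  # now=None means the current time
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    # The syslog HOSTNAME field may not contain spaces; fall back to our own name.
    names = str(event.get("dhost") or "").split()
    host = names[0] if names else socket.gethostname()
    payload = json.dumps(event, separators=(",", ":"))  # one line, no embedded newlines
    return f"<{pri}>{stamp} {host} sophos: {payload}\n".encode("utf-8")


def forward_lines(lines: Iterable[str], send: Callable[[bytes], None]) -> Tuple[int, int]:
    """Hand every well-formed record to send(frame). Returns (sent, skipped)."""
    sent = skipped = 0
    for raw in lines:
        frame = build_syslog_frame(raw)
        if frame is None:
            if raw.strip():
                skipped += 1  # non-empty but not a JSON object
            continue
        send(frame)
        sent += 1
    return sent, skipped


def forward_file(path: str, send: Callable[[bytes], None]) -> Tuple[int, int]:
    with open(path, encoding="utf-8") as fh:
        return forward_lines(fh, send)


def main(argv):
    if len(argv) != 4:
        sys.exit(f"usage: {argv[0]} /path/to/result.txt MANAGER_IP PORT")
    path, manager, port = argv[1], argv[2], int(argv[3])
    with socket.create_connection((manager, port), timeout=10) as sock:
        sent, skipped = forward_file(path, sock.sendall)
    print(f"sent {sent} events to {manager}:{port}, skipped {skipped} malformed lines")


if __name__ == "__main__":
    main(sys.argv)
```

Run it right after siem.py from the same scheduler that runs the script every 6 hours (for example python3 forward.py /root/Sophos-Central-SIEM-Integration/log/result.txt 10.10.2.35 514 on the log host), then confirm arrival on the manager with the tcpdump filter and the <logall> plus tail -f /var/ossec/logs/archives/archives.log check from Oluwaseyi's post. Events arriving this way are attributed to the sending IP rather than to an agent, so the agent group and agent-side localfile are not needed for them; the rules still have to match a field the JSON actually carries.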