Sophos Central Logs - Api Integration - Logs not visible in dashboard


vault wazuh

Jun 6, 2023, 1:39:24 AM
to Wazuh mailing list
Hi Team,

We have done the Sophos integration using the Sophos SIEM API. The log data is pulled from Sophos Central through the Sophos SIEM API by the Wazuh server running on VirtualBox, installed from the Wazuh OVA.

The file result.txt, where the log data is stored, has been added to the localfile tag in the ossec.conf file on the server. I can see in the logs that the included file has been processed by the Wazuh manager. The issue we have encountered is that when we try to visualize the logs from Sophos Central in Wazuh Discover, we are unable to view the logs. Requesting support and guidance on what we could be doing wrong or what needs to be done to resolve the issue.


Attachments:
Sophos Logs - Log Test - Wazuh Decoder.png
Sophos - Api Call - Logs - Result File.png
Wazuh - Logcollector - Analyzing File - Result File Included.png

Gonzalo Membrillo Solbes

Jun 6, 2023, 3:34:04 AM
to Wazuh mailing list
Hello,

Thank you for all the information you have provided alongside your inquiry. Thanks to the logtest image, we can verify that, while the JSON decoder correctly extracts information from the log you fed it, it triggers no rules.
Generally speaking, when you test an event on the logtest, there are 3 phases. As you have seen, phases 1 and 2 relate to decoding the message, while phase 3 matches the decoded information to an existing rule within your environment. Since phase 3 is missing from your screenshot, we can verify that your logs do not match any rules in the default ruleset and, as such, you will need to make some custom rules to match your criteria.
We have some handy guides that cover this process, as well as documentation that explains the syntax and capabilities of the ruleset. I will link both of those here:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Once you have made some rules that trigger on your specific logs, you will begin seeing the alerts appear on your dashboard, both on the Discover tab and in Wazuh's Security Events module.
I hope you find this helpful. Do feel free to let us know if you need anything else.

Best regards,
Gonzalo
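As an added illustration of the custom rules Gonzalo describes (this is example configuration written for this thread, not the original poster's setup and not part of the Wazuh ruleset), the snippet below shows a `<localfile>` entry that feeds the result file to the JSON decoder, followed by two rules in `/var/ossec/etc/rules/local_rules.xml`. The file path, the rule IDs and the field names (`type`, `name`, `location`) are assumptions: the path is a placeholder, the IDs sit in the 100000+ range Wazuh reserves for custom rules, and the field names are modelled on the Sophos Central SIEM API event schema, so they must be checked against the keys the logtest shows in phase 2 before the rules will fire.

```xml
<!-- ossec.conf (manager): read result.txt one JSON object per line.
     The location is a placeholder; replace it with the real path to result.txt. -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/path/to/result.txt</location>
  </localfile>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml: custom rules for the decoded Sophos events.
     Field names are assumptions based on the Sophos Central SIEM API schema. -->
<group name="sophos,sophos_central,">

  <!-- Parent rule: any JSON-decoded event whose "type" field looks like a Sophos event type.
       Level 3 is the default alert threshold, so this already reaches alerts.json and Discover. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="type">^Event::</field>
    <description>Sophos Central event: $(type)</description>
  </rule>

  <!-- Child rule: raise the level for endpoint threat events so they stand out in Security Events. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="type">^Event::Endpoint::Threat::</field>
    <description>Sophos Central threat on $(location): $(name)</description>
  </rule>

</group>
```

After restarting the manager, one line from result.txt can be pasted into `/var/ossec/bin/wazuh-logtest` to confirm that phase 3 now reports rule 100100 or 100101. Two checks are worth doing if alerts still do not appear: the rule level must be at least the manager's `log_alert_level` (3 by default), since Discover reads the `wazuh-alerts-*` index built from alerts.json rather than from the raw log, and the regex in `<field>` must match the exact value of the decoded key, because a field name that differs from the JSON key (for example `event_type` instead of `type`) silently matches nothing.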