Hi all,
I am learning to integrate the Sophos API with Wazuh so that I can get logs from Sophos AVs and Sophos FWs. I saw the scripts provided by Sophos for integration with SIEMs (https://github.com/sophos/Sophos-Central-SIEM-Integration). What I understand from the articles is that we need to run the script periodically, with Sophos API credentials, to call the Sophos API. The scripts are run from the same CentOS 7 machine where Wazuh is installed (I am using the Wazuh OVA downloaded from the Wazuh website, running inside VirtualBox).
1. Is there any specific place in the CentOS file system from where the script should be run? If needed, where can I create a new folder to run the scripts? (I am very new to Linux.)
The next thing I believe is that when the logs reach the Wazuh server, they are stored in a text file called result.txt.
2. I need them to be analysed by the decoders and then by the rules. The logs shouldn't stop their journey there at result.txt. How can I get these logs decoded and have them trigger rules if the conditions are met?
Thanks
Jayakrishnan