Wazuh and Sophos Integration.


Vyom Thaker

Sep 30, 2022, 5:08:39 AM
to Wazuh mailing list
I am working on Wazuh and Sophos firewall integration and I am unable to get any information on it. Please guide me on this. I will be very grateful.

Vyom Thaker

Sep 30, 2022, 5:21:03 AM
to Wazuh mailing list
Hello everyone,
I am working on a project, "Wazuh integration with Sophos and WatchGuard firewall", and I am very confused about how the logs will reach Elastic. Can someone guide me on this?

Vyom Thaker

Oct 1, 2022, 12:05:18 AM
to Wazuh mailing list
I have configured syslog on my Sophos firewall, but from this point I am totally clueless. Can someone guide me on this? Any effort will be highly appreciated.


Thanks & Regards
Vyom Thaker  

Vyom Thaker

Oct 3, 2022, 8:47:35 AM
to Wazuh mailing list
Please guide me as soon as possible; I am eagerly waiting for your guidance.
Regards & Thanks

Christian Borla

Oct 24, 2022, 8:56:06 AM
to Wazuh mailing list
Hi Vyom Thaker,
I hope you are doing fine!
Sorry for the delay!

Wazuh already supports a group of Sophos logs: the decoders are 0300-sophos_decoders.xml and 0510-sophos_fw_decoders.xml, and the rules are 0415-sophos_rules.xml and 0705-sophos_fw_rules.xml.
But it looks like some Sophos firewall events are not supported. I found this example in the community chat, and it's not working:

root@wazuh-master:/# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.8
Type one log per line

device=\"SFW\" date=2022-09-23 time=11:33:03 timezone=\"+03\" device_name=\"SFVUNL\" device_id=C01001GF2GVW9A4 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=x.x.x.x IP_HOST_NAME='Rint' message=\"IP Host 'Rint' settings were changed by 'admin' from 'x.x.x.x' using 'GUI'\"

**Phase 1: Completed pre-decoding.
    full event: 'device=\"SFW\" date=2022-09-23 time=11:33:03 timezone=\"+03\" device_name=\"SFVUNL\" device_id=C01001GF2GVW9A4 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=x.x.x.x IP_HOST_NAME='Rint' message=\"IP Host 'Rint' settings were changed by 'admin' from 'x.x.x.x' using 'GUI'\"'

**Phase 2: Completed decoding.
    No decoder matched.


Could you share an example log to test with?

The common way to collect events from Sophos is forwarding the Sophos logs by syslog.
This is an example syslog configuration. If you want to collect the events on the manager, set it in ossec.conf on the manager side; if you want to collect them on the agent, set it in ossec.conf on the agent side. Also configure your Sophos to forward events to the manager/agent IP on port 514.

    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <!-- IP address of the Sophos firewall that sends the syslog stream -->
      <allowed-ips>your sophos ip</allowed-ips>
    </remote>
Always restart the agent or manager when its ossec.conf file changes.

It's possible to enable the archives.json file to check whether events are arriving at the manager. Events, before being processed, should be in /var/ossec/logs/archive/archives.json. If the archives file doesn't exist, enable it in the manager's ossec.conf file by including the logall options as in the following configuration:

    <ossec_config>
        <global>
             <alerts_log>yes</alerts_log>
             <!-- logall writes archives.log; logall_json is what produces archives.json -->
             <logall>yes</logall>
             <logall_json>yes</logall_json>
        </global>
    </ossec_config>

Then restart the manager. If you find some Sophos events in /var/ossec/logs/archive/archives.json, it means event collection is working.
Let me know if this information is useful.
Regards.
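Added example, not code from the thread or from the Wazuh project: the "No decoder matched" result above means the Sophos key=value event never got its fields extracted, so nothing downstream could fire. The Python below parses that exact line (with the backslash-escaped quotes from the paste undone) into fields, reports which fields a custom decoder would have to capture, and runs two hypothetical rule checks over it and over a few constructed lines in the same shape. The rule names (sophos_admin_config_change, sophos_auth_failure), the threshold, and the constructed Authentication lines with their src_ip values are assumptions for illustration, not real Sophos output or Wazuh rule IDs.

```python
import re
from collections import Counter

# The Sophos firewall line from the wazuh-logtest run in the thread (IPs already masked there),
# with the backslash-escaped quotes from the paste undone so it reads as real syslog output would.
SAMPLE_FROM_THREAD = (
    'device="SFW" date=2022-09-23 time=11:33:03 timezone="+03" device_name="SFVUNL" '
    'device_id=C01001GF2GVW9A4 log_id=062009617502 log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Successful" priority=Information user_name="admin" '
    "src_ip=x.x.x.x IP_HOST_NAME='Rint' "
    'message="IP Host \'Rint\' settings were changed by \'admin\' from \'x.x.x.x\' using \'GUI\'"'
)

# Constructed lines (hypothetical, not real Sophos output) in the same key=value shape,
# used only to exercise the failed-login detection below.
CONSTRUCTED_LINES = [
    'device="SFW" date=2022-09-23 time=11:40:10 timezone="+03" device_name="SFVUNL" '
    'log_type="Event" log_component="GUI" log_subtype="Authentication" status="Failed" '
    'priority=Information user_name="admin" src_ip=10.0.0.5 message="Login failed"',
    'device="SFW" date=2022-09-23 time=11:40:14 timezone="+03" device_name="SFVUNL" '
    'log_type="Event" log_component="GUI" log_subtype="Authentication" status="Failed" '
    'priority=Information user_name="admin" src_ip=10.0.0.5 message="Login failed"',
    'device="SFW" date=2022-09-23 time=11:41:02 timezone="+03" device_name="SFVUNL" '
    'log_type="Event" log_component="GUI" log_subtype="Authentication" status="Successful" '
    'priority=Information user_name="admin" src_ip=10.0.0.7 message="Login succeeded"',
]

# key=value pairs: the value is double-quoted, single-quoted, or a bare token without spaces.
# Quoted values may contain spaces and the other quote character, as the message field does.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

# Fields a custom decoder for this event type would have to capture to be usable in rules.
REQUIRED_FIELDS = ("device", "log_type", "log_component", "log_subtype", "status")


def normalize(line):
    """Undo the \\" escaping that appears when a line is pasted out of JSON (as in the thread)."""
    return line.replace('\\"', '"')


def parse_sophos_kv(line):
    """Turn one Sophos key=value syslog line into a dict of field name -> string value."""
    fields = {}
    for m in KV_RE.finditer(normalize(line)):
        key, dq, sq, bare = m.groups()
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def missing_fields(fields):
    """Names from REQUIRED_FIELDS absent from a parsed event (empty tuple means decodable)."""
    return tuple(f for f in REQUIRED_FIELDS if f not in fields)


def classify(fields):
    """Hypothetical rule IDs (not Wazuh's own) for the two event shapes in this example."""
    if fields.get("log_type") != "Event":
        return None
    subtype, status = fields.get("log_subtype"), fields.get("status")
    if subtype == "Admin" and status == "Successful":
        return "sophos_admin_config_change"
    if subtype == "Authentication" and status == "Failed":
        return "sophos_auth_failure"
    return None


def failed_logins_by_ip(lines, threshold=2):
    """Source IPs with at least `threshold` failed GUI logins (a frequency-style rule)."""
    counts = Counter()
    for line in lines:
        fields = parse_sophos_kv(line)
        if classify(fields) == "sophos_auth_failure":
            counts[fields.get("src_ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_sophos_kv(SAMPLE_FROM_THREAD)
    print("missing:", missing_fields(ev) or "none")
    print("rule:", classify(ev), "user:", ev["user_name"], "object:", ev["IP_HOST_NAME"])
    print("brute-force candidates:", failed_logins_by_ip(CONSTRUCTED_LINES))
```

Running it on the thread's line yields 16 fields and the admin-change verdict; the failed-login counter flags 10.0.0.5 from the constructed lines. The regex is the part to carry over into a Wazuh decoder: the three value styles (double-quoted, single-quoted, bare) all occur in one line, so a decoder that only handles double quotes will drop src_ip and IP_HOST_NAME.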