Need assistance to integrate sophos central with wazuh

532 views

Meraz Khan

May 6, 2024, 4:01:35 AM
to Wazuh | Mailing List
Dear Support
First of all, I'll tell you the steps that I took:
1 - Clone https://github.com/sophos/Sophos-Central-SIEM-Integration as root.
2 - The folder Sophos-Central-SIEM-Integration is created.
3 - Change into Sophos-Central-SIEM-Integration with the command cd Sophos-Central-SIEM-Integration.
4 - Edit config.ini with the client ID and client secret.
5 - Run siem.py with python3.
6 - When I run this command it creates a folder log and, inside the folder, a text file named result with the path /root/Sophos-Central-SIEM-Integration/log/result.txt.
7 - Edit the Wazuh agent configuration file (/var/ossec/etc/ossec.conf) to monitor the file where the Sophos logs are stored, with this configuration:
    <localfile>
      <log_format>syslog</log_format>
      <location>/root/Sophos-Central-SIEM-Integration/log/result.txt</location>
    </localfile>
8 - I created a group SophosLog and added the agent to the group.
The group configuration is:
    <agent_config>
      <localfile>
        <log_format>syslog</log_format>
        <location>/root/Sophos-Central-SIEM-Integration/log/result.txt</location>
      </localfile>
    </agent_config>
9 - Create the rules file sample-rules-Sophos.xml with this configuration:
    <group name="sophoslog,">
      <rule id="100075" level="0">
        <decoded_as>json</decoded_as>
        <field name="app-name">sophos</field>
        <description>Sophos central console logs</description>
      </rule>
      <rule id="100076" level="2">
        <if_sid>100075</if_sid>
        <field name="severity">low</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
      </rule>
      <rule id="100077" level="5">
        <if_sid>100075</if_sid>
        <field name="severity">medium</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
      </rule>
      <rule id="100078" level="10">
        <if_sid>100075</if_sid>
        <field name="severity">high</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
      </rule>
      <rule id="100079" level="14">
        <if_sid>100075</if_sid>
        <field name="severity">critical</field>
        <description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
      </rule>
    </group>
At last, I can't see the logs on the dashboard. What is the next step, or is anything in this configuration wrong?
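An added example, not from this thread and not Wazuh's or Sophos's own code: a small Python simulation of how the posted rule set is applied to lines read from result.txt. It reproduces the points that decide whether anything reaches the dashboard: only lines beginning with `{` are handled by the JSON decoder, nested keys are flattened to dotted names such as source_info.ip, the level-0 parent rule must match before any if_sid child is tried, and a level-0 match never becomes an alert. The sample events are constructed to fit the field names used in the rules; they are not the real Sophos Central SIEM event schema. Comparing its verdict with what /var/ossec/bin/wazuh-logtest prints for a real line from result.txt shows which of these conditions is failing.

```python
import json
import re
import xml.etree.ElementTree as ET

# The rule set exactly as posted in sample-rules-Sophos.xml above.
RULES_XML = """<group name="sophoslog,">
<rule id="100075" level="0">
<decoded_as>json</decoded_as>
<field name="app-name">sophos</field>
<description>Sophos central console logs</description>
</rule>
<rule id="100076" level="2">
<if_sid>100075</if_sid>
<field name="severity">low</field>
<description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
</rule>
<rule id="100077" level="5">
<if_sid>100075</if_sid>
<field name="severity">medium</field>
<description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
</rule>
<rule id="100078" level="10">
<if_sid>100075</if_sid>
<field name="severity">high</field>
<description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
</rule>
<rule id="100079" level="14">
<if_sid>100075</if_sid>
<field name="severity">critical</field>
<description>Sophos: $(severity) severity log on $(source_info.ip): $(type)</description>
</rule>
</group>"""

# Constructed sample lines standing in for result.txt. The key names follow the
# posted rules; this is NOT the real Sophos Central SIEM event schema.
SAMPLE_LINES = [
    '{"app-name": "sophos", "severity": "high", "type": "Event::Endpoint::Threat::Detected", "source_info": {"ip": "10.0.0.5"}}',
    '{"app-name": "sophos", "severity": "low", "type": "Event::Endpoint::Registered", "source_info": {"ip": "10.0.0.6"}}',
    '{"app-name": "sophos", "severity": "info", "type": "Event::Endpoint::Heartbeat", "source_info": {"ip": "10.0.0.7"}}',
    '{"severity": "critical", "type": "Event::Endpoint::Threat::Detected", "source_info": {"ip": "10.0.0.8"}}',
    "2024-05-06T04:01:35Z siem.py started",
]


def flatten(obj, prefix=""):
    """Flatten nested JSON to dotted keys (source_info.ip), as the Wazuh JSON decoder exposes them."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = str(value)
    return out


def load_rules(xml_text):
    """Parse the <rule> elements into plain dicts, keeping file order."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": r.get("id"), "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"), "if_sid": r.findtext("if_sid"),
            "fields": {f.get("name"): f.text for f in r.findall("field")},
            "description": r.findtext("description") or "",
        })
    return rules


def fields_match(rule, event):
    # <field> patterns are regexes tested against the decoded value; re.search approximates OS_Regex.
    return all(event.get(n) is not None and re.search(p, event[n]) for n, p in rule["fields"].items())


def evaluate(line, rules):
    """Return (rule id, level, rendered description) of the winning rule, or None if nothing matches."""
    line = line.strip()
    if not line.startswith("{"):
        return None  # never reaches the json decoder, so <decoded_as>json</decoded_as> cannot match
    try:
        event = flatten(json.loads(line))
    except json.JSONDecodeError:
        return None
    parent = next((r for r in rules if not r["if_sid"] and r["decoded_as"] == "json" and fields_match(r, event)), None)
    if parent is None:
        return None
    best = parent
    for r in rules:  # children reached via if_sid; the highest-level match wins
        if r["if_sid"] == parent["id"] and r["level"] > best["level"] and fields_match(r, event):
            best = r
    description = re.sub(r"\$\((.*?)\)", lambda m: event.get(m.group(1), ""), best["description"])
    return best["id"], best["level"], description


def alerts(lines, rules, min_level=1):
    """Only matches at level 1 or above become alerts; a level-0 parent match is silent."""
    results = [evaluate(l, rules) for l in lines]
    return [r for r in results if r is not None and r[1] >= min_level]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_LINES, load_rules(RULES_XML)):
        print(hit)
```

Of the five constructed lines only the first two alert: the "info" event matches the level-0 parent and stops there, the event without app-name never matches the parent so its children are not even tried, and the plain-text line bypasses the JSON decoder entirely. The same three failure modes are what to look for in the wazuh-logtest output for a real result.txt line.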

John E

May 6, 2024, 4:47:08 AM
to Wazuh | Mailing List
Hello @Meraz,

Sophos allows for Direct syslog integration.
With Wazuh running as a syslog server you could configure Sophos to send syslog events directly to Wazuh.
Also, Wazuh already has inbuilt decoders for Sophos logs.
Is there any particular reason you would not want to follow this route?

Regards

Meraz Khan

May 6, 2024, 5:35:18 AM
to Wazuh | Mailing List
Hi John,
So can you help me with the directions, like step by step, so I can achieve this one? See, I am new to Wazuh. Just if you have another way, please let me know.

John E

May 6, 2024, 5:54:43 AM
to Wazuh | Mailing List
Hello Meraz,

First you would want to configure your Wazuh server to double up as a syslog server, if you have not done so. To do that, follow the below steps.

1. Add the below configuration in-between the <ossec_config> tags in the Wazuh manager's ossec.conf file.
    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>192.168.2.15/24</allowed-ips>
      <local_ip>192.168.2.10</local_ip>
    </remote>

    Note: Make sure the subnet within the allowed-ips tag reflects your environment's subnet; if you do not know this or you are not sure, please allow from everything by using 0.0.0.0/0.
    Also, the local_ip tag should be the IP address of the Wazuh manager (which is now our syslog server).

2. Restart the Wazuh manager.
     systemctl restart wazuh-manager
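An added helper for step 1 above, not from this thread and not part of Wazuh: it renders the <remote> syslog listener block from validated values, shows which network an allowed-ips CIDR actually denotes (192.168.2.15/24 is a host address with a /24 mask, so the whole 192.168.2.0/24 is allowed) and flags a world-open 0.0.0.0/0, then inserts the block into a manager ossec.conf without duplicating an existing syslog listener. The port, protocol and addresses are the ones John gave; the ossec.conf text is a constructed minimal file, and the global jsonout_output setting in it is only there so the sample is not empty.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal manager ossec.conf. A real one is much longer and may
# contain several top-level <ossec_config> blocks, which is why the checks
# below wrap the text before parsing it.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
"""


def normalize_network(cidr):
    """The network a CIDR denotes: 192.168.2.15/24 is the whole 192.168.2.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet may submit syslog."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def build_remote_block(port, protocol, allowed_ips, local_ip):
    """Render the <remote> syslog listener block after validating every value."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    ipaddress.ip_address(local_ip)  # raises ValueError if this is not an address
    lines = ["<remote>", "  <connection>syslog</connection>",
             f"  <port>{port}</port>", f"  <protocol>{protocol}</protocol>"]
    lines += [f"  <allowed-ips>{normalize_network(c)}</allowed-ips>" for c in allowed_ips]
    lines += [f"  <local_ip>{local_ip}</local_ip>", "</remote>"]
    return "\n".join(lines)


def add_syslog_remote(conf_text, block):
    """Insert the block before the last </ossec_config>; no-op if a syslog listener already exists."""
    if "<connection>syslog</connection>" in conf_text:
        return conf_text
    idx = conf_text.rfind("</ossec_config>")
    if idx < 0:
        raise ValueError("no </ossec_config> found in configuration")
    indented = "\n".join("  " + line for line in block.splitlines())
    return conf_text[:idx] + indented + "\n" + conf_text[idx:]


def is_well_formed(conf_text):
    """Parse check that tolerates the multiple root elements ossec.conf allows."""
    try:
        ET.fromstring(f"<wrap>{conf_text}</wrap>")
        return True
    except ET.ParseError:
        return False


def syslog_listeners(conf_text):
    """List (port, protocol, allowed-ips) for every syslog <remote> in the file."""
    root = ET.fromstring(f"<wrap>{conf_text}</wrap>")
    found = []
    for remote in root.iter("remote"):
        if remote.findtext("connection") == "syslog":
            found.append((int(remote.findtext("port")), remote.findtext("protocol"),
                          [a.text for a in remote.findall("allowed-ips")]))
    return found


if __name__ == "__main__":
    block = build_remote_block(514, "tcp", ["192.168.2.15/24"], "192.168.2.10")
    conf = add_syslog_remote(SAMPLE_OSSEC_CONF, block)
    print(conf)
    print(syslog_listeners(conf))
    for net in ("192.168.2.15/24", "0.0.0.0/0"):
        print(net, "->", normalize_network(net), "(world-open)" if is_world_open(net) else "(scoped)")
```

After writing the result back to /var/ossec/etc/ossec.conf the manager still has to be restarted as in step 2; syslog_listeners() run on the final file is a quick way to confirm the port and allowed network that will actually be in effect.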

John E

May 6, 2024, 6:02:50 AM
to Wazuh | Mailing List
Here is the reference for the Wazuh syslog configuration: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

Secondly, after setting up Wazuh as a syslog server you will have to add the syslog connection details to Sophos.

Take note of the below.
  • In the IP Address/Domain section you are to use the IP address of the Wazuh server (which has also become our syslog server).
  • You do not need to tick the secure log transmission option.
  • Enter the port as you have defined in the Wazuh ossec.conf file.

John E

May 6, 2024, 6:04:17 AM
to Wazuh | Mailing List
General Note: If your solution is the Sophos Central cloud, then the path I explained does not apply.

Meraz Khan

May 7, 2024, 3:40:26 AM
to Wazuh | Mailing List
Hi John, I have configured the Wazuh syslog server
but am not able to do this one:

Secondly, after setting up Wazuh as a syslog server you will have to add the syslog connection details to Sophos.
To achieve this, Sophos has detailed documentation to follow: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html , like how and where I have to do this, agent side or Wazuh manager? I have a Linux Ubuntu machine as well as macOS, so please help me out with this.

Waiting for your response.

John E

May 7, 2024, 5:52:40 AM
to Wazuh | Mailing List
Which Sophos Firewall are you using?
Can you get the name and version number?
