Sophos SIEM integration


Jayakrishnan

Mar 23, 2023, 2:11:32 AM3/23/23
to Wazuh mailing list
Hi all

I am integrating Sophos logs with Wazuh using the scripts provided by Sophos. I currently do it by running the script and getting the logs into result.txt. I then configured the Wazuh manager to monitor this log file locally. All is working as of now. Is this the right way to do it? I noticed a portion in the script provided by Sophos about syslog:
# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
# append_nul will append null at the end of log message if set to true
address = /var/run/syslog
facility = daemon
socktype = udp
append_nul = false
I didn't understand what they meant by remote address or how syslog comes in here. Can someone explain?

Francis Timilehin Jeremiah

Mar 23, 2023, 3:18:27 AM3/23/23
to Wazuh mailing list
Hello, thanks for using Wazuh.

You can configure the Wazuh agent to collect Sophos logs as you did, or configure Sophos to send its logs to a syslog server and then have Wazuh collect the logs from the syslog server. The remote address in this case is the IP of the syslog server. To configure the Wazuh server to collect syslog, check this documentation out. You will find these other links useful:
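
The two delivery paths described in the answer above, as an added example that is not part of this thread or of Sophos's script: it interprets the `address`, `facility`, `socktype` and `append_nul` keys quoted in the question the way the script's own comments describe them (a path such as /dev/log means a local Unix-domain socket; `ip:port` means a remote collector, which is where a Wazuh manager listening for syslog would sit), formats each event as an RFC 3164 syslog line, and parses the lines back the way a receiver would. The event records, the hostname `sophos-siem` and the tag `sophos` are constructed for illustration and are not real Sophos Central output; `loopback_demo` stands in for the collector by listening on a UDP loopback port so the whole thing runs offline.

```python
"""Added example: what the syslog settings in the Sophos script's config mean.
Not the script's own code; event data below is constructed."""
import datetime
import json
import re
import socket

# Syslog facility names -> codes (RFC 3164 table); "daemon" = 3 as in the snippet.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEV_INFO = 6  # severity "informational"

# Constructed config mirroring the keys quoted in the thread (values are assumptions).
CONFIG = {"address": "192.1.2.3:514", "facility": "daemon",
          "socktype": "udp", "append_nul": "false"}

# Constructed sample events; field names are illustrative, not Sophos Central's.
SAMPLE_EVENTS = [
    {"type": "Event::Endpoint::Threat::Detected", "endpoint": "ws-042", "name": "EICAR-AV-Test"},
    {"type": "Event::Endpoint::UpdateSuccess", "endpoint": "ws-042"},
]


def parse_address(address):
    """A leading '/' means a local Unix-domain socket path (/dev/log,
    /var/run/syslog); otherwise expect <ip>:<port> for a remote collector."""
    if address.startswith("/"):
        return "unix", address
    host, sep, port = address.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected <ip>:<port> or a socket path, got {address!r}")
    return "inet", (host, int(port))


def priority(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity (daemon/info = 30)."""
    return FACILITIES[facility] * 8 + severity


def format_syslog(facility, hostname, tag, event, when, append_nul=False):
    """Build '<PRI>Mmm dd HH:MM:SS host tag: msg'; the event travels as compact JSON."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded per RFC 3164
    line = f"<{priority(facility, SEV_INFO)}>{ts} {hostname} {tag}: " \
           f"{json.dumps(event, separators=(',', ':'))}"
    if append_nul:  # what append_nul = true would do
        line += "\0"
    return line.encode()


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$", re.S)


def parse_syslog(data):
    """Receiver-side check: decode a datagram the way a collector would."""
    m = SYSLOG_RE.match(data.decode().rstrip("\0"))
    if not m:
        raise ValueError(f"not an RFC 3164 line: {data!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "tag": m["tag"], "event": json.loads(m["msg"])}


def send_events(config, events, hostname="sophos-siem", tag="sophos"):
    """Open the socket the config describes and ship each event; returns the count."""
    kind, target = parse_address(config["address"])
    append_nul = config.get("append_nul", "false").lower() == "true"
    tcp = kind == "inet" and config.get("socktype", "udp").lower() == "tcp"
    if kind == "unix":
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    sent = 0
    with sock:
        sock.connect(target)
        for event in events:
            line = format_syslog(config["facility"], hostname, tag, event,
                                 datetime.datetime.now(), append_nul)
            if tcp:
                line += b"\n"  # TCP syslog needs a record delimiter (RFC 6587 framing)
            sock.sendall(line)
            sent += 1
    return sent


def loopback_demo(events=SAMPLE_EVENTS):
    """Stand in for the remote collector: listen on a UDP loopback port, point the
    config's address at it, send, and return what arrived, parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        host, port = listener.getsockname()
        cfg = dict(CONFIG, address=f"{host}:{port}")
        n = send_events(cfg, events)
        return [parse_syslog(listener.recv(65535)) for _ in range(n)]


if __name__ == "__main__":
    for record in loopback_demo():
        print(record)
```

On the Wazuh side the matching listener is the `<remote>` block in ossec.conf with `<connection>syslog</connection>`, the same port and protocol as the script's `address`/`socktype`, and an `<allowed-ips>` entry covering the host that runs the script, which Wazuh requires for syslog input. Plain UDP syslog is neither authenticated nor encrypted and datagrams are silently lost when the collector is down, so keep it on a trusted management network and compare counts on both ends when validating the pipeline.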

Jayakrishnan

Mar 23, 2023, 5:33:40 AM3/23/23
to Wazuh mailing list
Thanks a lot for the information, Francis