Sophos Logs are not showing in Wazuh


Sayontani Bose

Aug 27, 2020, 1:55:13 AM
to Wazuh mailing list

Hi All

I have configured the Sophos API integration, made the changes in the config.ini file, and run the siem.py file with python3:

[Attachment: Screenshot from 2020-08-27 11-19-21.png]

And also made changes in the ossec.conf file:
[Attachment: Screenshot from 2020-08-27 11-21-24.png]

So after running siem.py the logs are coming into result.txt, but the logs are not coming through and are not showing in Wazuh.

Please help me with it.

Thanks & Regards
Sayontani

Francisco Navarro

Aug 27, 2020, 3:42:28 AM
to Wazuh mailing list

Greetings,


Apparently it seems that everything is correct, let's see if we can find where the problem is. Foremost, when you say that your logs are not showing in Wazuh, I understand that they don't appear in our Kibana app, right? Wazuh log data collection works by generating alerts based on rules and decoders for relevant events in your endpoints. Even if Wazuh Manager is receiving the logs and analyzing them, these logs could be ignored if they don't trigger any rule which marks them as important! For more information about how Wazuh log data collection works, read https://documentation.wazuh.com/3.13/user-manual/capabilities/log-data-collection/how-it-works.html


Also, it is interesting to use the `ossec-logtest` tool to check if your logs are being correctly decoded. Read https://documentation.wazuh.com/3.13/user-manual/reference/tools/ossec-logtest.html for more information.


That said, Wazuh has a simple decoder and some rules for Sophos antivirus, you could check them here: https://github.com/wazuh/wazuh-ruleset/blob/317052199f751e5ea936730710b71b27fdfe2914/decoders/0300-sophos_decoders.xml and https://github.com/wazuh/wazuh-ruleset/blob/317052199f751e5ea936730710b71b27fdfe2914/rules/0415-sophos_rules.xml


If you examine them, you will presumably see why you're not "seeing your logs." The default rules for Sophos are reasonably simple, and they just alert you on service start or completed scanning. I could help you to write a simple rule to create alerts for all incoming logs and then, if you wish, you could create more specific child rules for that one. The log format could vary between versions of Sophos and according to what you're logging. If you share with us some of the logs of your `result.txt` file it would be easier to help you to create the required decoders or alerts.


What I would recommend you from there: if you want to be sure that your logs are reaching the manager, temporarily enable the "logall" parameter in the manager configuration so all the received logs will be stored in /var/ossec/logs/archives/archives.log; if your logs appear there, they are being analyzed by Wazuh Manager. (Note: please remember to disable this option to avoid wasting disk space with duplicated logs.) Then, after making sure your logs are analyzed, try to pass one to ossec-logtest as described in our documentation to see if it matches with any decoder or rule. If not, you will need to write some custom rules and decoders. See https://documentation.wazuh.com/3.13/user-manual/ruleset/custom.html for a complete guide on how to do that. Also, I invite you to share with us some examples of your logs (anonymized) and your objectives, so we could make some example rules/decoders for you.


I hope this helps you to better understand what's going on.


Best regards,

Sayontani Bose

Aug 28, 2020, 1:09:55 AM
to Wazuh mailing list
Hi

So there are Sophos rules and a Sophos decoder XML file in ossec, and still my ossec-logtest is not working (no output). What should I do?

Best Regards

Francisco Navarro

Aug 28, 2020, 7:50:29 AM
to Wazuh mailing list

Hello,

Could you share the output of your ossec-logtest as well as some examples of logs you're expecting to generate alerts?

Best regards.

Sayontani Bose

Sep 8, 2020, 12:45:00 AM
to Wazuh mailing list
Hi

Thanks for your help, and now it's solved.

Best Regards

Namdev Pawar

Sep 1, 2021, 4:37:54 AM
to Wazuh mailing list
Hi Sayontani.bose

Can you share with me the steps of the configuration of Sophos firewall in Wazuh?

I'm new to Wazuh and do not understand how to do that. Please help.

Emerson Silva

Jan 5, 2022, 8:47:20 PM
to Wazuh mailing list
Hi team,
I had the same problem as above. I ran the Sophos SIEM integration, and it downloaded the logs in the format below:


{"source_info": {"ip": "192.168.0.157"}, "customer_id": "146025ff-7a64-4342-a05e-5ba6ec20ba91", "severity": "low", "endpoint_id": "f4cfd036-2878-45b7-b447-347166edf4c6", "endpoint_type": "computer", "name": "Periférico permitido: Intel(R) Wireless Bluetooth(R)", "id": "af91a6bd-c1ff-49bd-a1a9-eea3e4cd0d77", "type": "Event::Endpoint::Device::AlertedOnly", "group": "PERIPHERALS", "datastream": "event", "end": "2022-01-05T21:26:37.264Z", "duid": "5fdcfbca7dab530ddd473898", "rt": "2022-01-05T21:26:37.335Z", "dhost": "VVSPNB-0078", "suser": "VV\\beatrizgarcia"}

I put more details in the ticket below.

Can anyone help me?
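The catch-all rule Francisco describes above, together with the localfile entry that feeds result.txt to the manager, written against the JSON event format Emerson posted. This is an added example, not code from this thread or from the Wazuh ruleset; the result.txt path, the rule ids and the "high" severity value are assumptions.

```xml
<!-- /var/ossec/etc/ossec.conf (manager): read the file siem.py writes as JSON,
     one event per line. The path is a placeholder for wherever result.txt lives. -->
<localfile>
  <log_format>json</log_format>
  <location>/path/to/sophos/result.txt</location>
</localfile>

<!-- /var/ossec/etc/rules/local_rules.xml: custom rules (ids 100000 and up are
     reserved for local rules). JSON lines are handled by the built-in json
     decoder, so no custom decoder is needed; nested keys are flattened with
     dots, e.g. source_info.ip. -->
<group name="sophos_central,">

  <!-- Catch-all parent: every Sophos Central event becomes a level-3 alert,
       so ingestion can be confirmed in alerts.log / Kibana before refining. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="type">^Event::</field>
    <description>Sophos Central event: $(name)</description>
  </rule>

  <!-- Child rule: raise the level for events Sophos itself marks high severity.
       "high" is assumed from Sophos' low/medium/high scale; the thread only shows "low". -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="severity">^high$</field>
    <description>Sophos Central high-severity event: $(name) on $(dhost)</description>
  </rule>

  <!-- Child rule: device-control events such as the sample in this thread
       (type Event::Endpoint::Device::AlertedOnly, group PERIPHERALS). -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <field name="group">^PERIPHERALS$</field>
    <description>Sophos Central peripheral event: $(name) by $(suser) on $(dhost)</description>
  </rule>

</group>
```

Pasting Emerson's JSON line into ossec-logtest should show it decoded by the json decoder and matching rule 100100, then 100102; if nothing matches, the line is not reaching the manager as JSON and the localfile path or log_format is the first thing to check.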

Emerson Silva

Jan 10, 2022, 6:22:15 PM
to Wazuh mailing list
I got the problem resolved.
For documentation:

[Attachment: Screenshot from 2022-01-10 20-19-39.png]