IBM QRadar

  • 1.  Add Sophos Central Admin in log source

    Posted Tue August 24, 2021 12:33 PM

    Hi,

    Has anyone added Sophos Central Admin as a log source in QRadar? I did it using the API and selecting "Log File" as the protocol, but the events are not getting categorised.

    If anyone has done it in past please let me know.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Add Sophos Central Admin in log source

    Posted Wed August 25, 2021 08:03 AM

    Hi,

    If you mean the Sophos Enterprise Console, then follow the instructions from the DSM guide. All supported devices and how they can be connected are listed here.

    https://www.ibm.com/docs/en/dsm?topic=sophos-enterprise-console

    Regards,

    Ralph





  • 3.  RE: Add Sophos Central Admin in log source

    Posted Wed August 25, 2021 08:37 AM

    Hey,


    No, it's not Enterprise Console. It is Sophos Central Admin.


    https://www.sophos.com/en-us/products/sophos-central.aspx?cmp=47609&utm_source=GoogleSearch&utm_campaign=MG_India_GoogleSearch&utm_medium=cpc&utm_term=%2Bsophos%20%2Bcentral&utm_content=SM104037&gclid=EAIaIQobChMI5au4tOLL8gIV1IdLBR3N8g6NEAAYASABEgJB9PD_BwE







  • 4.  RE: Add Sophos Central Admin in log source

    Posted Wed August 25, 2021 03:16 PM

    Per the Sophos FAQ, Central Admin is replacing the Enterprise Console product. The configuration for Sophos Enterprise Console uses JDBC. Our documentation only states JDBC to collect these logs, so the parsers are expecting a specific protocol (JDBC) format to map the events.

    You probably need to get a Request for Enhancement opened to get this integration reviewed by Development; this applies to new protocols that change drastically, like a migration from Sophos Enterprise to Sophos Central Admin. For the time being, since you are using an undocumented protocol, you'll need to map these events manually in the DSM Editor.

    What to do:

    1. Open an RFE for this issue: ibm.biz/integrationrfe
    2. Ensure you make your RFE public.
    3. Add your business use case (unmapped events) and describe the severity of the issue so our Offering/Dev team understands the urgency of your request.
    4. If you add your RFE link here, I can help promote it to other users.

    Not sure if this helps, but this should be the process to raise awareness of this change to development.



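    The reply above explains why the events arrive uncategorised: the Log File protocol delivers raw text, and the Sophos DSM expects the JDBC shape it was written for, so whatever the API returns has to be mapped by hand in the DSM Editor. One way to make that manual mapping predictable is to normalise the API output into LEEF before QRadar picks the file up, so every event carries the same header and the same key names. The script below is an added example, not code from the thread, from IBM or from Sophos: the JSON field names in SAMPLE_EVENTS_JSON are constructed and are not the real Sophos Central schema, the severity-to-LEEF mapping is an assumption, and the LEEF vendor/product/version strings are placeholders you would align with your custom DSM. What it does rely on is QRadar's documented LEEF 1.0 layout (`LEEF:1.0|Vendor|Product|Version|EventID|` followed by tab-separated `key=value` pairs) and the fact that the Log File protocol reads one event per line from a fetched file.

```python
"""Added example: normalise Sophos Central-style JSON events into LEEF 1.0 lines
so the QRadar Log File protocol hands the DSM Editor a predictable format.
Field names in SAMPLE_EVENTS_JSON are constructed, not Sophos's real schema."""
import json
import re
from typing import Any, Dict, List

# Constructed sample input (assumption: the API pull returns a JSON array of events).
SAMPLE_EVENTS_JSON = """[
  {"id": "evt-0001", "created_at": "2021-08-24T12:30:00.000Z",
   "type": "Event::Endpoint::Threat::Detected", "severity": "high",
   "source": "alice", "location": "WS-ALICE",
   "name": "Malware detected: EXAMPLE/Test-A", "source_info": {"ip": "10.0.0.21"}},
  {"id": "evt-0002", "created_at": "2021-08-24T12:31:10.000Z",
   "type": "Event::Endpoint::UpdateSuccess", "severity": "low",
   "source": "n/a", "location": "WS-BOB",
   "name": "Update succeeded", "source_info": {"ip": "10.0.0.22"}}
]"""

# LEEF 'sev' is an integer 1..10; mapping the constructed severity words is an assumption.
SEVERITY_TO_LEEF = {"low": 2, "medium": 5, "high": 8, "critical": 10}


def leef_escape(value: Any) -> str:
    """Header fields are '|'-delimited and attributes tab-delimited, so neutralise both."""
    text = str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")
    return text.replace("|", "\\|")


def to_leef(event: Dict[str, Any]) -> str:
    """Build one LEEF 1.0 line: LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>..."""
    # Vendor/product/version are placeholders to align with your custom DSM.
    header = "|".join(["LEEF:1.0", "Sophos", "Central", "1.0", leef_escape(event["type"])])
    attrs = {
        # devTime, devTimeFormat, sev, src, usrName, identHostName are LEEF predefined keys.
        "devTime": event["created_at"],
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
        "sev": SEVERITY_TO_LEEF.get(str(event.get("severity", "")).lower(), 1),
        "src": event.get("source_info", {}).get("ip", ""),
        "usrName": event.get("source", ""),
        "identHostName": event.get("location", ""),
        # Custom keys are allowed in LEEF; they become properties to map in the DSM Editor.
        "category": event["type"].rsplit("::", 1)[-1],
        "eventId": event["id"],
        "msg": event.get("name", ""),
    }
    body = "\t".join(f"{key}={leef_escape(val)}" for key, val in attrs.items())
    return f"{header}|{body}"


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse a LEEF 1.0 line back, to check what QRadar will actually see."""
    # Split on '|' that is not preceded by a backslash; the body keeps its own pipes.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 line")
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4].replace("\\|", "|"), "attrs": attrs}


def convert_all(events_json: str) -> List[str]:
    """Convert a JSON array of events into LEEF lines, one per event."""
    return [to_leef(event) for event in json.loads(events_json)]


def write_log_file(lines: List[str], path: str) -> int:
    """Write one event per line to a file the Log File protocol can fetch (e.g. over SFTP)."""
    with open(path, "w", encoding="utf-8") as handle:
        for line in lines:
            handle.write(line + "\n")
    return len(lines)


if __name__ == "__main__":
    for leef_line in convert_all(SAMPLE_EVENTS_JSON):
        print(leef_line)
```

    With the events in this shape, the DSM Editor work reduces to one custom DSM that reads the LEEF header for the event ID and maps each distinct `type` value to a QRadar event category once; the `category`, `eventId` and `msg` keys are the custom properties you would extract. The `parse_leef` round trip is there so you can confirm the escaping before pointing a log source at the file.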


  • 5.  RE: Add Sophos Central Admin in log source

    Posted Thu December 09, 2021 07:24 AM

    Support Member:)

    How did you add this via API?


