IBM QRadar

  • 1.  Sophos central console Integration With QRadar

    Posted Wed February 17, 2021 07:27 AM
    Hi Team,

I have followed the Sophos documentation below to get Sophos logs through the API via a Python script and am able to receive the logs on the Linux machine, but the logs are not being forwarded to IBM QRadar. In the script I specified the EC IP to forward the logs to IBM QRadar, but the logs are not forwarding. Can you please help me with how to forward those logs to the EC?

    https://support.sophos.com/support/s/article/KB-000036372?language=en_US&name=KB-000036372

    ------------------------------
    Abhishek Kakkireni
    ------------------------------


  • 2.  RE: Sophos central console Integration With QRadar

    Posted Thu February 18, 2021 03:07 AM
    Maybe you forgot

    filename = syslog

    in config.ini, like I did before :)

    Laszlo

    ------------------------------
    Vladx(x)
    ------------------------------



  • 3.  RE: Sophos central console Integration With QRadar

    Posted Thu November 09, 2023 09:50 AM

    Hi, I would like to know if changing filename=syslog successfully sent logs to QRadar.



    ------------------------------
    Aysha Jaleel
    ------------------------------



  • 4.  RE: Sophos central console Integration With QRadar

    Posted Fri November 10, 2023 12:17 AM

    I run the script successfully without any script error; the only problem I have is that my SIEM is not receiving any logs from the server. Below are the specific configurations I have in the script:

    filename='syslog',
    format='json',
    address='192.168.1.30:514',  (QRadar AIO IP)
    socktype='udp'



    ------------------------------
    Amado Amar
    ------------------------------



  • 5.  RE: Sophos central console Integration With QRadar

    Posted Fri November 10, 2023 12:43 AM

    Hi,  

    I am using a Windows server as a mid server, so does the configuration remain the same as given in: https://support.sophos.com/support/s/article/KB-000036372?language=en_US

    Initially the config file had:

    filename = result.txt, and the logs were getting written to the file, but the logs were not being sent to QRadar.

    I have changed it to filename = syslog now, but still no luck.

    Regards,

    Aysha



    ------------------------------
    Aysha Jaleel
    ------------------------------



  • 6.  RE: Sophos central console Integration With QRadar

    Posted Wed November 15, 2023 12:51 AM
    Edited by Cyber Post Wed November 15, 2023 01:02 AM

    You don't need an intermediary server to get the logs. You can send them directly to the console by using the Client ID and Client Secret as per this --> https://support.sophos.com/support/s/article/KB-000036372?language=en_US&name=KB-000036372

    You need to copy the third-party script to somewhere on the console, e.g. /store/SophosTest/Sophos-Central-SIEM-Integration, from here: https://github.com/sophos/Sophos-Central-SIEM-Integration

    Then edit config.ini and change the Client ID and Client Secret to the ones from Sophos Central API Token Management.


    Follow the Sophos guide I mentioned above.

    and check whether logs are coming in under SIM Generic; the log source identifier would probably be 127.0.0.1.

    https://github.com/sophos/Sophos-Central-SIEM-Integration#readme