Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Sophos XG data connector not connected despite Syslog connector active #1008

Closed Ziy-sws closed 4 years ago

Ziy-sws commented 4 years ago

Hi

I am attempting to set up the Sophos XG data connector for Sentinel. I have successfully set up the syslog server to which the firewall is sending its log information. The firewall is sending Alerts and Information via the DAEMON facility to a syslog server in Azure. The syslog server has the MMA agent installed correctly, and logs are being stored in the Azure Sentinel workspace, showing logs from the firewall. The Syslog data connector is active and green, but the Sophos data connector is still not active.

For both connectors the correct facilities are ticked under advanced settings. I am not sure what the problem is; any thoughts or tips?

Ziy-sws commented 4 years ago

Hi, is there any feedback on this yet?

preetikr commented 4 years ago

@Ziy-sws - It seems you are getting the Sophos Firewall data in Azure Sentinel, but the data connector is showing as not connected. The Sophos connector has a parser to ensure the data is parsed so it can easily be leveraged in Azure Sentinel workbooks and other features. Can you check whether you have installed the Kusto Function for this data connector at https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/SophosXGFirewall/SophosXGFirewall.txt, as the Sophos data connector documentation also mentions?

preetikr commented 4 years ago

Hi @Ziy-sws - Does it now show as connected after installing the Kusto Function mentioned? If yes, I'll go ahead and resolve/close this issue.

Ziy-sws commented 4 years ago

Hi, it showed connected after installing the function, thank you

ceritmustafa commented 4 years ago

Which do we need to write here, the syslog server or the IP address of the Sophos FW device?

Which one should we write? IP or hostname? @preetikr

For example: `| where Computer in ("server1", "server2") and Facility == "local0"`

sakib3833 commented 3 years ago

> Hi, it showed connected after installing the function, thank you

How did you install it? Is it just saving it as a function, or are there other things to do? @Ziy-sws

v-rbajaj commented 1 year ago

@ceritmustafa Generally, it is the hostname. Check in Log Analytics what type of value is generated in the Computer attribute.

Wragbyuser commented 1 year ago

> Which do we need to write here, the syslog server or the IP address of the Sophos FW device?
>
> Which one should we write? IP or hostname? @preetikr
>
> For example: `| where Computer in ("server1", "server2") and Facility == "local0"`

Can anyone help with this?
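An added example, not part of this thread, the Azure-Sentinel repo or Microsoft's documentation, that puts together what the answers above describe: a query that shows which value the Syslog table's Computer column holds for the firewall (hostname or IP address, shown next to HostName and HostIP so they can be compared), a helper that builds the `in (...)` list with one quoted string per host (`in ("server1, server2")` is a single string and matches nothing), and an Azure CLI step that saves the parser linked above as a Log Analytics function named SophosXGFirewall. Assumptions: the raw GitHub URL form of the parser path, that the parser's filter is written on one line as `Computer in (...)` so sed can point it at your hosts (check the file before relying on this), the `daemon` facility from the first post as the default, and the `az monitor log-analytics` subcommands and flags as they exist in the Azure CLI, with `az login` already done.

```shell
#!/bin/sh
# Added example (not the Azure-Sentinel project's own code). Helpers for
# checking what the Syslog table's Computer column carries for a Sophos XG
# firewall and for saving the SophosXGFirewall parser as a workspace function.
# Requires: az (logged in), curl, sed. POSIX sh, no bash-only features.
set -e

# Assumption: raw form of the parser path linked in the thread.
PARSER_URL="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/SophosXGFirewall/SophosXGFirewall.txt"

# Turn a list of hostnames into a KQL `in (...)` clause with one quoted string
# per host, e.g. build_in_clause fw01 fw02 -> ("fw01", "fw02").
build_in_clause() {
  out=""
  for host in "$@"; do
    host=$(printf '%s' "$host" | tr -d '"')   # drop stray quotes in the input
    if [ -n "$out" ]; then out="$out, "; fi
    out="$out\"$host\""
  done
  printf '(%s)' "$out"
}

# KQL that lists the distinct Computer values seen for a facility, alongside
# HostName and HostIP, so you can see whether Computer is a hostname or an IP.
# The facility defaults to "daemon", the one used in the first post.
computer_values_query() {
  facility=${1:-daemon}
  cat <<EOF
Syslog
| where TimeGenerated > ago(1d)
| where Facility == "${facility}"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, HostName, HostIP, Facility
| order by Events desc
EOF
}

# Run that query against a workspace, identified by its workspace (customer) ID.
inspect_computer_values() {
  workspace_id=$1
  az monitor log-analytics query \
    --workspace "$workspace_id" \
    --analytics-query "$(computer_values_query "${2:-daemon}")" \
    --output table
}

# Download the parser, point its Computer filter at the given hosts, and save
# it as a function with alias SophosXGFirewall (the name the connector and the
# workbooks look for). Assumption: the parser filters with `Computer in (...)`
# on a single line, which is what the sed expression rewrites.
install_parser_function() {
  rg=$1; ws=$2; shift 2
  hosts_clause=$(build_in_clause "$@")
  query=$(curl -fsSL "$PARSER_URL" \
    | sed -E "s/Computer in \([^)]*\)/Computer in ${hosts_clause}/")
  if [ -z "$query" ]; then
    echo "failed to download the parser from $PARSER_URL" >&2
    return 1
  fi
  az monitor log-analytics workspace saved-search create \
    --resource-group "$rg" \
    --workspace-name "$ws" \
    --name SophosXGFirewall \
    --display-name "SophosXGFirewall" \
    --category "Sophos" \
    --func-alias SophosXGFirewall \
    --saved-query "$query"
}

# Usage:
#   sh script.sh inspect <workspace-id> [facility]
#   sh script.sh install <resource-group> <workspace-name> <host>...
case "${1:-}" in
  inspect)
    [ $# -ge 2 ] || { echo "usage: $0 inspect <workspace-id> [facility]" >&2; exit 2; }
    inspect_computer_values "$2" "${3:-daemon}" ;;
  install)
    [ $# -ge 4 ] || { echo "usage: $0 install <resource-group> <workspace-name> <host>..." >&2; exit 2; }
    rg=$2; ws=$3; shift 3
    install_parser_function "$rg" "$ws" "$@" ;;
  *) : ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Run `inspect` first: the value shown in the Computer column of the result (for most MMA-based syslog setups a hostname, as v-rbajaj says) is what belongs in the `in (...)` list, and the facility you pass should match the one the firewall actually uses, which is `daemon` in the first post but `local0` in the example line quoted later in the thread.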