sophos / Sophos-Central-SIEM-Integration

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.

Siem.py doesnt forward events to Syslog #45

Closed WinterIsCommin closed 3 years ago

WinterIsCommin commented 3 years ago

I transferred the files from GitHub to our QRadar collector server, configured config.ini with the required parameters and attempted to use it with syslog. I verified that the server is listening on port 514 and started tcpdump to watch whether any traffic was generated. Once I ran siem.py it pulled the logs from Sophos Central and saved them to result.txt in the /log directory, but I did not manage to see any traffic coming through port 514.

Config.ini file:

```ini
[login]
# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
token_info = url: https://api5.central.sophos.com/gateway, x-api-key: AAAAAAAAAAAAAAAAAAAAAAAA, Authorization: Basic MGE5YTY1Y2ItZWAAAAAAAAAAAAAAAAAAAAAAAAAAA0N1BJVzVTRkZIWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARvVGZhMU1zWVFxUEU=

# format can be json, cef or keyvalue
format = json

# filename can be syslog, stdout, any custom filename
filename = syslog

# endpoint can be event, alert or all
endpoint = event

# syslog properties
# for remote address use :, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
address = x.x.x.x:514
facility = daemon
socktype = udp
```

** An additional issue I faced: when attempting to create a cron job it seems to run, but no new logs are saved to the logs/result.txt file for some reason.

Please help.
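The quickest way to separate "siem.py is not sending" from "the collector is not receiving" is to reproduce the forwarding path on the collector host itself. The script below is an added example, not code from siem.py or from Sophos: it assumes the script forwards through Python's `logging.handlers.SysLogHandler` over UDP (an assumption, chosen to match `filename = syslog`, `facility = daemon`, `socktype = udp` in the config above), binds a throwaway UDP listener on loopback instead of port 514, sends one constructed JSON event, and confirms the datagram arrives with the expected facility in its PRI value. If this check passes locally but tcpdump on port 514 stays silent, the problem is the `address` line, a firewall, or the collector listener, not the script's output format.

```python
"""Added example (not part of the Sophos script): emit one JSON event over UDP
syslog the way a filename=syslog / socktype=udp config would, and confirm the
datagram actually arrives on a local listener."""
import json
import logging
import logging.handlers
import socket

# Constructed sample event; the field names are illustrative only and are
# not taken from Sophos Central's real JSON schema.
SAMPLE_EVENT = {"type": "Event::Endpoint::Threat::Detected",
                "severity": "high", "source": "WIN10-01"}


def start_udp_listener(host="127.0.0.1"):
    """Bind an ephemeral UDP port so the check works without a real SIEM.
    (Port 0 lets the OS pick a free port; 514 would need root.)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(2.0)
    return sock


def send_syslog(host, port, message, facility="daemon"):
    """Send one syslog record over UDP, mirroring the issue's config:
    address = host:port, facility = daemon, socktype = udp.
    Assumption: siem.py uses SysLogHandler in the same way."""
    handler = logging.handlers.SysLogHandler(
        address=(host, port),
        facility=logging.handlers.SysLogHandler.facility_names[facility],
        socktype=socket.SOCK_DGRAM,
    )
    logger = logging.getLogger("siem-forwarding-check")
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info(message)
    finally:
        logger.removeHandler(handler)
        handler.close()


def check_forwarding(host="127.0.0.1"):
    """Send a record and receive it on the listener.

    Returns (priority, event_dict). Raises socket.timeout if nothing
    arrives, which is the symptom reported above: UDP is fire-and-forget,
    so the sender never learns that the datagram was dropped."""
    listener = start_udp_listener(host)
    try:
        port = listener.getsockname()[1]
        send_syslog(host, port, json.dumps(SAMPLE_EVENT))
        data = listener.recv(65535).decode("utf-8", "replace")
    finally:
        listener.close()
    # RFC 3164 framing: "<PRI>message", PRI = facility * 8 + severity.
    # SysLogHandler appends a NUL byte by default; strip it before parsing.
    pri_end = data.index(">")
    priority = int(data[1:pri_end])
    payload = data[pri_end + 1:].rstrip("\x00")
    return priority, json.loads(payload)


if __name__ == "__main__":
    pri, event = check_forwarding()
    # facility daemon = 3, severity info = 6, so PRI should be 3*8+6 = 30
    print("PRI=%d facility=%d severity=%d" % (pri, pri // 8, pri % 8))
    print(event)
```

Run it on the collector host while tcpdump is watching loopback; seeing `<30>` followed by the JSON confirms the facility/severity encoding your QRadar log source should be configured to expect. Replace the loopback listener with the real `x.x.x.x:514` target only after the local round trip works.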

WinterIsCommin commented 3 years ago

Everything worked fine after a second attempt at deployment; the only issue I faced was "No section: 'login'" when running via cron job and sending the output to a txt file. The fix that worked for me is, in the siem.py file:

```python
app_path = os.path.join(os.getcwd())
```

change to

```python
# resolve relative to the script's own location, not the cron job's cwd
app_path = os.path.join(os.path.abspath(os.path.dirname(__file__)))
```

Do not forget to add SOPHOS_SIEM_HOME to the environment variables.
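Why the cron job produced "No section: 'login'" rather than a clearer error is worth seeing once, because it is a general configparser pitfall, not something specific to this script. `ConfigParser.read()` silently skips files that do not exist and only reports them through its return value, so when cron starts the script from its own working directory (usually the user's home), `os.getcwd()` points at a directory with no config.ini, nothing is read, and the first `get('login', ...)` fails with NoSectionError. The script below is an added example, not the project's code: it builds a throwaway checkout directory and a separate "cron cwd" (both constructed), reproduces the failure, and resolves the path the way the comment above suggests, honouring `SOPHOS_SIEM_HOME` first and falling back to the script's own directory. The config text is a placeholder in the shape of the posted config.ini; the token values are dummies.

```python
"""Added example (not the Sophos script): reproduce "No section: 'login'"
under a cron-like working directory and resolve config.ini robustly."""
import configparser
import os
import tempfile

# Constructed sample in the shape of the issue's config.ini (dummy token).
SAMPLE_CONFIG = """\
[login]
token_info = url: https://api5.central.sophos.com/gateway, x-api-key: AAAA, Authorization: Basic AAAA
format = json
filename = syslog
endpoint = event
address = 127.0.0.1:514
facility = daemon
socktype = udp
"""


def resolve_app_path(script_file, env=None):
    """Directory that config.ini is read from.

    Precedence: $SOPHOS_SIEM_HOME, then the directory containing the
    script. The current working directory is deliberately not used:
    under cron it is normally $HOME, not the checkout directory."""
    env = os.environ if env is None else env
    home = env.get("SOPHOS_SIEM_HOME")
    if home:
        return os.path.abspath(home)
    return os.path.abspath(os.path.dirname(script_file))


def load_config(app_path):
    """Read config.ini and fail loudly if it was not actually read.

    configparser.read() returns the list of files it managed to open;
    checking it turns a later, confusing NoSectionError into a direct
    FileNotFoundError naming the path that was tried."""
    path = os.path.join(app_path, "config.ini")
    parser = configparser.ConfigParser()
    if not parser.read(path):
        raise FileNotFoundError("config.ini not found at %s" % path)
    return parser


def cwd_lookup_fails_under_cron(app_dir, cron_cwd):
    """Reproduce the report: a getcwd()-style lookup from the cron cwd
    raises NoSectionError, while resolving via the script directory works.
    Returns (error_name_from_cwd_lookup, endpoint_from_fixed_lookup)."""
    cwd_error = None
    try:
        parser = configparser.ConfigParser()
        # This is what app_path = os.getcwd() does when cron runs the job
        parser.read(os.path.join(cron_cwd, "config.ini"))
        parser.get("login", "endpoint")
    except configparser.NoSectionError as exc:
        cwd_error = type(exc).__name__
    fixed = load_config(resolve_app_path(os.path.join(app_dir, "siem.py"), env={}))
    return cwd_error, fixed.get("login", "endpoint")


def demo():
    """Create a fake checkout with config.ini and an empty 'cron cwd'."""
    with tempfile.TemporaryDirectory() as app_dir, \
            tempfile.TemporaryDirectory() as cron_cwd:
        with open(os.path.join(app_dir, "config.ini"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        return cwd_lookup_fails_under_cron(app_dir, cron_cwd)


if __name__ == "__main__":
    print(demo())  # ('NoSectionError', 'event')
```

The same reasoning explains why the cron job wrote nothing to logs/result.txt: a relative `logs/` path is also resolved against the cron working directory, so either set `SOPHOS_SIEM_HOME` in the crontab line (cron does not inherit your shell's environment) or `cd` into the checkout before invoking the script.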