How to integrate Sophos Firewall with Splunk

1. Purpose of the article

This article explains how to configure a syslog server on Sophos Firewall so that the firewall's logs are stored on a Splunk Enterprise SIEM.

2. Diagram

Details:

  • The internet connection is on port 2 of the Sophos Firewall, which has IP 192.168.2.103.
  • The LAN subnet is on port 1 of the Sophos XG Firewall, which has IP 10.145.41.1/24; a DHCP server on this port assigns IPs to connected devices.
  • The server with IP 10.145.41.11/24 is also connected to port 1; Splunk Enterprise, the log collection, management and analysis software, is installed on it.

3. Scenario

We will add a syslog server entry on the Sophos Firewall so that the device sends its own logs to the Splunk Enterprise software installed on the server.

4. Steps to take

  • Configure Add Data Inputs on Splunk Enterprise.
  • Configure Syslog Server on Sophos Firewall.
  • Result.

5. Result

5.1. Configure Add Data Inputs on Splunk Enterprise

To configure it, log in to the Splunk admin page.

Go to Settings > Data Inputs.

In Local Inputs, scroll down to the UDP section and click New.

In Add Data enter the following information:

  • Select UDP.
  • Port: 514.
  • Only accept connection from: enter the address of the Sophos LAN port, 10.145.41.1 (the interface from which the firewall reaches the Splunk server, so this is the source address Splunk sees).
  • Click Next to continue.

At Input Settings enter and select the following information:

  • Select New.
  • Source Type: enter XG_log.
  • Source Type Category: choose Custom from the drop-down list.
  • Click Review.

Review the configuration and click Submit.

That’s it, we have completed the configuration on Splunk.

5.2. Configure Syslog Server on Sophos Firewall

To configure it, log in to the Sophos Firewall admin page.

Go to System Services > Log Settings and click Add.

Configure the syslog server for Splunk with the following information (fields marked * are required):

  • Name: splunk.
  • IP address / Domain*: enter the IP address of the Splunk server, 10.145.41.11.
  • Port*: type 514.
  • Facility*: select DAEMON.
  • Security level*: select Notification.
  • Format*: select Device Standard Format.

After saving, the Log Settings page shows a new column for the syslog server we just created (splunk). Select the types of events you want to send to the Splunk server and click Apply.

5.3. Result

To check, open the Splunk admin page and go to Apps > Search & Reporting.

Click Data Summary.

The Data Summary table appears; click Hosts to display the IP of the Sophos Firewall.

Click on this IP to view the log.

The Sophos Firewall log appears as shown below.
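The following added example (written for this edit, not code from the article, Sophos or Splunk) models what sections 5.1 and 5.2 set up and what 5.3 checks: the datagram the firewall emits with the chosen settings (facility DAEMON, security level Notification, Device Standard Format), the source-address filter and sourcetype tag the Splunk UDP input applies, and a parser that splits the key=value body into searchable fields. It assumes that the Sophos "Notification" level maps to RFC 3164 severity Notice (5) and DAEMON to facility 3, so the PRI header is <29>. The log line is constructed for illustration: the field names follow the Sophos key=value format, but every value is made up.

```python
"""Added example: emulate the Sophos -> Splunk syslog path configured above.

Not the article's, Sophos' or Splunk's code. The sample log line is constructed;
field names follow the Sophos Device Standard (key=value) format, values are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 3164 codes for the values selected in the Sophos UI (assumed mapping).
FACILITY_DAEMON = 3
SEVERITY_NOTICE = 5          # shown as "Notification" in the Sophos UI

# Values from the article: Sophos LAN port address and the Splunk sourcetype.
ACCEPT_FROM = "10.145.41.1"
SOURCETYPE = "XG_log"

# Constructed log body in Device Standard Format (key="value" pairs).
SAMPLE_BODY = (
    'device="SFW" date=2023-05-04 time=10:15:31 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.145.41.50 '
    'dst_ip=203.0.113.9 protocol="TCP" src_port=51234 dst_port=23 in_interface="Port1"'
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    fields: dict = field(default_factory=dict)
    sourcetype: str = SOURCETYPE


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value where the value is either double-quoted (may contain spaces) or a bare token
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return facility * 8 + severity


def build_datagram(body: str) -> bytes:
    """The bytes the firewall puts on the wire with the article's settings."""
    return f"<{syslog_pri(FACILITY_DAEMON, SEVERITY_NOTICE)}>{body}".encode()


def parse_device_standard(body: str) -> dict:
    """Split a Device Standard Format body into a dict, unquoting quoted values."""
    out = {}
    for m in _KV_RE.finditer(body):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def receive(datagram: bytes, src_addr: str) -> Optional[SyslogEvent]:
    """Emulate the Splunk UDP input: enforce "Only accept connection from",
    decode the <PRI> header, parse the body and tag the event with the sourcetype."""
    if src_addr != ACCEPT_FROM:
        return None                      # dropped by the source-address filter
    m = _PRI_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None                      # malformed: no <PRI> header
    pri = int(m.group(1))
    return SyslogEvent(facility=pri // 8, severity=pri % 8,
                       fields=parse_device_standard(m.group(2)))


if __name__ == "__main__":
    ev = receive(build_datagram(SAMPLE_BODY), ACCEPT_FROM)
    print(ev.facility, ev.severity, ev.fields["log_subtype"], ev.fields["src_ip"])
    print(receive(build_datagram(SAMPLE_BODY), "10.145.41.99"))   # None: wrong source
```

Running the script shows facility 3 and severity 5 recovered from the <29> header and the constructed fields parsed out; a datagram from any address other than 10.145.41.1 is discarded, which is exactly why the "Only accept connection from" value in 5.1 must be the firewall interface facing the Splunk server and not, for example, its WAN address.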
