Before you begin, you’ll need:
- Sophos Intercept X Endpoint installed
- Access to the Sophos Central Cloud console
- Filebeat 7 installed
- Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs
Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.
The procedure involves using the Sophos API. Make sure that the
config.ini used in the Sophos siem.py script is under
format = json (this is the default setting).
Download the Logz.io public certificate to your Filebeat server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.
Copy and paste the code block below, overwriting the previous contents, to replace the general configuration with the following settings:
#... Filebeat filebeat.inputs: - type: log paths: - <<FILE_PATH>> fields: token: <<LOG-SHIPPING-TOKEN>> fields_under_root: true json.keys_under_root: true encoding: utf-8 ignore_older: 3h #For version 7 and higher filebeat.registry.path: /var/lib/filebeat #The following processors are to ensure compatibility with version 7 processors: - rename: fields: - from: "type" to: "event_type" ignore_missing: true - add_fields: target: '' fields: type: "sophos-ep" - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true - drop_event: when: regexp: message: "^\\s*$" #... Output output: logstash: hosts: ["<<LISTENER-HOST>>"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
<<LISTENER-HOST>> with the host for your region. For example,
listener.logz.io if your account is hosted on AWS US East, or
listener-nl.logz.io if hosted on Azure West Europe.
<<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
<<FILE_PATH>> to the output TXT file retrieved from the Sophos siem.py script.
One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.
Start or restart Filebeat for the changes to take effect.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana. You can search or filter for Sophos logs, under
If you still don’t see your logs, see log shipping troubleshooting.
Contact support to request custom parsing assistance
The logs will require customized parsing so they can be effectively mapped in Kibana.
Email our support to request custom parsing assistance.