Before you begin, you’ll need:

  • Sophos Intercept X Endpoint installed
  • Access to the Sophos Central Cloud console
  • Filebeat 7 installed
  • Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs

Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.

The procedure involves using the Sophos API. Make sure that the config.ini used in the Sophos siem.py script is under format = json (this is the default setting).

Download the Logz.io public certificate to your Filebeat server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.

Copy and paste the code block below, overwriting the previous contents, to replace the general configuration with the following settings:

#... Filebeat
filebeat.inputs:
- type: log
  paths:
    - <<FILE_PATH>>
  fields:
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "type"
       to: "event_type"
    ignore_missing: true
- add_fields:
    target: ''
    fields:
      type: "sophos-ep"
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true
- drop_event:
    when:
      regexp:
        message: "^\\s*$"
#... Output
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Change <<FILE_PATH>> to the output TXT file retrieved from the Sophos siem.py script.

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can search or filter for Sophos logs, under type:sophos-ep.

If you still don’t see your logs, see log shipping troubleshooting.

Contact support to request custom parsing assistance

The logs will require customized parsing so they can be effectively mapped in Kibana.

Email our support to request custom parsing assistance.