Before you begin, you’ll need:

  • Sophos Intercept X Endpoint installed
  • Access to the Sophos Central Cloud console
  • Filebeat 7 installed
  • Terminal access to the instance running Filebeat. It is recommended to run the Sophos API script from the same instance running your Filebeat.
Configure Sophos to collect the Central Cloud logs

Follow the official instructions provided by Sophos for collecting Sophos Central Cloud logs from all machines.

The procedure involves using the Sophos API. Make sure that the config.ini used in the Sophos script is under format = json (this is the default setting).

Download the public certificate to your credentials server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.

Copy and paste the code block below, overwriting the previous contents, to replace the general configuration with the following settings:

#... Filebeat
- type: log
    - <<FILE_PATH>>
    token: <<LOG-SHIPPING-TOKEN>>
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
- rename:
     - from: "type"
       to: "event_type"
    ignore_missing: true
- add_fields:
    target: ''
      type: "sophos-ep"
- rename:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true
- drop_event:
        message: "^\\s*$"
#... Output
    hosts: ["<<LISTENER-HOST>>"]
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Change <<FILE_PATH>> to the output TXT file retrieved from the Sophos script.

One last validation - make sure is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can search or filter for Sophos logs, under type:sophos-ep.

If you still don’t see your logs, see log shipping troubleshooting.

Contact support to request custom parsing assistance

The logs will require customized parsing so they can be effectively mapped in Kibana.

Email our support to request custom parsing assistance.