{
  "name": "sophos",
  "title": "Sophos",
  "version": "3.17.1",
  "release": "ga",
  "description": "Collect logs from Sophos with Elastic Agent.",
  "type": "integration",
  "download": "/epr/sophos/sophos-3.17.1.zip",
  "path": "/package/sophos/3.17.1",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/sophos/3.17.1/img/logo.svg",
      "title": "Sophos logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.11.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/integration-experience"
  },
  "categories": [
    "security",
    "network",
    "firewall_security"
  ],
  "signature_path": "/epr/sophos/sophos-3.17.1.zip.sig",
  "format_version": "3.0.3",
  "readme": "/package/sophos/3.17.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/sophos-utm-overview.png",
      "path": "/package/sophos/3.17.1/img/sophos-utm-overview.png",
      "title": "Sophos UTM - Overview",
      "size": "1847x950",
      "type": "image/png"
    },
    {
      "src": "/img/sophos-utm-dhcp.png",
      "path": "/package/sophos/3.17.1/img/sophos-utm-dhcp.png",
      "title": "Sophos UTM - DHCP",
      "size": "1850x948",
      "type": "image/png"
    },
    {
      "src": "/img/sophos-utm-http.png",
      "path": "/package/sophos/3.17.1/img/sophos-utm-http.png",
      "title": "Sophos UTM - HTTP",
      "size": "1850x948",
      "type": "image/png"
    },
    {
      "src": "/img/sophos-utm-packetfilter.png",
      "path": "/package/sophos/3.17.1/img/sophos-utm-packetfilter.png",
      "title": "Sophos UTM - Packet Filter",
      "size": "1850x948",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/sophos/3.17.1/LICENSE.txt",
    "/package/sophos/3.17.1/changelog.yml",
    "/package/sophos/3.17.1/manifest.yml",
    "/package/sophos/3.17.1/validation.yml",
    "/package/sophos/3.17.1/docs/README.md",
    "/package/sophos/3.17.1/img/logo.svg",
    "/package/sophos/3.17.1/img/sophos-utm-dhcp.png",
    "/package/sophos/3.17.1/img/sophos-utm-http.png",
    "/package/sophos/3.17.1/img/sophos-utm-overview.png",
    "/package/sophos/3.17.1/img/sophos-utm-packetfilter.png",
    "/package/sophos/3.17.1/img/sophos.svg",
    "/package/sophos/3.17.1/kibana/tags.yml",
    "/package/sophos/3.17.1/data_stream/utm/manifest.yml",
    "/package/sophos/3.17.1/data_stream/utm/sample_event.json",
    "/package/sophos/3.17.1/data_stream/xg/manifest.yml",
    "/package/sophos/3.17.1/data_stream/xg/sample_event.json",
    "/package/sophos/3.17.1/docs/knowledge_base/service_info.md",
    "/package/sophos/3.17.1/kibana/dashboard/sophos-13d06620-19af-11ee-982d-b1686976653f.json",
    "/package/sophos/3.17.1/kibana/dashboard/sophos-14b92300-19b0-11ee-982d-b1686976653f.json",
    "/package/sophos/3.17.1/kibana/dashboard/sophos-55522ef0-19ad-11ee-982d-b1686976653f.json",
    "/package/sophos/3.17.1/kibana/dashboard/sophos-60a2c260-19ad-11ee-982d-b1686976653f.json",
    "/package/sophos/3.17.1/kibana/search/sophos-fc02bd30-1a5e-11ee-86cf-13f340792f77.json",
    "/package/sophos/3.17.1/data_stream/utm/fields/agent.yml",
    "/package/sophos/3.17.1/data_stream/utm/fields/base-fields.yml",
    "/package/sophos/3.17.1/data_stream/utm/fields/ecs.yml",
    "/package/sophos/3.17.1/data_stream/utm/fields/fields.yml",
    "/package/sophos/3.17.1/data_stream/xg/fields/agent.yml",
    "/package/sophos/3.17.1/data_stream/xg/fields/base-fields.yml",
    "/package/sophos/3.17.1/data_stream/xg/fields/ecs.yml",
    "/package/sophos/3.17.1/data_stream/xg/fields/fields.yml",
    "/package/sophos/3.17.1/data_stream/utm/agent/stream/stream.yml.hbs",
    "/package/sophos/3.17.1/data_stream/utm/agent/stream/tcp.yml.hbs",
    "/package/sophos/3.17.1/data_stream/utm/agent/stream/udp.yml.hbs",
    "/package/sophos/3.17.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml",
    "/package/sophos/3.17.1/data_stream/utm/elasticsearch/ingest_pipeline/dhcp.yml",
    "/package/sophos/3.17.1/data_stream/utm/elasticsearch/ingest_pipeline/dns.yml",
    "/package/sophos/3.17.1/data_stream/utm/elasticsearch/ingest_pipeline/http.yml",
    "/package/sophos/3.17.1/data_stream/utm/elasticsearch/ingest_pipeline/packetfilter.yml",
    "/package/sophos/3.17.1/data_stream/xg/agent/stream/log.yml.hbs",
    "/package/sophos/3.17.1/data_stream/xg/agent/stream/tcp.yml.hbs",
    "/package/sophos/3.17.1/data_stream/xg/agent/stream/udp.yml.hbs",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml",
    "/package/sophos/3.17.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml"
  ],
  "policy_templates": [
    {
      "name": "sophos",
      "title": "Sophos logs",
      "description": "Collect Sophos logs from syslog or a file.",
      "inputs": [
        {
          "type": "udp",
          "title": "Collect logs from Sophos via UDP",
          "description": "Collecting syslog from Sophos via UDP"
        },
        {
          "type": "tcp",
          "title": "Collect logs from Sophos via TCP",
          "description": "Collecting syslog from Sophos via TCP"
        },
        {
          "type": "logfile",
          "title": "Collect logs from Sophos via file",
          "description": "Collecting syslog from Sophos via file"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "sophos.utm",
      "title": "Sophos UTM logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "udp",
          "vars": [
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-utm",
                "forwarded"
              ]
            },
            {
              "name": "udp_host",
              "type": "text",
              "title": "UDP host to listen on",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "localhost"
            },
            {
              "name": "udp_port",
              "type": "integer",
              "title": "UDP port to listen on",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 9549
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone offset",
              "description": "By default, timestamps in the logs are interpreted as UTC. If the logs use a different timezone, set the timezone offset here so that timestamps are parsed correctly. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\") or an HH:mm differential (e.g. \"-05:00\").",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "UTC"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "udp.yml.hbs",
          "title": "Sophos UTM logs",
          "description": "Collect Sophos UTM logs",
          "enabled": true,
          "ingestion_method": "Network Protocol"
        },
        {
          "input": "tcp",
          "vars": [
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-utm",
                "forwarded"
              ]
            },
            {
              "name": "tcp_host",
              "type": "text",
              "title": "TCP host to listen on",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "localhost"
            },
            {
              "name": "tcp_port",
              "type": "integer",
              "title": "TCP port to listen on",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 9549
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone offset",
              "description": "By default, timestamps in the logs are interpreted as UTC. If the logs use a different timezone, set the timezone offset here so that timestamps are parsed correctly. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\") or an HH:mm differential (e.g. \"-05:00\").",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "UTC"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "tcp.yml.hbs",
          "title": "Sophos UTM logs",
          "description": "Collect Sophos UTM logs",
          "enabled": true,
          "ingestion_method": "Network Protocol"
        },
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "/var/log/sophos-utm.log"
              ]
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-utm",
                "forwarded"
              ]
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone offset",
              "description": "By default, timestamps in the logs are interpreted as UTC. If the logs use a different timezone, set the timezone offset here so that timestamps are parsed correctly. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\") or an HH:mm differential (e.g. \"-05:00\").",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "UTC"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Sophos UTM logs",
          "description": "Collect Sophos UTM logs from file",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "sophos",
      "path": "utm"
    },
    {
      "type": "logs",
      "dataset": "sophos.xg",
      "title": "Sophos XG logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "tcp",
          "vars": [
            {
              "name": "syslog_host",
              "type": "text",
              "title": "Syslog Host",
              "description": "The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "localhost"
            },
            {
              "name": "syslog_port",
              "type": "integer",
              "title": "Syslog Port",
              "description": "The port to listen on for syslog data.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 9005
            },
            {
              "name": "default_host_name",
              "type": "text",
              "title": "Default Host Name",
              "description": "Host name / Observer name, since Sophos XG does not provide this in the syslog file.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "firewall.localgroup.local"
            },
            {
              "name": "known_devices",
              "type": "yaml",
              "title": "Known Devices",
              "description": "Sophos XG firewalls do not include a hostname in either the syslog header or body; the only unique identifier for each firewall is its serial number.\nThis maps each known device serial number to a hostname. If no serial number appears, `default_host_name` will be used.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "- hostname: my_fancy_host\n  serial_number: \"1234567890123456\"\n- hostname: some_other_host.local\n  serial_number: \"1234567890123457\"\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-xg",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone",
              "description": "IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "UTC"
            },
            {
              "name": "tz_map",
              "type": "yaml",
              "title": "Timezone Map",
              "description": "A mapping of timezone abbreviations as they appear in the Sophos XG log to the corresponding IANA timezone names",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#- tz_short: AEST\n#  tz_long: Australia/Sydney\n"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate: \"/etc/server/cert.pem\"\n#key: \"/etc/server/key.pem\"\n"
            },
            {
              "name": "tcp_options",
              "type": "yaml",
              "title": "Custom TCP Options",
              "description": "Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#max_connections: 1\n#framing: delimiter\n#line_delimiter: \"\\n\"\n"
            }
          ],
          "template_path": "tcp.yml.hbs",
          "title": "Sophos XG logs",
          "description": "Collect Sophos XG logs",
          "enabled": true,
          "ingestion_method": "Network Protocol"
        },
        {
          "input": "udp",
          "vars": [
            {
              "name": "syslog_host",
              "type": "text",
              "title": "Syslog Host",
              "description": "The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "localhost"
            },
            {
              "name": "syslog_port",
              "type": "integer",
              "title": "Syslog Port",
              "description": "The port to listen on for syslog data.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 9005
            },
            {
              "name": "default_host_name",
              "type": "text",
              "title": "Default Host Name",
              "description": "Host name / Observer name, since Sophos XG does not provide this in the syslog file.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "firewall.localgroup.local"
            },
            {
              "name": "known_devices",
              "type": "yaml",
              "title": "Known Devices",
              "description": "Sophos XG firewalls do not include a hostname in either the syslog header or body; the only unique identifier for each firewall is its serial number.\nThis maps each known device serial number to a hostname. If no serial number appears, `default_host_name` will be used.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "- hostname: my_fancy_host\n  serial_number: \"1234567890123456\"\n- hostname: some_other_host.local\n  serial_number: \"1234567890123457\"\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-xg",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone",
              "description": "IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "UTC"
            },
            {
              "name": "tz_map",
              "type": "yaml",
              "title": "Timezone Map",
              "description": "A mapping of timezone abbreviations as they appear in the Sophos XG log to the corresponding IANA timezone names",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#- tz_short: AEST\n#  tz_long: Australia/Sydney\n"
            },
            {
              "name": "udp_options",
              "type": "yaml",
              "title": "Custom UDP Options",
              "description": "Specify custom configuration options for the UDP input.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#read_buffer: 100MiB\n#max_message_size: 50KiB\n#timeout: 300s\n"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "udp.yml.hbs",
          "title": "Sophos XG logs",
          "description": "Collect Sophos XG logs",
          "enabled": true,
          "ingestion_method": "Network Protocol"
        },
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "default_host_name",
              "type": "text",
              "title": "Default Host Name",
              "description": "Host name / Observer name, since Sophos XG does not provide this in the syslog file.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "firewall.localgroup.local"
            },
            {
              "name": "known_devices",
              "type": "yaml",
              "title": "Known Devices",
              "description": "Sophos XG firewalls do not include a hostname in either the syslog header or body; the only unique identifier for each firewall is its serial number.\nThis maps each known device serial number to a hostname. If no serial number appears, `default_host_name` will be used.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "- hostname: my_fancy_host\n  serial_number: \"1234567890123456\"\n- hostname: some_other_host.local\n  serial_number: \"1234567890123457\"\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "sophos-xg",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone",
              "description": "IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "UTC"
            },
            {
              "name": "tz_map",
              "type": "yaml",
              "title": "Timezone Map",
              "description": "A mapping of timezone abbreviations as they appear in the Sophos XG log to the corresponding IANA timezone names",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#- tz_short: AEST\n#  tz_long: Australia/Sydney\n"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Sophos XG logs",
          "description": "Collect Sophos XG logs",
          "enabled": true,
          "ingestion_method": "File"
        }
      ],
      "package": "sophos",
      "path": "xg"
    }
  ]
}
