Sophos UTM is an all-in-one appliance from Sophos that can provide multiple log types.
Before You Begin
Like other Firewall and VPN parsers, you can direct all the logs from the Sophos UTM into a single event source port on the collector and all the logs are parsed from the same stream.
Using a single port is usually easy to configure, but more difficult to manage in InsightIDR during troubleshooting if there is only one event source for all of the firewalls.
- Same Port: If you configure all the firewalls to send log data to the same port, such as UDP port 10000, then you have one event source in InsightIDR for all of the firewalls.
- Different Ports: If you configure each firewall to send to a different, unique port, there will be separate event sources for each firewall.
- For example: Firewall1 sends on UDP port 10001 while Firewall2 sends on UDP port 10002
After you decide how to send the different data streams, you must configure Sophos UTM to send syslog. Read about how to do so here: https://community.sophos.com/kb/en-us/123292.
How to Configure This Event Source in InsightIDR
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Attribution source options
Sophos UTM product logs can contain information about hosts and accounts. When setting up Sophos UTM as an event source, you will have the ability to specify the following attribution options:
- Use IDR engine if possible; if not, use event log
By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.
- Use event log if possible; if not, use IDR engine
By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.
- Use IDR engine only
By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.
- Use event log only
By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.