Splunk Sophos



To configure the inputs for the Splunk Add-on for Sophos, enable the desired stanzas in a local copy of inputs.conf on the forwarder installed on the Sophos Enterprise Console server.

Sophos Endpoint Security application logs

The add-on collects system logs of Sophos Endpoint Security, stored in Windows event logs, using the Splunk Add-on for Windows.

There is nothing to configure in this add-on for these logs.

Sophos Endpoint Security patch logs

The add-on collects Sophos Endpoint Security patching logs using the Splunk Add-on for Windows.

To enable Sophos patch status monitoring, copy the first stanza in %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the [WinEventLog://Sophos Patch] stanza by changing disabled = 1 to disabled = 0.

Sophos Endpoint Console server logs

The add-on collects Sophos Endpoint Console server logs through monitor inputs.

Copy all the monitor stanzas from %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the desired stanzas by changing disabled = 1 to disabled = 0. In each stanza, replace <SEC_LOG_PATH> with the path of the log files on the Sophos Enterprise Console server.

Sophos Endpoint Console Syslog Logs

You can configure these logs to push via syslog over the network using Sophos Report Interface or by monitoring the SEC server log as with the server logs above. If you are monitoring the log files directly, set the source type to sophos:sec.

If you are pushing data via syslog, create an inputs.conf stanza in your syslog collector for these source types:

  • sophos:utm:firewall
  • sophos:utm:ips
  • sophos:utm:ipsec

For example, your stanza for sophos:utm:firewall might look like this.

Note: When collecting syslog, a best practice is to use a third-party aggregator (e.g. rsyslog or syslog-ng) for improved fault tolerance and scalability.

If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.

According to this week’s advisory, from 1 January 2020 (00:00 UTC) unpatched instances of Splunk will be unable to extract and recognise timestamps submitted to it in a two-digit date format.

In effect, it will understand the ‘year’ up to 31 December 2019, but as soon as this rolls over to 1 January 2020, it will mark it as invalid, either defaulting back to a 2019 date or adding its own incorrect “misinterpreted date”.

In addition, beginning on 13 September 2020 at 12:26:39 PM UTC, unpatched Splunk instances will no longer be able to recognise timestamps for events with dates based on Unix time (which began at 00:00 UTC on 1 January 1970).

Left unpatched, the effect on customers could be far-reaching.

What platforms like Splunk do is one of the internet’s best-kept secrets – turning screeds of machine-generated log data (from applications, websites, sensors, Internet of Things devices, etc.) into something humans can make sense of.

There was probably a time when sysadmins could do this job but there are now so many devices spewing so much data that automated systems have become a must.

This big data must also be stored somewhere, hence the arrival of cloud platforms designed to do the whole job, including generating alerts when something’s going awry or simply to analyse how well everything’s humming along.

Bad timing

As with any computing system, however, Splunk depends on events having accurate time and date stamps. Without that, it has no way of ordering events, or of dealing meaningfully with the world in real time.

According to Splunk, in addition to inaccurate event timestamping this could result in:

  • Incorrect rollover of data buckets due to the incorrect timestamping
  • Incorrect retention of data overall
  • Incorrect search results due to data ingested with incorrect timestamps
  • Incorrect timestamping of incoming data

It gets worse:

There is no method to correct the timestamps after the Splunk platform has ingested the data. If you ingest data with an un-patched Splunk platform instance, you must patch the instance and re-ingest the data for timestamps to be correct.

In short, there’s no quick way to back out of a problem which will only grow with every passing hour, day and week that it’s allowed to continue.

The problem lies with a file called datetime.xml, which Splunk uses to extract incoming timestamps with regular expressions. Its two-digit-year pattern accepts years up to and including 19, but not 20 onwards.
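As an added illustration (not Splunk's own datetime.xml, whose patterns are only paraphrased here, nor code from the article), the following Python models the two cut-overs described above: a two-digit-year alternative that stops at 19 and a Unix-time alternative that stops one second before 13 September 2020 12:26:39 UTC, beside the widened versions a patch would install. The regexes and the sample log lines are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Illustrative patterns that reproduce the behaviour the advisory describes.
# Assumption: modelled on that description, not copied from Splunk's datetime.xml.
# Two-digit years: the unpatched alternative accepts 90-99 and 00-19 only;
# the patched one also accepts 20-29.
UNPATCHED_DATE = re.compile(r"(?<!\d)(\d\d)/(\d\d)/([901]\d)(?!\d)")
PATCHED_DATE = re.compile(r"(?<!\d)(\d\d)/(\d\d)/([9012]\d)(?!\d)")
# Unix time: the unpatched alternative stops at 1599999999 (13 Sep 2020 12:26:39 UTC);
# the patched one accepts any ten-digit value starting with 1.
UNPATCHED_EPOCH = re.compile(r"(?<!\d)(1[0-5]\d{8})(?!\d)")
PATCHED_EPOCH = re.compile(r"(?<!\d)(1\d{9})(?!\d)")


def parse_event_time(line, patched):
    """Return the event date (UTC) extracted from a log line, or None when the
    pattern set in force does not recognise the timestamp at all."""
    date_re = PATCHED_DATE if patched else UNPATCHED_DATE
    epoch_re = PATCHED_EPOCH if patched else UNPATCHED_EPOCH
    m = date_re.search(line)
    if m:
        mm, dd, yy = (int(g) for g in m.groups())
        year = 1900 + yy if yy >= 90 else 2000 + yy  # pivot: 90-99 -> 1990s
        return datetime(year, mm, dd, tzinfo=timezone.utc)
    m = epoch_re.search(line)
    if m:
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return None


def unrecognised(lines, patched):
    """Lines whose timestamp cannot be extracted: these are the events an
    unpatched indexer would stamp with a wrong time and that must be re-ingested."""
    return [ln for ln in lines if parse_event_time(ln, patched) is None]


# Constructed sample lines (not real Sophos output): one event either side of each cut-over.
SAMPLE_LINES = [
    "12/31/19 23:59:59 device=sec-server action=allow",
    "01/01/20 00:00:00 device=sec-server action=allow",
    "1599999999 device=utm action=drop",
    "1600000000 device=utm action=drop",
]

if __name__ == "__main__":
    for patched in (False, True):
        label = "patched" if patched else "unpatched"
        print(label, "cannot extract:", unrecognised(SAMPLE_LINES, patched))
```

Run against a sample of your own exported events before ingesting them: anything listed by `unrecognised(..., patched=False)` is exactly the data the advisory says cannot be corrected after the fact.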

What to do

Leaving aside Splunk cloud customers who should receive the update automatically, there are three ways to patch the bug for all operating systems, the company said.

  • Download an updated version of datetime.xml and apply it to each of your Splunk platform instances
  • Make manual modifications to existing datetime.xml on your Splunk platform instances
  • Upgrade Splunk platform instances to a version with an updated version of datetime.xml

The complication is that applying the new file, or editing it manually, requires customers to stop and restart Splunk, a disruptive process when applied to more than one Splunk instance. Editing the datetime.xml should also be done with great care.

Although reminiscent of the famous Millennium Y2K bug predicted to affect computer systems on 1 January 2000, this class of bugs has popped up on other occasions since then.

A recent example is the GPS date issue that hit older satellite navigation systems earlier this year.

A variation on the same date/GPS problem affected Apple iPhone 5 and iPhone 4s in October, which meant that owners had to update their devices by 3 November 2019 or suffer app synchronisation problems.