Sophos XG data Connector

Question

Hello.&nbsp;I'm trying with fail to connect the Sophos XG data connector to Sentinel. I have used the KQL parser and followed all steps to the on the documentation but still can seem&nbsp; to get it working. For more context I'm trying to proxy via Syslog on Azure.&nbsp;Facility= daemonTLS =Enabled

clive_watson · Answer

Tshepang5499&nbsp;&nbsp;Do you have an error, or just no data in the Syslog table?Did you use the latest version in the [Content Hub]?&nbsp;Is the connector Installed and Connected (green)?

tshepang5499 · Answer

Hello CliveWatsonI have no error. I tried to use the latest version on Content Hub and it keeps on taking me back to the connector on Data Connectors. Maybe you can help me with the KQL function. I changed the unique identifiers to point to the hostname(IP) and facility(daemon) and saved it .

clive_watson · Answer

Just to check there is data, if you just run a basic KQL query like the below, using the right IP, do you get anything?

Syslog
| where Computer in ("52.152.175.228") and Facility == "local0"
| extend Device = extract(@'device=\"(\S+)\"', 1, SyslogMessage),
Date = extract(@'date=(\S+)', 1, SyslogMessage),
Time = extract(@'time=(\S+)', 1, SyslogMessage)
| limit 10

I dont know this parser, but its asking for an IP address in a column that is normally a name - so maybe use the server name instead, as a test?

tshepang5499 · Answer

I cannot seem to get any logs by running this querry above.

clive_watson · Answer

Tshepang5499&nbsp;In that case, working on the Parser wont help - its looking more like Sophos XG or more likely the Log Forwarder isn't sending the Syslog data to Sentinel yet.

Forum Discussion

Sophos XG data Connector

Share

Resources