Forum Discussion
Tshepang5499
Apr 26, 2023 Copper Contributor
Sophos XG data Connector
Hello. I'm trying, without success, to connect the Sophos XG data connector to Sentinel. I have used the KQL parser and followed all the steps in the documentation but still can't seem to get it workin...
Tshepang5499
Apr 26, 2023 Copper Contributor
Hello CliveWatson
I have no error. I tried to use the latest version on Content Hub and it keeps on taking me back to the connector on Data Connectors. Maybe you can help me with the KQL function. I changed the unique identifiers to point to the hostname (IP) and facility (daemon) and saved it.
Clive_Watson
Apr 26, 2023 Bronze Contributor
Just to check there is data, if you just run a basic KQL query like the below, using the right IP, do you get anything?
Syslog
| where Computer in ("52.152.175.228") and Facility == "local0"
| extend Device = extract(@'device=\"(\S+)\"', 1, SyslogMessage),
Date = extract(@'date=(\S+)', 1, SyslogMessage),
Time = extract(@'time=(\S+)', 1, SyslogMessage)
| limit 10
I don't know this parser, but it's asking for an IP address in a column that is normally a name - so maybe use the server name instead, as a test?
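As an added example (not code from the thread, from Sophos or from Microsoft), the Python below reproduces the filter-and-extract logic of the KQL query above over a few constructed rows shaped like the Sentinel Syslog table, and adds the diagnostic step worth running first: count rows per Computer and Facility so you can see which values the firewall's logs actually arrive under, instead of guessing an IP or a facility such as local0 or daemon. The host names, IPs and message text are constructed for this example.

```python
import re
from collections import Counter

# Regular expressions matching the three extract() calls in the KQL
# query from the thread; they pull the leading key=value pairs that a
# Sophos XG syslog line carries (device="SFW" date=... time=...).
DEVICE_RE = re.compile(r'device="(\S+)"')
DATE_RE = re.compile(r'date=(\S+)')
TIME_RE = re.compile(r'time=(\S+)')

# Constructed rows standing in for the Sentinel Syslog table. The keys
# mirror that table's column names; hosts, IPs and messages are made up.
SAMPLE_SYSLOG = [
    {"Computer": "192.0.2.10", "Facility": "daemon",
     "SyslogMessage": 'device="SFW" date=2023-04-26 time=10:15:01 '
                      'timezone="UTC" log_type="Firewall" log_subtype="Allowed"'},
    {"Computer": "192.0.2.10", "Facility": "daemon",
     "SyslogMessage": 'device="SFW" date=2023-04-26 time=10:15:07 '
                      'timezone="UTC" log_type="Firewall" log_subtype="Denied"'},
    {"Computer": "linuxweb01", "Facility": "auth",
     "SyslogMessage": "pam_unix(sshd:session): session opened for user deploy"},
]


def extract_fields(message):
    """Equivalent of the three extract() calls: capture group 1, or None."""
    def first_group(pattern):
        match = pattern.search(message)
        return match.group(1) if match else None
    return {
        "Device": first_group(DEVICE_RE),
        "Date": first_group(DATE_RE),
        "Time": first_group(TIME_RE),
    }


def summarize_sources(rows):
    """Diagnostic first step: count rows per (Computer, Facility) pair,
    the equivalent of `Syslog | summarize count() by Computer, Facility`.
    Shows which values the forwarder really delivered, so the filter
    below can be pointed at them rather than at assumed ones."""
    return dict(Counter((row["Computer"], row["Facility"]) for row in rows))


def query_syslog(rows, computer, facility, limit=10):
    """Python equivalent of the thread's query: keep rows where Computer
    and Facility match, extend them with Device/Date/Time, limit N rows."""
    results = []
    for row in rows:
        if row["Computer"] != computer or row["Facility"] != facility:
            continue
        extended = dict(row)
        extended.update(extract_fields(row["SyslogMessage"]))
        results.append(extended)
        if len(results) >= limit:
            break
    return results


if __name__ == "__main__":
    # The thread's filter (Facility == "local0") returns nothing here,
    # because the constructed firewall rows arrived under "daemon".
    print("local0 rows:", query_syslog(SAMPLE_SYSLOG, "192.0.2.10", "local0"))
    print("per-source counts:", summarize_sources(SAMPLE_SYSLOG))
    for row in query_syslog(SAMPLE_SYSLOG, "192.0.2.10", "daemon"):
        print(row["Device"], row["Date"], row["Time"])
```

If the per-source summary shows no rows at all from the firewall's host, the parser is not the problem: the forwarder is not delivering the syslog stream to the workspace, which is the conclusion the thread reaches below.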
- Tshepang5499
  Apr 27, 2023 Copper Contributor
  I cannot seem to get any logs by running this query above.
- Clive_Watson
  Apr 27, 2023 Bronze Contributor
  Tshepang5499 In that case, working on the Parser won't help - it's looking more like Sophos XG or, more likely, the Log Forwarder isn't sending the Syslog data to Sentinel yet.