Sophos XG data Connector

Tshepang5499 · ‎Apr 26 2023

Hello.

I'm trying with fail to connect the Sophos XG data connector to Sentinel. I have used the KQL parser and followed all steps to the on the documentation but still can seem to get it working. For more context I'm trying to proxy via Syslog on Azure.

Facility= daemon

TLS =Enabled

Clive_Watson · ‎Apr 26 2023

@Tshepang5499

Do you have an error, or just no data in the Syslog table?

Did you use the latest version in the [Content Hub]?

Is the connector Installed and Connected (green)?

Tshepang5499 · ‎Apr 26 2023

Hello @CliveWatson

I have no error. I tried to use the latest version on Content Hub and it keeps on taking me back to the connector on Data Connectors. Maybe you can help me with the KQL function. I changed the unique identifiers to point to the hostname(IP) and facility(daemon) and saved it .

Clive_Watson · ‎Apr 26 2023

Just to check there is data, if you just run a basic KQL query like the below, using the right IP, do you get anything?

Syslog
| where Computer in ("52.152.175.228") and Facility == "local0"
| extend Device = extract(@'device=\"(\S+)\"', 1, SyslogMessage),
Date = extract(@'date=(\S+)', 1, SyslogMessage),
Time = extract(@'time=(\S+)', 1, SyslogMessage)
| limit 10

I dont know this parser, but its asking for an IP address in a column that is normally a name - so maybe use the server name instead, as a test?

Tshepang5499 · ‎Apr 27 2023

I cannot seem to get any logs by running this querry above.

Clive_Watson · ‎Apr 27 2023

@Tshepang5499 In that case, working on the Parser wont help - its looking more like Sophos XG or more likely the Log Forwarder isn't sending the Syslog data to Sentinel yet.

Sophos XG data Connector

Sophos XG data Connector

Re: Sophos XG data Connector

Re: Sophos XG data Connector

Re: Sophos XG data Connector

Re: Sophos XG data Connector

Re: Sophos XG data Connector

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Sophos XG data Connector