Tuesday, June 16, 2015

Sophos Sourcetype Added

Here are the configuration changes you'll need to make to add Sophos firewalls to home | monitor > 4.0. Please note that Sophos events carry no direction field, so some of the pfsense dashboards will not fully populate.

# transforms.conf: rewrite the sourcetype to "sophos" for any event whose host
# name contains "sophos". The stanza name below is an example; the original
# post did not show it. Reference it from a props.conf host stanza with
# TRANSFORMS-<name> = <stanza name> or the rule will never run.
[sophos_sourcetype]
REGEX = sophos
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::sophos
DEST_KEY = MetaData:Sourcetype

# props.conf: alias the Sophos field names onto the src_ip / dest_ip /
# protocol / firewall_rule names the dashboards search on. The alias keeps
# the original field and adds the new one. "[sophos]" matches the sourcetype
# assigned by the transform above.
[sophos]
FIELDALIAS-srcip = srcip as src_ip
FIELDALIAS-srcport = srcport as src_port
FIELDALIAS-dstip = dstip as dest_ip
FIELDALIAS-dstport = dstport as dest_port
FIELDALIAS-dstmac = dstmac as dest_mac
FIELDALIAS-proto = proto as protocol
FIELDALIAS-fwrule = fwrule as firewall_rule

Add this row to the action lookup csv so the Sophos "drop" action maps onto the app's normalized BLOCK value:

drop, BLOCK

After you add these entries, make sure to restart your Splunk instance.  I'll update the default conf and csv files for a later release (4.0.2).
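To check what those three pieces do to an event before restarting Splunk, here is an added Python script (not from the original post or the home | monitor app) that applies the same three steps in plain code: the host regex that sets the sourcetype, the field aliases, and the drop -> BLOCK action lookup. The two sample events are constructed; the Sophos-style key="value" line and the field names are assumptions based on the aliases above. It also reports that direction is absent, which is why the pfsense dashboards stay partly empty.

```python
import re

# Constructed sample events (not from the original post): one Sophos-style
# firewall line and one non-Sophos line, each tagged with its sending host.
SAMPLE_EVENTS = [
    {"host": "sophos-utm01",
     "_raw": ('ulogd[4321]: id="2001" severity="info" sub="packetfilter" '
              'name="Packet dropped" action="drop" fwrule="60001" '
              'srcip="203.0.113.5" dstip="198.51.100.10" proto="6" '
              'srcport="51515" dstport="22" dstmac="00:11:22:33:44:55"')},
    {"host": "pfsense-fw",
     "_raw": "filterlog: 5,,,1000000103,em0,match,block,in,4"},
]

# Mirrors the transforms.conf stanza: REGEX=sophos tested against the host.
HOST_SOURCETYPE_RULES = [(re.compile("sophos"), "sophos")]

# Mirrors the FIELDALIAS lines: Sophos field name -> dashboard field name.
FIELD_ALIASES = {
    "srcip": "src_ip", "srcport": "src_port",
    "dstip": "dest_ip", "dstport": "dest_port",
    "dstmac": "dest_mac", "proto": "protocol",
    "fwrule": "firewall_rule",
}

# Mirrors the lookup row "drop, BLOCK"; unknown actions pass through unchanged.
ACTION_LOOKUP = {"drop": "BLOCK"}

# key="value" pairs as they appear in the constructed Sophos line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def assign_sourcetype(event):
    """Return the sourcetype the host-based transform would assign."""
    for pattern, sourcetype in HOST_SOURCETYPE_RULES:
        if pattern.search(event["host"]):
            return sourcetype
    return event.get("sourcetype", "unknown")


def extract_kv(raw):
    """Pull key="value" pairs out of the raw event text."""
    return dict(KV_RE.findall(raw))


def apply_aliases(fields):
    """Add the aliased names; the original field is kept, as Splunk does."""
    out = dict(fields)
    for src, dst in FIELD_ALIASES.items():
        if src in fields:
            out[dst] = fields[src]
    return out


def normalize(event):
    """Run sourcetype assignment, aliasing and the action lookup on one event."""
    sourcetype = assign_sourcetype(event)
    if sourcetype != "sophos":
        return {"sourcetype": sourcetype, "fields": {}, "missing": []}
    fields = apply_aliases(extract_kv(event["_raw"]))
    if "action" in fields:
        fields["action"] = ACTION_LOOKUP.get(fields["action"], fields["action"])
    # Fields the pfsense dashboards expect but Sophos never sends.
    missing = [name for name in ("direction",) if name not in fields]
    return {"sourcetype": sourcetype, "fields": fields, "missing": missing}


def normalize_all(events):
    return [normalize(e) for e in events]


if __name__ == "__main__":
    for result in normalize_all(SAMPLE_EVENTS):
        print(result)
```

Running it shows the Sophos event ending up with sourcetype sophos, src_ip/dest_port/firewall_rule populated from the aliases, action rewritten to BLOCK and direction listed as missing, while the pfsense line is left untouched because its host does not match the regex.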
