Tuesday, June 16, 2015

Sophos Sourcetype Added

Here are the configuration changes you'll need to make to add Sophos firewalls to home | monitor 4.0. Please note that Sophos logs carry no direction field, so the pfSense dashboards that are keyed on direction will not fully populate.

transforms.conf 

[sophos]
REGEX = sophos
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::sophos
DEST_KEY = MetaData:Sourcetype


props.conf

[sophos]
FIELDALIAS-srcip = srcip as src_ip
FIELDALIAS-srcport = srcport as src_port
FIELDALIAS-dstip = dstip as dest_ip
FIELDALIAS-dstport = dstport as dest_port
FIELDALIAS-dstmac = dstmac as dest_mac
FIELDALIAS-proto = proto as protocol
FIELDALIAS-fwrule = fwrule as firewall_rule

action_lookups.csv

drop,BLOCK
accept,ACCEPT

After you add these entries, make sure to restart your Splunk instance. Two things to check before you do: the [sophos] transform only runs if it is referenced from a TRANSFORMS- setting in props.conf for the sourcetype the syslog data arrives with, and its REGEX is matched case-sensitively against the host field, so a firewall that reports itself as "Sophos-UTM" will not be routed unless you use (?i)sophos or adjust the hostname. I'll fold the default conf and csv files into a later release (4.0.2).
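To see what the three snippets above do to an event end to end, here is an added Python model of the pipeline (example code, not part of the original post or the home | monitor app): the host regex from transforms.conf decides the sourcetype, the FIELDALIAS entries from props.conf copy the Sophos field names onto their CIM-style names, and the action_lookups.csv rows normalize the action. The log line and hostname are constructed samples in the Sophos UTM key="value" format, and the output field name `normalized_action` is my own choice, not the app's.

```python
import re

# Constructed sample: one Sophos UTM packet-filter event as it arrives over syslog,
# with RFC 5737 example addresses. Not a real capture.
SAMPLE_HOST = "sophos-utm"
SAMPLE_EVENT = (
    '2015:06:16-10:00:00 sophos-utm ulogd[4567]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" '
    'dstmac="66:77:88:99:aa:bb" srcip="192.0.2.10" dstip="198.51.100.5" '
    'proto="6" length="52" srcport="54321" dstport="443"'
)

# Mirrors the transforms.conf stanza: an unanchored, case-sensitive match on the host.
HOST_REGEX = re.compile(r"sophos")

# Mirrors the FIELDALIAS entries in props.conf: Sophos field name -> CIM-style name.
FIELD_ALIASES = {
    "srcip": "src_ip",
    "srcport": "src_port",
    "dstip": "dest_ip",
    "dstport": "dest_port",
    "dstmac": "dest_mac",
    "proto": "protocol",
    "fwrule": "firewall_rule",
}

# Mirrors the two action_lookups.csv rows: vendor action -> normalized action.
ACTION_LOOKUP = {"drop": "BLOCK", "accept": "ACCEPT"}

# Sophos UTM writes every field as key="value"; this is what Splunk's automatic
# KV extraction would pick up at search time.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def assign_sourcetype(host):
    """Return the sourcetype the transform would set, or None when the regex misses."""
    return "sophos" if HOST_REGEX.search(host) else None


def extract_fields(event):
    """Extract the key="value" pairs from a raw event into a dict."""
    return dict(KV_RE.findall(event))


def normalize(fields):
    """Apply the aliases and the action lookup.

    FIELDALIAS copies rather than renames, so the original Sophos names are kept.
    The 'normalized_action' output name is an assumption for this example.
    """
    out = dict(fields)
    for src, dest in FIELD_ALIASES.items():
        if src in fields:
            out[dest] = fields[src]
    if "action" in fields:
        out["normalized_action"] = ACTION_LOOKUP.get(fields["action"])
    # Sophos emits no direction field, so anything keyed on it stays empty.
    out["direction"] = fields.get("direction")
    return out


def process(host, event):
    """Route by host, then normalize; events from non-matching hosts are left alone."""
    if assign_sourcetype(host) != "sophos":
        return None
    return normalize(extract_fields(event))


if __name__ == "__main__":
    result = process(SAMPLE_HOST, SAMPLE_EVENT)
    for key in ("src_ip", "dest_ip", "dest_port", "protocol",
                "firewall_rule", "normalized_action", "direction"):
        print(f"{key}={result[key]}")
```

Running it prints the aliased fields and `normalized_action=BLOCK` for the sample, with `direction=None` showing why the direction-based dashboards stay empty. Swapping the host for "Sophos-UTM" returns None from `process`, which is the case-sensitivity caveat from the note above; in Splunk the event would then keep whatever sourcetype the syslog input gave it.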

