Sophos Sourcetype Added
Here are the configuration changes you'll need to make to add Sophos firewalls to home | monitor 4.0 and later. Please note that Sophos events carry no direction field, so some of the pfSense-derived dashboards will not fully populate.
transforms.conf
[sophos]
REGEX = sophos
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::sophos
DEST_KEY = MetaData:Sourcetype
props.conf
[sophos]
FIELDALIAS-srcip = srcip as src_ip
FIELDALIAS-srcport = srcport as src_port
FIELDALIAS-dstip = dstip as dest_ip
FIELDALIAS-dstport = dstport as dest_port
FIELDALIAS-dstmac = dstmac as dest_mac
FIELDALIAS-proto = proto as protocol
FIELDALIAS-fwrule = fwrule as firewall_rule
action_lookups.csv
drop,BLOCK
accept,ACCEPT
After you add these entries, make sure to restart your Splunk instance. I'll update the default conf and csv files for a later release (4.0.2).
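To see what the three files above do to an event before restarting Splunk, here is an added Python emulation (not code from the home | monitor app or the original post): it applies the host-based sourcetype rule, the FIELDALIAS mappings and the action lookup to a constructed Sophos key=value line, and shows the direction field coming back empty. The event format, host name and field values are constructed for the example.

```python
import re

# Mirrors transforms.conf: a host matching "sophos" gets sourcetype::sophos
SOURCETYPE_RULES = [(re.compile(r"sophos"), "sophos")]

# Mirrors the props.conf FIELDALIAS stanzas (Sophos name -> CIM-style alias)
FIELD_ALIASES = {
    "srcip": "src_ip",
    "srcport": "src_port",
    "dstip": "dest_ip",
    "dstport": "dest_port",
    "dstmac": "dest_mac",
    "proto": "protocol",
    "fwrule": "firewall_rule",
}

# Mirrors action_lookups.csv
ACTION_LOOKUP = {"drop": "BLOCK", "accept": "ACCEPT"}

# key=value or key="quoted value" pairs, as Sophos firewall logs emit them
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def assign_sourcetype(host):
    """Return the sourcetype the transforms.conf rule would assign, else None."""
    for rx, sourcetype in SOURCETYPE_RULES:
        if rx.search(host):
            return sourcetype
    return None


def normalize_event(host, raw):
    """Apply sourcetype rule, field aliases and action lookup to one raw event."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(raw)}
    fields["sourcetype"] = assign_sourcetype(host)
    for original, alias in FIELD_ALIASES.items():
        if original in fields:
            fields[alias] = fields[original]  # FIELDALIAS keeps the original too
    if "action" in fields:
        fields["action_normalized"] = ACTION_LOOKUP.get(fields["action"], fields["action"])
    # Sophos logs have no direction field; dashboards keyed on it stay empty
    fields["direction"] = fields.get("direction")
    return fields


# Constructed sample event (hypothetical host name and values)
SAMPLE_HOST = "sophos-fw01"
SAMPLE_RAW = ('action="drop" srcip=10.0.0.5 srcport=51234 dstip=203.0.113.9 '
              'dstport=443 proto="TCP" fwrule=12 dstmac=00:11:22:33:44:55')

if __name__ == "__main__":
    print(normalize_event(SAMPLE_HOST, SAMPLE_RAW))
```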