ปรับค่าใน config.ini เพื่อให้ส่ง log ไปยัง SIEM
#less config.ini
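[login]
# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
#token_info = <Copy API Access URL + Headers block from Sophos Central here>
# The whole "url: ..., x-api-key: ..." block must stay on ONE line: a wrapped
# second line is not a comment and is read by the parser as a separate key.
# x-api-key is a credential: restrict this file's permissions to the account
# that runs siem.py (owner read only) and keep it out of version control.
token_info = url: https://api1.central.sophos.com/gateway, x-api-key: JqQ6_your_token
# format can be json, cef or keyvalue; cef (Common Event Format) is used here
#format = json
format = cef
# filename can be syslog, stdout, any custom filename
# NOTE: records are written in cef (see format above) even though the name
# ends in .json
filename = sophos.json.log
# endpoint can be event, alert or all
#endpoint = event
endpoint = all
# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
#address = /var/run/syslog
# 127.0.0.1:514 targets a syslog listener on this host; that listener (or a
# forwarder) must relay to the SIEM, otherwise put the SIEM's <ip>:<port> here
address = 127.0.0.1:514
facility = daemon
# udp gives no delivery guarantee and no transport encryption; confirm whether
# the receiver (and this script) accept tcp before relying on it for audit data
socktype = udp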
แล้วทำการเพิ่มใน crontab ดังนี้
# Sophos automatic reading
# Runs every 2 minutes as the owner of this crontab. The cd is required:
# siem.py presumably reads config.ini (which holds the API key) relative to
# that directory — confirm against the script. Run this under a dedicated
# low-privilege account that owns /opt/Sophos-Central-SIEM-Integration-master/
# rather than root. /usr/bin/python is unversioned (Python 2 on many systems);
# confirm it is the interpreter siem.py expects. Any stdout/stderr is mailed
# to the crontab owner unless redirected.
*/2 * * * * cd /opt/Sophos-Central-SIEM-Integration-master/ && /usr/bin/python siem.py