Sophos Central Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
The Sophos Central input supports collecting Sophos events and alerts from the Sophos Central SIEM Integration API.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  • To retrieve logs from the Sophos SIEM Integration API, this input requires Sophos API authentication credentials. Follow the official Sophos API Credentials Management documentation for setup instructions. When configuring the credentials, select Service Principal Read-Only to grant the necessary access to SIEM Integration logs.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Client ID (the Sophos API credential ID entered as Sophos Client ID below)

  • Client Secret (entered as Sophos Client Secret below)

Input Type

This input is a pull input type. See Inputs to learn about input types.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration options and their descriptions:

Input Name

Provide a unique name for your new input.

Sophos Client ID

Enter the Client ID provided during the Sophos API Credential setup.

Sophos Client Secret

Enter the Client Secret provided during the Sophos API Credential setup.

Ingest Alerts (Checkbox)

This input automatically ingests Sophos Events. Select this checkbox to also ingest Sophos alerts. See Sophos documentation for additional details.

Polling Interval

Determines how often Graylog polls Sophos Central for new data. The smallest allowable interval is 5 minutes.

Enable Throttling

If enabled, no new messages will be read from this input until Graylog catches up with its message load. This is typically useful for inputs reading from files or message queue systems like AMQP or Kafka. If you regularly poll an external system, e.g. via HTTP, you normally want to leave this disabled.

Hint: The Sophos SIEM Integration API retains log data for only 24 hours. Avoid stopping the input for extended periods to prevent gaps in log collection.
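The following script is an added example, not code from the Graylog input or from Sophos. It shows what one polling cycle of a pull input like this one does against the Sophos Central SIEM Integration API and how the 24-hour retention window bounds the from_date of each poll. The OAuth token endpoint, whoami endpoint, /siem/v1/events path, X-Tenant-ID header, cursor paging and the five-minute safety margin follow the public Sophos Central API documentation as understood by the author of this example and are assumptions to check against current Sophos docs; the responses in demo_transport are constructed so the script runs offline. A Service Principal Read-Only credential, as set up above, is what a live run would use.

```python
"""Minimal Sophos Central SIEM Integration API poller (added example).

Endpoint paths, header names and response fields below follow the public
Sophos Central API documentation as understood here; treat them as
assumptions and verify against current Sophos documentation.
"""
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"   # assumption
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"    # assumption
RETENTION_SECONDS = 24 * 60 * 60  # the SIEM API retains data for 24 hours
SAFETY_MARGIN = 5 * 60            # stay this far inside the window (chosen here)


def _request(url, headers=None, data=None, transport=None):
    """GET (data is None) or POST (data is bytes) and decode the JSON body.
    `transport(url, headers, data) -> dict` replaces the network for tests."""
    if transport is not None:
        return transport(url, headers or {}, data)
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(client_id, client_secret, transport=None):
    """Exchange the Client ID / Client Secret for a bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return _request(TOKEN_URL, headers, body, transport)["access_token"]


def whoami(token, transport=None):
    """Resolve the tenant id and the regional API host holding the tenant's data."""
    info = _request(WHOAMI_URL, {"Authorization": "Bearer " + token}, None, transport)
    return info["id"], info["apiHosts"]["dataRegion"]


def from_date_for(last_seen, now, retention=RETENTION_SECONDS, margin=SAFETY_MARGIN):
    """Choose the from_date (epoch seconds) for the next poll.

    Returns (from_date, lost_seconds). lost_seconds > 0 means the poller was
    stopped for longer than the retention window and that much of the
    timeline can no longer be retrieved from the API."""
    oldest_available = now - retention + margin
    if last_seen is None:
        return oldest_available, 0
    if last_seen < oldest_available:
        return oldest_available, oldest_available - last_seen
    return last_seen, 0


def fetch_events(token, tenant_id, data_region, from_date, transport=None, limit=1000):
    """Follow next_cursor through /siem/v1/events until has_more is false."""
    headers = {"Authorization": "Bearer " + token, "X-Tenant-ID": tenant_id}
    params = {"limit": limit, "from_date": from_date}
    items = []
    while True:
        url = data_region + "/siem/v1/events?" + urllib.parse.urlencode(params)
        page = _request(url, headers, None, transport)
        items.extend(page.get("items", []))
        if not page.get("has_more"):
            return items
        # from_date and cursor are mutually exclusive: once a cursor exists, send only it
        params = {"limit": limit, "cursor": page["next_cursor"]}


def demo_transport(url, headers, data):
    """Constructed responses so the example runs offline; not real Sophos data."""
    if url == TOKEN_URL:
        return {"access_token": "demo-token", "token_type": "bearer", "expires_in": 3600}
    if url == WHOAMI_URL:
        return {"id": "demo-tenant", "idType": "tenant",
                "apiHosts": {"dataRegion": "https://api-demo.invalid"}}
    if "cursor=" in url:
        return {"has_more": False, "items": [{"id": "evt-2"}], "next_cursor": "c2"}
    return {"has_more": True, "items": [{"id": "evt-1"}], "next_cursor": "c1"}


def poll(client_id, client_secret, last_seen, now=None, transport=None):
    """One polling cycle; returns (events, lost_seconds)."""
    now = int(time.time()) if now is None else now
    token = get_token(client_id, client_secret, transport)
    tenant_id, region = whoami(token, transport)
    from_date, lost = from_date_for(last_seen, now)
    return fetch_events(token, tenant_id, region, from_date, transport), lost


if __name__ == "__main__":
    # With SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET set the script talks to Sophos;
    # otherwise it runs against the constructed demo responses.
    cid = os.environ.get("SOPHOS_CLIENT_ID")
    secret = os.environ.get("SOPHOS_CLIENT_SECRET")
    live = bool(cid and secret)
    events, lost = poll(cid or "demo", secret or "demo", last_seen=None,
                        transport=None if live else demo_transport)
    print(f"fetched {len(events)} events; unretrievable seconds: {lost}")
```

The lost_seconds value is the quantity the hint above is about: if the gap between the last successful poll and the oldest point the API still serves is positive, that stretch of events is gone and no later poll can recover it, so it is worth alerting on rather than silently resuming.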

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: