Configuring Sophos Firewall to forward events
Take the following steps to configure your Sophos Firewall:
1. Go to System services > Log settings and click Add.
2. Specify the settings:
   - Name: a name for the device, in the form "Sophos_firewall @ device_ip"
   - IP: the Google Chronicle Forwarder IP
   - Secure Log Transmission: enable the check box
   - Port: "11682"
   - Facility: "Local 6"
   - Severity Level: "Informational"
   - Format: "Device Standard Format"
3. Click Save.
4. Repeat the process for each device that needs to be onboarded to Chronicle.
5. Once the configuration is complete, validate the logs in Chronicle: a search using the regular expression ".*", or a specific hostname, lists the log source types currently being ingested into Chronicle. See the screenshot below for reference.
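As an added forwarder-side check (example code, not part of the Sophos or Chronicle documentation), the script below confirms that messages arriving at the forwarder carry the syslog priority implied by the settings above (Local 6 / Informational gives PRI 182) and extracts the key=value fields of the Device Standard Format. The sample lines and the field names (`device_name`, `log_type`, `src_ip`) are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Syslog facility and severity codes (RFC 5424, section 6.2.1). Local 6 and
# Informational are the values selected in the Sophos Log settings.
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}

def expected_pri(facility: str = "local6", severity: str = "informational") -> int:
    """PRI = facility * 8 + severity; Local 6 / Informational -> 182."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

# Device Standard Format lines are space-separated key=value pairs; values may
# be double-quoted. The PRI is the leading <n> added by syslog.
PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the PRI plus all key=value fields, or None if no PRI is present."""
    m = PRI_RE.match(line)
    if not m:
        return None
    fields = {"pri": m.group(1)}
    for key, _, quoted, bare in KV_RE.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    return fields

def check_ingest(lines: List[str], facility: str = "local6",
                 severity: str = "informational") -> Tuple[List[str], List[str]]:
    """Split lines into (device names with the expected PRI, rejected lines)."""
    want = expected_pri(facility, severity)
    ok, bad = [], []
    for line in lines:
        fields = parse_line(line)
        if fields is None or int(fields["pri"]) != want:
            bad.append(line)  # missing PRI or wrong facility/severity
        else:
            ok.append(fields.get("device_name", "?"))
    return ok, bad

# Constructed sample input: one line as configured above, one sent with the
# wrong facility (local0 -> PRI 134), and one line that is not syslog at all.
SAMPLE = [
    '<182>device="SFW" date=2024-01-15 time=10:21:05 timezone="UTC" '
    'device_name="Sophos_firewall @ 10.0.0.1" log_type="Firewall" '
    'log_subtype="Allowed" src_ip=10.0.0.5 dst_ip=93.184.216.34',
    '<134>device="SFW" date=2024-01-15 time=10:21:06 timezone="UTC" '
    'device_name="other-box" log_type="Firewall"',
    "garbage line without PRI",
]
```

Any line landing in the rejected list points at a device whose Facility or Severity Level was not set as described above.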