Configure Sophos Enterprise Console to send logs to Arctic Wolf

You can configure your Sophos Enterprise Console® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the Sophos Enterprise Console with administrator permissions

These actions are required:

  • If you use role-based administration:
    • Make sure that you have Policy setting - anti-virus and HIPS permissions.
    • You cannot edit a policy if it is applied outside your active Sub-Estate.

Enable syslog forwarding

  1. Sign in to the Sophos Enterprise Console as an administrator.
  2. Click the Policies tab.
  3. Double-click the anti-virus and host intrusion prevention system (HIPS) policy that you want to change.
  4. Click Messaging.
  5. Click the Event log tab.
  6. Select the Enable event logging option.

Install the Reporting Log Writer

  1. Go to the Sophos Enterprise Console downloads page.
  2. Download and install the Sophos Reporting Log Writer.
  3. Start the Log Writer service:
    1. Open Control Panel, and then double-click Administrative Tools.
    2. In the Administrative Tools window, double-click Services.

      The list of available services appears.

  4. Select Sophos Reporting Log Writer, and then click Start.

    Logs are copied to the local server event logs.

Install NXLog

  1. Install NXLog.
  2. Contact your Concierge Security® Team (CST) for custom configuration.
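For orientation while you wait for your CST, here is an illustrative NXLog configuration, added as an example and not the custom configuration that Arctic Wolf supplies: it reads the Windows Application log that the Reporting Log Writer populates and forwards the matching events as syslog to the sensor. The install path, the "Sophos" event source prefix, and the sensor address and port are assumptions to confirm in Event Viewer and with your CST.

```nxlog
# Added example, not the configuration Arctic Wolf's CST supplies.
# Assumptions (verify before use):
#   - NXLog Community Edition on the Enterprise Console server,
#     installed under C:\Program Files\nxlog
#   - the Sophos Reporting Log Writer writes to the Application log
#     with an event source name beginning "Sophos"
#   - the Arctic Wolf Sensor accepts syslog at 192.0.2.10:514/UDP
#     (placeholder address; use the sensor IP from your deployment)
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Read the Windows Application log (where the Reporting Log Writer copies Sophos events).
<Input sophos_eventlog>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                </Query>\
            </QueryList>
    # Keep only Reporting Log Writer events; drop unrelated Application-log noise
    # so the sensor receives just the Sophos anti-virus and HIPS records.
    Exec    if $SourceName !~ /^Sophos/ drop();
</Input>

# Forward each event as BSD-format syslog to the Arctic Wolf Sensor.
<Output to_arctic_wolf>
    Module  om_udp
    Host    192.0.2.10
    Port    514
    Exec    to_syslog_bsd();
</Output>

# Connect the input to the output.
<Route sophos_to_sensor>
    Path    sophos_eventlog => to_arctic_wolf
</Route>
```

After restarting the nxlog service, confirm in Event Viewer that Sophos events are still arriving locally and check %ROOT%\data\nxlog.log for delivery errors before reporting the sensor address to your CST.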

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.