Unable to get Sophos XG filebeat module working

[cyb3rz3us]

General

SO version: 2.3.110
Platform: VM within ESX 6.5
vCPU: 8
RAM: 32GB
HDD: system = 500GB; nsm = 1TB
RAID status: not implemented
Installed using: SO ISO

Description

After making the required changes (based on SO and Elastic docs), I do not see the module loaded in the Docker container and therefore, do not see any Sophos XG logs ingested into SO.

Config change

/opt/so/saltstack/local/pillar/minions/tyr_standalone.sls

filebeat:
  third_party_filebeat:
    modules:
      sophos:
        xg:
          enabled: true
          var.default_host_name: [ OMITTED ]
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9514
firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          log_sources:
            portgroups:
              - portgroups.beats_custom
      INPUT:
        hostgroups:
          log_sources:
            portgroups:
              - portgroups.beats_custom

Firewall changes

• Log source is 192.168.5.13
• Logs are sent to UDP 9514

[220413_071700+0000 2586] > sudo so-firewall includedhosts syslog
192.168.5.11
192.168.5.13
192.168.5.254

[220413_072825+0000 2591] > sudo so-firewall listportgroups
beats_custom
syslog_cust

[220413_073623+0000 2592] > sudo so-firewall listports beats_custom udp
9514

After executing the sudo so-filebeat-restart command, I do see the above Sophos XG config within the /opt/so/conf/filebeat/modules/thirdparty.yml file:

- module: sophos
  xg:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9514
    var.default_host_name: [ OMITTED ]

However, when executing the filebeat module list command within the so-filebeat container, I do not see the Sophos module. However, I do see thirdparty listed and because I'm not sure if Sophos should also be listed, this may be a normal result to this command:

[220413_070159+0000 4686] > sudo docker exec -it so-filebeat bash

root@so-filebeat:/usr/share/filebeat# filebeat modules list
Enabled:
securityonion
thirdparty

Disabled:

Finally, I did enable DEBUG logging but I do not see even a single instance of the word sophos mentioned in any logfile in the /opt/so/log/filebeat/ directory.

[cyb3rz3us]

Update # 1

After explicitly adding the log source to the DOCKER-USER iptables chain, the logs starting coming in. They do not appear to be parsed properly but regardless, at least the logs are getting into ES. Next up is chasing down why the iptables are not updating properly + the parsing issues.

[01amigo01]

Any solution to this prob? Facing the same issue...

[brunbrun2]

@cyb3rz3us
what do you mean by "adding the log source to the DOCKER-USER iptables chain", Gacing the same issue and I think my problem is here.
Thx

[tomjones1977]

Have you enabled the sophos pipeline in the logstash container?

sudo docker exec -i so-filebeat filebeat setup modules -pipelines -modules sophos -c /usr/share/filebeat/module-setup.yml

[3isenHeiM]

It's not in the filebeat documentation, how to know this ? Is there a way to check if this is done by default when setting up the filebeat module ?

[brunbrun2]

Is your problem solve?
I'm facing the same issue.
after configure the minions and open firewall port, got:

Exiting: module sophos is configured but has no enabled filesets

after apply this command
sudo docker exec -i so-filebeat filebeat setup modules -pipelines -modules sophos -c /usr/share/filebeat/module-setup.yml

THX

[dougburks]

@brunbrun2 Looks like your issue is resolved via #9202.