Collect Sophos Central logs
This document explains how to collect Sophos Central logs by using Bindplane. The parser transforms JSON logs into a unified data model (UDM). It extracts fields from nested JSON structures, maps them to UDM fields, and performs event categorization based on the type field, enriching the data with specific details and actions for different Sophos Central event types.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- You are using Windows 2016 or later, or a Linux host with systemd.
- You have an additional Windows or Linux machine, capable of continuously running Python.
- If running behind a proxy, make sure firewall ports are open per the Bindplane agent requirements.
- Privileged access to the Sophos Central Admin console.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open the Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" / quiet
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL [ https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ]( https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) )" install_unix.sh
Additional installation resources
For additional installation options, consult this installation guide .
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
-
Access the Configuration File:
- Locate the
config.yamlfile. Typically, it's in the/opt/observiq-otel-collector/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
-
Edit the
config.yamlfile as follows:receivers : udplog : # Replace the port and IP address as required listen_address : "0.0.0.0:514" exporters : chronicle/chronicle_w_labels : compression : gzip # Adjust the path to the credentials file you downloaded in Step 1 creds_file_path : '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID from Step 2 customer_id : '<customer_id>' endpoint : malachiteingestion-pa.googleapis.com # Add optional ingestion labels for better organization log_type : 'SOPHOS_CENTRAL' raw_log_field : body ingestion_labels : service : pipelines : logs/source0__chronicle_w_labels-0 : receivers : - udplog exporters : - chronicle/chronicle_w_labels -
Replace the port and IP address as required in your infrastructure.
-
Replace
<customer_id>with the actual Customer ID. -
Update
/path/to/ingestion-authentication-file.jsonto the file path where the authentication file was saved in Step 1.
Restart the Bindplane agent to apply the changes
-
To restart the Bindplane agent in Linux, run the following command:
/opt/observiq-otel-collector/config.yaml -
To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Sophos Central API access
- Sign in to Sophos Central Admin.
- Select Global Settings > API Token Management.
- Click Add Tokento create a new token.
- Enter a token name and click Save. The API Token Summaryfor the provided token is displayed.
- In the API Token Summarysection, click Copyto copy the API access URL and headers.
Install Python on the additional machine
- Open the web browser and go to the Python website .
- Click Download Pythonfor your operating system (Windows or Mac).
-
Install Python:
- On Windows:
- Run the installer.
- Check the box that says Add Python to PATH.
- Click Install Now.
- On Mac:
- Python may already be installed; if not, you can install the latest version using the terminal.
- Open Terminaland type the following command to verify:
python --version - On Windows:
Download the Sophos integration script
- Go to the GitHub page for the Sophos Central SIEM Integration Repository .
- Click the green Code button > Download ZIP.
- Extract the ZIP file.
Set up the script configuration
- Find and open the
config.inifile with a text editor. - Edit the configuration file:
- API Token:Enter the API Key copied earlier from Sophos Central.
- Syslog Server Details:Enter the details of your syslog server.
- Host:Enter the Bindplane IP address.
- Port:Enter the Bindplane port number.
- Protocol:Enter UDP(you can also use TCPor TLSdepending on your setup).
- Savethe file.
Run the script
- Go to the script folder.
- On Windows:
- Press the Windowskey and type
cmd. - Click Command Prompt.
- Navigate to the folder:
cmd cd C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration
- Press the Windowskey and type
- On macOS:
- Go to Applications > Utilities.
- Open Terminal.
- Navigate to the folder:
bash cd /Users/YourName/Downloads/Sophos-Central-SIEM-Integration
- On Windows:
-
Run the script:
- Type the following command to start the script:
python siem.py
Automate the script to run continuously
On Windows (using Task Scheduler)
- Open the Task Schedulerby typing "Task Scheduler" in the Start menu.
- Click Create Task.
- In the Generaltab:
- Name your task (e.g.,
Sophos Central Log Export).
- Name your task (e.g.,
- In the Triggerstab:
- Click Newand set the task to run Dailyor At startup.
- In the Actionstab:
- Click Newand select Start a program.
- Browse for the
python.exeexecutable (usually found atC:\PythonXX\python.exe). - In the Add argumentsfield, type the path to the script (e.g.,
C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration\siem.py).
- Click OKto save the task.
On Mac (using Cron Jobs)
- Open the Terminal.
- Type
crontab -eand press Enter. -
Add a new line at the end of the file:
* * * * * /usr/bin/python /Users/YourName/Downloads/Sophos-Central-SIEM-Integration/siem.py -
Saveand exit the editor.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
created_at_label
|
additional.fields
|
Merged |
datastream_label
|
additional.fields
|
Merged |
security_result.description
|
metadata.description
|
Renamed/mapped |
end
|
metadata.event_timestamp
|
Parsed as RFC 3339
|
when
|
metadata.event_timestamp
|
Parsed as RFC 3339
|
has_principal
|
metadata.event_type
|
Mapped: true
→ FILE_OPEN
, true
→ NETWORK_CONNECTION
, true
→ SCAN_UNCATEGORIZED
|
type
|
metadata.event_type
|
Mapped values (14 total, e.g. Event::Endpoint::DataLossPreventionAutomaticallyAllowed
→ `F... |
type
|
metadata.product_event_type
|
Directly mapped |
type
|
network.direction
|
Mapped: Event::Endpoint::WebControlViolation
→ OUTBOUND
, `Event::Endpoint::WindowsFirewa... |
type
|
network.ip_protocol
|
Mapped: Event::Endpoint::WebControlViolation
→ TCP
|
dhost
|
principal.asset.hostname
|
Directly mapped |
location
|
principal.asset.hostname
|
Directly mapped |
data.source_info.ip
|
principal.asset.ip
|
Merged |
source_info.ip
|
principal.asset.ip
|
Merged |
dhost
|
principal.hostname
|
Directly mapped |
location
|
principal.hostname
|
Directly mapped |
data.source_info.ip
|
principal.ip
|
Merged |
source_info.ip
|
principal.ip
|
Merged |
type
|
principal.user.attribute.labels
|
Mapped: Event::Endpoint::DataLossPreventionAutomaticallyAllowed
→ username_label
|
username_label
|
principal.user.attribute.labels
|
Merged |
Username
|
principal.user.user_display_name
|
Directly mapped |
source
|
principal.user.user_display_name
|
Directly mapped |
source
|
principal.user.userid
|
Directly mapped |
suser
|
principal.user.userid
|
Directly mapped |
user_id
|
principal.user.userid
|
Directly mapped |
endpoint_type_label
|
security_result.about.labels
|
Merged |
sec_action
|
security_result.action
|
Merged |
type
|
security_result.action
|
Mapped: Event::Endpoint::DataLossPreventionAutomaticallyAllowed
→ sec_action
, `Event::En... |
group
|
security_result.category_details
|
Merged |
name
|
security_result.description
|
Directly mapped |
type
|
security_result.description
|
Mapped: Event::Endpoint::(UpdateRebootRequired/ServiceNotRunning/NonCompliant/OutOfDate)
→... |
duid_label
|
security_result.detection_fields
|
Merged |
id_label
|
security_result.detection_fields
|
Merged |
rule
|
security_result.rule_name
|
Directly mapped |
rules
|
security_result.rule_name
|
Directly mapped |
severity
|
security_result.severity
|
Mapped: low
→ LOW
, medium
→ MEDIUM
, high
→ HIGH
|
security_result.description
|
security_result.summary
|
Renamed/mapped |
app
|
target.application
|
Directly mapped |
application
|
target.application
|
Directly mapped |
dhost
|
target.asset.hostname
|
Directly mapped |
endpoint_id
|
target.asset_id
|
Directly mapped |
f_path
|
target.file.full_path
|
Directly mapped |
f_size
|
target.file.size
|
Renamed/mapped |
dhost
|
target.hostname
|
Directly mapped |
application
|
target.process.file.full_path
|
Directly mapped |
core_remedy_items.items.0.descriptor
|
target.process.file.full_path
|
Directly mapped |
data.core_remedy_items.items.0.descriptor
|
target.process.file.full_path
|
Directly mapped |
file_path_1
|
target.process.file.full_path
|
Directly mapped |
customer_id
|
target.resource.id
|
Directly mapped |
p_device
|
target.resource.name
|
Directly mapped |
scan_name
|
target.resource.name
|
Directly mapped |
type
|
target.resource.name
|
Mapped: Event::Endpoint::SavDisabled
→ Real time protection
, `Event::Endpoint::Registere... |
type
|
target.resource.type
|
Mapped values (5 total, e.g. Event::Endpoint::SavDisabled
→ SETTING
, `Event::Endpoint::R... |
url
|
target.url
|
Directly mapped |
principal.user.userid
|
target.user.userid
|
Directly mapped |
suser
|
target.user.userid
|
Directly mapped |
|
N/A
|
metadata.event_type
|
Constant: GENERIC_EVENT
|
|
N/A
|
metadata.product_name
|
Constant: Sophos Central
|
|
N/A
|
metadata.vendor_name
|
Constant: Sophos
|
|
N/A
|
network.direction
|
Constant: OUTBOUND
|
|
N/A
|
network.ip_protocol
|
Constant: TCP
|
|
N/A
|
security_result.description
|
Constant: security_result.summary
|
|
N/A
|
security_result.severity
|
Constant: LOW
|
|
N/A
|
target.resource.name
|
Constant: Real time protection
|
|
N/A
|
target.resource.type
|
Constant: SETTING
|
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.

