Documentation Center
AlienVault® USM Anywhere™

Sophos Web Security

When you configure Sophos Web Security integration to send log data to USM Anywhere, you can use the Sophos Web Security plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Sophos
Device type Web security device
Connection type syslog
Vendor link http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/
t_DSM_guide_Sophos_WSA_syslog.html

Sophos Web Security Integration

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor.

To configure Sophos Web Security to forward log data to USM Anywhere sensor

  1. Log into your Sophos Web Security appliance.
  2. From the menu, select Configuration > System > Alerts & Monitoring.
  3. Select the Syslog tab.
  4. Select Enable syslog transfer of web traffic.
  5. In the Hostname/IP field, enter the IP address or host name of the USM Anywhere sensor.
  6. In the Port text box, type 514.
  7. From the Protocol list, select UDP protocol.
  8. Click Apply.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome

  • bytes_in

  • bytes_out

  • content_category

  • destination_address

  • event_name

  • event_severity

  • plugin_device

  • request_content_type

  • request_method

  • request_url

  • request_user_agent

  • response_code

  • source_address

  • source_username

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://community.sophos.com/kb/en-us/122936