Initialize the Sophos Central Beat

This guide outlines the steps required to initialize the Sophos Central Beat using the Open Collector.

Prerequisites

  • The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

  • The ClientID and ClientSecret keys obtained from the Sophos web console during the steps outlined in Configure Sophos Central.

  • The following port is open:

    Direction   Port   Protocol   Source
    Outbound    443    HTTPS      sophoscentralbeat

The steps outlined in this guide describe the Sophos Central Beat setup process using a Client ID and Client Secret, which are required to configure Sophos Central Beat version 7.0.0 and later. If you are currently using Sophos Central Beat version 6.0.3 or earlier, upgrade to Sophos Central Beat version 7.0.0 (or later) together with LRCTL version 6.6.0 (or later).

When upgrading to Sophos Central Beat version 7.0.0 or later, stop all existing instances before starting a new one. Versions 7.0.0 and later are not backward compatible with the 6.x.x series.

These steps were also updated for LogRhythm SIEM version 7.21. Creating a Sophos Central Beat instance in the Web Console on a SIEM version prior to 7.21 causes the beat to function incorrectly.

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

     Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. To confirm the Open Collector is running, run the following command:

    ./lrctl status
    

    You should see the open_collector and metrics versions.

    If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.

  2. In the Open Collector, run the following command:

    ./lrctl sophoscentralbeat start
    
  3. Select New sophoscentralbeat instance and provide a unique name.

  4. Enter the following details. The ClientID and ClientSecret configuration fields are stored in encrypted form.

    1. Enter the ClientID for the Sophos Central Beat.

    2. Enter the ClientSecret for the Sophos Central Beat.

  5. Save the configuration.
    The Sophos Central Beat service starts.

  6. To check the status of the service, run the following command:

    ./lrctl sophoscentralbeat status
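The following pre-flight script ties the prerequisites and the command-line steps above together. It is an added example, not part of the LogRhythm documentation or of lrctl itself. It checks the three things that most often cause a freshly started beat to fail: the Open Collector is not healthy (the page says ./lrctl status should list the open_collector and metrics versions), a ClientID or ClientSecret pasted from the Sophos console carries stray whitespace, and outbound 443/HTTPS is blocked. The page does not name the Sophos Central API host, so the script takes it from SOPHOS_HOST; that variable, SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET are assumptions for this example.

```bash
#!/usr/bin/env bash
# Pre-flight checks to run on the Open Collector host before
# "./lrctl sophoscentralbeat start". Added example; not part of the
# LogRhythm documentation or of lrctl itself.

# status_ok STATUS_TEXT
# Pass in the captured output of "./lrctl status". Returns 0 when both
# the open_collector and metrics entries appear, 1 otherwise.
status_ok() {
  out="$1"
  printf '%s\n' "$out" | grep -q 'open_collector' || return 1
  printf '%s\n' "$out" | grep -q 'metrics' || return 1
  return 0
}

# clean_credential VALUE
# A ClientID or ClientSecret copied from the Sophos console often carries
# a trailing newline or space; the beat would store that value (encrypted)
# and authentication would fail. Prints the value with surrounding
# whitespace removed, or returns 1 if nothing is left.
clean_credential() {
  v="$1"
  v="${v#"${v%%[![:space:]]*}"}"   # strip leading whitespace
  v="${v%"${v##*[![:space:]]}"}"   # strip trailing whitespace
  [ -n "$v" ] || return 1
  printf '%s' "$v"
}

# check_outbound HOST PORT
# Prerequisite from the page: outbound 443/HTTPS must be open for the
# beat. Opens a TCP connection with bash's /dev/tcp under a 5 s limit and
# returns 0 on success, non-zero otherwise. Needs no extra tooling.
check_outbound() {
  host="$1"; port="$2"
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# main: run all checks against the real host. SOPHOS_HOST,
# SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET are assumed environment
# variables for this example; the page does not define them.
main() {
  : "${SOPHOS_HOST:?set SOPHOS_HOST to the Sophos Central API host}"
  clean_credential "${SOPHOS_CLIENT_ID:-}" >/dev/null \
    || { echo "ClientID is empty or only whitespace" >&2; return 1; }
  clean_credential "${SOPHOS_CLIENT_SECRET:-}" >/dev/null \
    || { echo "ClientSecret is empty or only whitespace" >&2; return 1; }
  check_outbound "$SOPHOS_HOST" 443 \
    || { echo "outbound TCP 443 to $SOPHOS_HOST is blocked" >&2; return 1; }
  status_ok "$(./lrctl status 2>&1)" \
    || { echo "Open Collector not healthy; see Troubleshoot the Open Collector" >&2; return 1; }
  echo "pre-flight OK; run ./lrctl sophoscentralbeat start"
}

# Run the checks only when invoked as "preflight.sh run", so the
# functions can also be sourced from other scripts.
[ "${1:-}" = "run" ] && main
```

Run it from the Open Collector directory as SOPHOS_HOST=... SOPHOS_CLIENT_ID=... SOPHOS_CLIENT_SECRET=... ./preflight.sh run. Pass the cleaned values, not the raw pasted ones, when the ./lrctl sophoscentralbeat start prompts ask for the ClientID and ClientSecret.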
    

Default Config Values for Sophos Central Beat

S. No.   Field Name          Default Value
1.       period              7s
2.       HeartbeatInterval   1m0s
3.       HeartbeatDisabled   false
4.       ClientID            User Provided
5.       ClientSecret        User Provided