Sophos Central Beat Collection
Prerequisites
Before initializing the Sophos Central Beat, do the following:
- Make sure that the customer is an LRCloud customer and has their environment hosted.
- Check if the Open Collector has been installed in the customer's LRCloud environment on a separate instance. If not, an Open Collector instance must be requested via a support case.
- Ensure that the Open Collector log source has been accepted.
- Make sure that the API Token is generated to provide the configuration keys.
- Check if the required keys (such as API Key), Authorization, and the API Base URL are passed while configuring Sophos Central Beat.
Apply the Log Source Virtualization Template
- Log in to the Client Console in Cameyo.
- Click Deployment Manager from the toolbar.
- Click the Log Sources tab.
- Double-click the required Open Collector Log Source (such as, {instance}-opencollector.c.e3-hub-753dd405.internal Open Collector).
The Log Message Source Properties window appears. - Click the Log Source Virtualization tab.
- If not checked, select the Enable Virtualization check box.
- Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears. - In the Virtual Log Sources menu, check the Action check box corresponding to "Syslog - Open Collector - Sophos Central" and "Syslog - Open Collector - SophosCentralBeat Heartbeat" log source types.
- Click Save.
The Virtual Log Source(s) created prompt appears. - Click Ok.
- Click Apply.
- Click Ok.
The new Log Sources will appear in the grid as children of your parent log source. - Click the System Monitors tab.
- Select the Action check box corresponding to the (customerid)-dpawc agent.
- Right-click the selection, click Actions and then click Service Restart.
Initialize the Beat
- Log in to the Web Console as a Restricted Administrator User.
- On the top navigation bar, click the Administration icon and select Cloud Log Collection.
- At the top of the Cloud Log Collection page, click New Log Source.
The New cloud log collection dialog box appears. - Select the Sophoscentral - Open Collector tile.
The Add Sophoscentral Log Source window appears. Enter the following details:
Setting Description Name Enter the name for this log source. Description (Optional) Enter a description for this log source. API Key Enter the x-api-key value from the generated API token (for example, 0123456a7-ab12-ab12-12ab-ABCDE1234567)
Authorization Enter the Basic Authorization value from generated API token. The authorization value is the term "Basic", a space and a string 100 characters long
(for example, Basic 0123456a7ab12ab1212abABCDE1234567..)
API Access URL Enter the API Access URL from generated Token (for example, api5.central.sophos.com/gateway)
Depending on the URL used, https:// may need to be added at the beginning for the connection to work.
For example, https://api5.central.sophos.com/gateway.
APIBaseURL
Enter the API Base URL from generated token.
- Click Save.
- Log in to the Client Console in Cameyo.
- Click Deployment Manager from the toolbar.
- Click the System Monitors tab.
- Select the Action check box corresponding to the dpwac agent.
- Right-click the selection, click Actions and then click Service Restart.
A new log source is created with the provided information based on the virtualized log source that was already created. Collection should start automatically in few minutes.
The Open Collector hosts the log sources. It is recommended to create a new host entity and move the log source to the new host which is done in the log source properties screen and not from the log source grid.
For security, the values entered are encrypted using LRCrypt.
Default Config Values for Sophos Central Beat
Setting | Field Name | Default Value |
---|---|---|
1 | period | 7s |
2 | HeartbeatInterval | 1m0s |
3 | HeartbeatDisabled | false |