Collect Sophos Central logs
===========================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect Sophos Central logs by using Bindplane. The parser transforms JSON logs into the Unified Data Model (UDM). It extracts fields from nested JSON structures, maps them to UDM fields, and categorizes events based on the **type** field, enriching the data with the details and actions specific to each Sophos Central event type.

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- Ensure that you have an additional Windows or Linux machine that can run Python continuously.
- If running behind a proxy, ensure that the required firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that you have privileged access to Sophos XG Firewall.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install the Bindplane agent
---------------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

       msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

       sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure the Bindplane agent to ingest Syslog and send to Google SecOps
------------------------------------------------------------------------

1. Access the configuration file:

   1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
   2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

       receivers:
         udplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:514"

       exporters:
         chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds: '/path/to/ingestion-authentication-file.json'
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           ingestion_labels:
             log_type: SYSLOG
             namespace: sophos_central
           raw_log_field: body

       service:
         pipelines:
           logs/source0__chronicle_w_labels-0:
             receivers:
               - udplog
             exporters:
               - chronicle/chronicle_w_labels

3. Replace the port and IP address as required in your infrastructure.

4. Replace `<customer_id>` with the actual customer ID.

5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/sophos-central#get-auth-file) section.

Restart the Bindplane agent to apply the changes
------------------------------------------------

- To restart the Bindplane agent in Linux, run the following command:

      sudo systemctl restart bindplane-agent

- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:

      net stop BindPlaneAgent && net start BindPlaneAgent

Configure Sophos Central API access
-----------------------------------

1. Sign in to **Sophos Central Admin**.
2. Select **Global Settings > API Token Management**.
3. Click **Add Token** to create a new token.
4. Enter a token name and click **Save**. The **API Token Summary** for the provided token is displayed.
5. In the **API Token Summary** section, click **Copy** to copy the API access URL and headers.

Install Python on the additional machine
----------------------------------------

1. Open the web browser and go to the [Python website](https://www.python.org).
2. Click **Download Python** for your operating system (Windows or Mac).
3. Install Python.

   - On Windows:
     1. Run the installer.
     2. Check the box that says **Add Python to PATH**.
     3. Click **Install Now**.
   - On Mac:
     1. Python may already be installed; if not, you can install the latest version using the terminal.
     2. Open **Terminal** and type the following command to check:

            python --version

Download the Sophos integration script
--------------------------------------

1. Go to the GitHub page for the [Sophos Central SIEM Integration GitHub Repository](https://github.com/sophos/Sophos-Central-SIEM-Integration).
2. Click the green **Code** button **> Download ZIP**.
3. Extract the ZIP file.

Set up the script configuration
-------------------------------

1. **Find** and **Open** the `config.ini` file with a text editor.
2. Edit the configuration file:
   - **API Token**: enter the API key copied earlier from Sophos Central.
   - **Syslog Server Details**: enter the details of your syslog server.
     - **Host**: enter the Bindplane IP address.
     - **Port**: enter the Bindplane port number.
     - **Protocol**: enter UDP (you can also use **TCP** or **TLS**, depending on your setup).
3. **Save** the file.

Run the script
--------------

1. Go to the script folder.

   - On Windows:

     1. Press the **Windows** key and type `cmd`.
     2. Click **Command Prompt**.
     3. Go to the script folder:

            cd C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration

   - On macOS:

     1. Go to **Applications > Utilities**.
     2. Open **Terminal**.
     3. Go to the script folder:

            cd /Users/YourName/Downloads/Sophos-Central-SIEM-Integration

2. **Run the script:**

   - Type the following command to start the script:

         python siem.py

| **Note:** The script will start fetching logs from Sophos Central and forwarding them to your syslog server in JSON format.

Automate the script to run continuously on Windows (using Task Scheduler)
-------------------------------------------------------------------------

1. Open the Task Scheduler by typing **Task Scheduler** in the Start menu.
2. Click **Create Task**.
3. In the **General** tab:
   - Name your task; for example, `Sophos Central Log Export`.
4. In the **Triggers** tab:
   - Click **New** and set the task to run **Daily** or **At startup** (depending on your preference).
5. In the **Actions** tab:
   - Click **New** and select **Start a program**.
   - Browse for the `python.exe` executable (usually found at `C:\PythonXX\python.exe`).
   - In the **Add arguments** field, type the path to the script; for example, `C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration\siem.py`.
6. Click **OK** to save the task.

Automate the script to run continuously on Mac (using Cron Jobs)
----------------------------------------------------------------

1. Open the Terminal.
2. Type `crontab -e` and press **Enter**.
3. Add a new line at the end of the file:

       * * * * * /usr/bin/python /Users/YourName/Downloads/Sophos-Central-SIEM-Integration/siem.py

   | **Note:** This will run the script **every minute**. Adjust the schedule based on your needs.
4. **Save** and exit the editor.
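The integration script hands each event to Bindplane as a syslog line carried over UDP, and the `udplog` receiver forwards the whole line to Google SecOps as the raw log body. The following is an added example (not part of this documentation or of the Sophos integration script) that exercises that hop on the loopback interface: it binds a throwaway UDP listener standing in for the `udplog` receiver, sends one constructed Sophos Central-style JSON event wrapped in an RFC 5424-style header, and checks that the JSON survives the hop intact. The event contents, the host and application names in the header, and the assumption that any single-line framing is acceptable to the receiver are all constructed for the example.

```python
"""Loopback check of the syslog-over-UDP hop between the integration
script and the Bindplane udplog receiver (added example, not project code).
"""
import json
import socket
from datetime import datetime, timezone

# Constructed sample event: field names follow the log fields named in the
# UDM mapping table on this page; the values are made up.
SAMPLE_EVENT = {
    "type": "Event::Endpoint::Threat::Detected",
    "severity": "high",
    "name": "Malware detected: 'EICAR-AV-Test' at 'C:\\Users\\demo\\eicar.com'",
    "dhost": "WKS-001",
    "suser": "WKS-001\\demo",
    "source_info": {"ip": "10.0.0.25"},
}

MAX_UDP_PAYLOAD = 65507  # largest IPv4 UDP payload; a bigger event cannot be sent in one datagram


def syslog_frame(event: dict, hostname: str = "sophos-siem-script", app: str = "siem.py") -> bytes:
    """Wrap a JSON event in an RFC 5424-style header.

    Assumption: the receiver keeps the whole line as the raw log body
    (raw_log_field: body in the exporter above), so the exact header
    layout is not parsed downstream. <14> is facility user(1)*8 + info(6).
    """
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<14>1 {ts} {hostname} {app} - - - {json.dumps(event)}".encode()


def send_event(event: dict, host: str, port: int) -> int:
    """Send one event as a single UDP datagram and return the bytes sent.

    UDP gives no delivery receipt: a return value only proves the datagram
    left this host, not that Bindplane received it.
    """
    frame = syslog_frame(event)
    if len(frame) > MAX_UDP_PAYLOAD:
        raise ValueError(f"event is {len(frame)} bytes; exceeds one UDP datagram")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame, (host, port))


def parse_frame(frame: bytes) -> dict:
    """Recover the JSON body: everything after the PROCID MSGID SD fields
    ('- - -') that precede the message in the header built above."""
    text = frame.decode()
    body = text.split(" - - - ", 1)[1]
    return json.loads(body)


def loopback_roundtrip(event: dict) -> dict:
    """Bind a listener on an ephemeral loopback port, send the event to it
    and return the JSON exactly as the receiving side decoded it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        send_event(event, "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return parse_frame(data)


if __name__ == "__main__":
    received = loopback_roundtrip(SAMPLE_EVENT)
    print("receiver saw", received["type"], "from", received["source_info"]["ip"])
```

To check the real path, call `send_event(SAMPLE_EVENT, "<bindplane-host>", 514)` from the machine that runs `siem.py` and then look for the event in the SecOps raw log search under the `sophos_central` namespace; because UDP is unacknowledged, the SIEM side is the only place that confirms arrival.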
UDM Mapping Table
-----------------

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.event_type | Determined based on the **type** field and additional logic within the parser. Possible values include: FILE_OPEN, SCAN_HOST, SETTING_MODIFICATION, STATUS_HEARTBEAT, SETTING_CREATION, NETWORK_CONNECTION, SCAN_PROCESS, SCAN_UNCATEGORIZED, USER_CREATION, USER_UNCATEGORIZED, STATUS_UPDATE. |
| | metadata.log_type | Set to SOPHOS_CENTRAL. |
| | metadata.product_event_type | Directly mapped from the **type** field. |
| | metadata.product_name | Set to Sophos Central. |
| | metadata.vendor_name | Set to Sophos. |
| | network.direction | Set to OUTBOUND for specific **type** values indicating outbound network connections. |
| | network.ip_protocol | Set to TCP for specific **type** values indicating TCP network connections. |
| | security_result.action | Determined based on the action extracted from the **name** field using grok patterns. Possible values include: ALLOW, BLOCK, ALLOW_WITH_MODIFICATION, UNKNOWN_ACTION. |
| | security_result.detection_fields.key | Set to duid when the **duid** field is present. |
| | security_result.rule_name | Extracted from the **name** field using grok patterns for specific **type** values. |
| | security_result.severity | Mapped from the **severity** field with the following mapping: low -> LOW, medium -> MEDIUM, high/critical -> HIGH. |
| | target.application | Extracted from the **name** field using grok patterns for specific **type** values. |
| | target.asset.hostname | Mapped from the **dhost** field for specific **type** values. |
| | target.file.full_path | Extracted from the **name** field using grok patterns for specific **type** values, or directly mapped from **data.core_remedy_items.items.0.descriptor** or **core_remedy_items.items.0.descriptor**. |
| | target.file.size | Extracted from the **name** field using grok patterns and converted to an unsigned integer for specific **type** values. |
| | target.hostname | Mapped from the **dhost** field for specific **type** values. |
| | target.resource.name | Set to specific values based on the **type** field, or extracted from the **name** field using grok patterns. |
| | target.resource.type | Set to specific values based on the **type** field. |
| | target.user.userid | Mapped from the **suser** field after extracting the username using grok patterns. |
| | target.url | Extracted from the **name** field using grok patterns for specific **type** values. |
| source_info.ip | principal.ip, principal.asset.ip | Directly mapped from the **source_info.ip** field. |
| suser | principal.user.userid, target.user.userid | Extracted from the **suser** field using grok patterns to remove hostname prefixes. |
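To make the mapping rules concrete, the following added example (it is not Google's Sophos Central parser and does not reproduce its grok patterns) applies the rules that the table states completely, namely the constant metadata fields, the **type** passthrough, the severity mapping, the **source_info.ip** mapping, the **duid** detection field and the hostname-prefix removal on **suser**, to a constructed event and returns a flat dict keyed by UDM path. The rules the table leaves type-dependent (rule name, file path, direction, **dhost**) are deliberately not modelled. The prefix forms it strips from **suser** (`HOST\user` and `host/user`) and the use of the **duid** value as the detection field's value are assumptions about the raw data, as is the sample event itself.

```python
"""Illustration of the documented Sophos Central -> UDM mapping rules
(added example; not the SecOps parser, whose grok patterns are not public).
"""
import re
from typing import Optional

# Severity mapping exactly as the table states; anything else is left unset.
SEVERITY_MAP = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "HIGH"}

# Assumed suser shapes: "WKS-001\alice", "WKS-001/alice" or a bare "alice".
_SUSER_RE = re.compile(r"^(?:[^\\/]+[\\/])?(?P<user>[^\\/]+)$")

# Constructed sample event (values are made up, field names follow the table).
SAMPLE_EVENT = {
    "type": "Event::Endpoint::Threat::Detected",
    "severity": "critical",
    "suser": "WKS-001\\alice",
    "source_info": {"ip": "10.0.0.25"},
    "duid": "0123456789abcdef",
}


def strip_hostname_prefix(suser: str) -> Optional[str]:
    """Return the username part of suser, dropping one host/domain prefix.
    Returns None when the value does not match the assumed shapes, so the
    caller can leave the UDM user fields unset rather than emit junk."""
    match = _SUSER_RE.match(suser.strip())
    return match.group("user") if match else None


def map_severity(severity: Optional[str]) -> Optional[str]:
    """low -> LOW, medium -> MEDIUM, high/critical -> HIGH (case-insensitive)."""
    if severity is None:
        return None
    return SEVERITY_MAP.get(str(severity).lower())


def to_udm(event: dict) -> dict:
    """Build a flat dict keyed by UDM field path from one raw JSON event."""
    udm = {
        "metadata.log_type": "SOPHOS_CENTRAL",
        "metadata.product_name": "Sophos Central",
        "metadata.vendor_name": "Sophos",
    }
    if event.get("type"):
        udm["metadata.product_event_type"] = event["type"]

    severity = map_severity(event.get("severity"))
    if severity:
        udm["security_result.severity"] = severity

    # Nested field: source_info.ip feeds both principal.ip and principal.asset.ip.
    ip = (event.get("source_info") or {}).get("ip")
    if ip:
        udm["principal.ip"] = ip
        udm["principal.asset.ip"] = ip

    # Detection field keyed "duid" when the raw field is present (value is an assumption).
    if "duid" in event:
        udm["security_result.detection_fields"] = [{"key": "duid", "value": str(event["duid"])}]

    # suser populates both principal and target user ids after prefix removal.
    if event.get("suser"):
        user = strip_hostname_prefix(event["suser"])
        if user:
            udm["principal.user.userid"] = user
            udm["target.user.userid"] = user
    return udm


if __name__ == "__main__":
    for path, value in sorted(to_udm(SAMPLE_EVENT).items()):
        print(f"{path}: {value}")
```

Running the block prints one line per populated UDM path for the sample event; feeding it a real event exported by `siem.py` shows which of the documented rules fire for that record, which is a quick way to sanity-check what a detection rule written against these fields will see.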
Last updated 2025-08-29 UTC.

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)