Go to Settings >> Configuration from the navigation bar and click Normalization Policies.
At the top left, click Add.
Enter a Policy Name.
In Compiled Normalizers, select the required compiled normalizer(s).
In Normalization Packages, select the required normalization package(s).
Click Submit.
Adding a Normalization Policy
Go to Settings >> Configuration from the navigation bar and click Devices.
At the top left, click Add.
Enter a device Name.
Enter the IP address(es) of the Sophos server.
Select the Device Groups.
Select an appropriate Log Collection Policy for the logs.
Select a collector or a forwarder in the Distributed Collector drop-down menu.
Note
Selecting the Device Groups, the Log Collection Policy and the Distributed Collector is optional.
Select a Time Zone.
Note
The time zone of the device must be the same as that of its log source.
Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.
Click Submit.
Creating Sophos as a Device
Go to Settings >> Configuration from the navigation bar and click Devices.
Search for the previously added device.
Click the Add icon from Actions.
Click Syslog Collector on AVAILABLE COLLECTORS FETCHERS.
Select the Syslog Collector.
Configuring the Syslog Collector
Select the Processing Policy which contains the normalization policy you added previously.
Select the Charset.
In PROXY SERVER, select None.
Click Submit.
Available Collectors and Fetchers