USM Anywhere™

Sophos Web Security

When you configure Sophos Web Security integration to send log data to USM Anywhere, you can use the Sophos Web Security plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Sophos
Device type Web security device
Connection type syslog
Vendor link

Sophos Web Security Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To configure Sophos Web Security to forward log data to USM Anywhere sensor

  1. Log in to your Sophos Web Security appliance.
  2. From the menu, select Configuration > System > Alerts & Monitoring.
  3. Select the Syslog tab.
  4. Select Enable syslog transfer of web traffic.
  5. In the Hostname/IP field, enter the IP address or host name of the USM Anywhere sensor.
  6. In the Port text box, type 514.
  7. From the Protocol list, select UDP protocol.
  8. Click Apply.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome

  • bytes_in

  • bytes_out

  • content_category

  • destination_address

  • event_name

  • event_severity

  • plugin_device

  • request_content_type

  • request_method

  • request_url

  • request_user_agent

  • response_code

  • source_address

  • source_username


For troubleshooting, refer to the vendor documentation: