Sophos Central Integration with Wazuh

On November 22, 2023

This blog describes the integration of Sophos Central with Wazuh. The integration will enable organizations to gain greater visibility into their network security by centralizing and correlating security data from multiple sources. We will provide step-by-step instructions on how to integrate Sophos Central with Wazuh and showcase some of the use cases and dashboards available in the integrated solution.

What Is Sophos Central?

Sophos Central is a cloud-based management platform offered by Sophos, a leading provider of cybersecurity solutions. Sophos Central provides a unified console for managing a variety of Sophos security products, including endpoint protection, server protection, mobile security, email security, encryption, and web protection, among others.

With Sophos Central, IT administrators can deploy and manage multiple security products from a single dashboard, providing a comprehensive and coordinated approach to security management. The platform includes features such as asset management, policy configuration, threat analysis, and reporting, providing a complete overview of an organization’s security posture.

Sophos Central also integrates with third-party tools and services, allowing for greater customization and flexibility in security management. Overall, Sophos Central offers a streamlined and efficient way to manage security across an organization’s entire network, from endpoint to cloud.

Architecture of Sophos and Wazuh Integration

Sophos can be integrated with Wazuh, an open-source security monitoring platform, to provide a comprehensive security solution for an organization’s network. The integration architecture typically involves the following components:

Sophos Endpoint Protection: Sophos Endpoint Protection provides real-time protection against malware and other threats on endpoints such as laptops, desktops, and servers.

Wazuh Agent: The Wazuh Agent is installed on each endpoint to collect and forward security data to the Wazuh server.

Wazuh Server: The Wazuh server receives and analyses security data from the Wazuh agents and other sources such as network devices and cloud services.

Integration Module: The integration module connects Sophos Endpoint Protection to the Wazuh server, allowing Sophos security events to be forwarded to the Wazuh server for analysis.

Wazuh (SIEM): The Wazuh server can forward security events to a SIEM platform such as Elastic Stack or Splunk for further analysis and correlation with other security data.

The integration between Sophos and Wazuh enables organizations to gain greater visibility into their network security by centralizing and correlating security data from multiple sources. This can help to improve threat detection and response times, as well as provide insights for security investigations and compliance reporting.

Integration Steps of Sophos and Wazuh

1. Install the Wazuh agent: Install the Wazuh agent on the endpoint where you have installed Sophos Endpoint Protection. You can follow the installation instructions for your operating system from the Wazuh documentation.

2. Configure the Wazuh agent: After installing the Wazuh agent, you need to configure it to forward security data to the Wazuh server. You can modify the Wazuh agent configuration file /var/ossec/etc/ossec.conf to set up the agent to communicate with the Wazuh server.

3. Install the Sophos Integration Module: Download and install the Wazuh Sophos integration module from the Wazuh. The integration module is a script that parses Sophos Endpoint Protection log files and forwards them to the Wazuh server for analysis.

4. Configure the Integration Module: After installing the integration module, you will need to modify its configuration file to specify the location of the Sophos log files and the Wazuh server IP address. The configuration file is located at /var/ossec/etc/ossec.conf on the Wazuh server.

5. Restart the Wazuh server: Once the Wazuh agent and integration module are configured, you will need to restart the Wazuh services to apply the changes. You can restart the Wazuh services by running the command systemctl restart wazuh-manager on the Wazuh server.

6. Post integration: After completing the integration, you can verify that Sophos Endpoint Protection events are being forwarded to the Wazuh server by checking the Wazuh logs or the Wazuh user interface.
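
A pre-restart check for steps 2 and 4, added here as an example (it is not part of the original post, nor Wazuh or Sophos code): it parses an ossec.conf and confirms that a server address is set and that a <localfile> entry points at the Sophos log. The Sophos log path, the JSON log format, the sample address and the function name check_ossec_conf are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the manager address and Sophos log path are placeholders.
SOPHOS_LOG = "/path/to/sophos-events.json"
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <client>
    <server>
      <address>192.0.2.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/path/to/sophos-events.json</location>
  </localfile>
</ossec_config>
"""

def check_ossec_conf(conf_text, sophos_log, log_format="json"):
    """Return a list of problems; an empty list means the checks passed."""
    # ossec.conf may hold several <ossec_config> blocks: wrap them in one root.
    try:
        root = ET.fromstring("<root>" + conf_text + "</root>")
    except ET.ParseError as exc:
        return [f"ossec.conf is not well-formed XML: {exc}"]
    problems = []
    addresses = [(a.text or "").strip() for a in root.iterfind(".//client/server/address")]
    if not any(addresses):
        problems.append("no <client><server><address>: agent cannot reach the server")
    entries = [lf for lf in root.iter("localfile")
               if (lf.findtext("location") or "").strip() == sophos_log]
    if not entries:
        problems.append(f"no <localfile> entry for {sophos_log}")
    elif all((lf.findtext("log_format") or "").strip() != log_format for lf in entries):
        problems.append(f"<localfile> for {sophos_log} does not use log_format {log_format}")
    return problems

if __name__ == "__main__":
    # On a real agent, read /var/ossec/etc/ossec.conf instead of the sample.
    for line in check_ossec_conf(SAMPLE_OSSEC_CONF, SOPHOS_LOG) or ["ossec.conf checks passed"]:
        print(line)
```

Run it against the edited file before restarting the Wazuh services, so a malformed or incomplete configuration is caught before the restart.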

Use cases

Sophos Endpoint Protection provides comprehensive security for endpoints, including laptops, desktops, servers, and mobile devices. It includes features such as antivirus, web filtering, device control, application control, and endpoint detection and response (EDR).

Integrating Sophos with Wazuh can enhance an organization’s security posture by combining the strengths of both platforms. The integration can help organizations detect and respond to threats more effectively and efficiently, thereby reducing the risk of a successful cyber-attack. The use cases and dashboards available in the integrated solution provide greater visibility into network security.