Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=ADAuditPlus

ManageEngine ADAudit Plus

Log collector

You can integrate ADAudit Plus with Sophos Central so that it sends data about security-related activity to Sophos.

This integration uses a log collector hosted on a virtual machine (VM). Together they are called a data collector. The data collector receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple instances of ADAudit Plus to the same data collector.

To do this, set up your ADAudit Plus integration in Sophos Central, then configure one ADAudit Plus instance to send logs to it. Then configure your other ADAudit Plus instances to send logs to the same Sophos data collector.

You don't have to repeat the Sophos Central part of the setup.

The key steps to add an integration are as follows:

  • Add an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your data collector.
  • Configure ADAudit Plus to send data to the data collector.

Requirements

Data collectors have system and network access requirements. To check that you meet them, see Data collector requirements.

Add an integration

To integrate ADAudit Plus with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.

  2. Click ADAudit Plus.

    If you've already set up connections to ADAudit Plus, you see them here.

  3. Click Add.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration setup steps you configure your VM to receive data from ADAudit Plus. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.

  2. Enter a name and description for the data collector.

    If you've already set up a data collector integration you can choose it from a list.

  3. Select the virtual platform. Currently we only support VMware ESXi 6.7 or later, and Microsoft Hyper-V.

    You must join the EAP to use Hyper-V.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure ADAudit Plus to send data to your data collector.

  6. Select a Protocol.

    You must use the same protocol when you configure ADAudit Plus to send data to your data collector.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the data collector. You'll need this later when you configure ADAudit Plus to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure ADAudit Plus

Now configure ADAudit Plus to send audit data to your data collector.

To do this, do as follows:

  1. In the main window, click on the Admin tab.
  2. Select SIEM Integration.
  3. Select Enable forwarding of ADAudit Plus Data.
  4. Choose ArcSight.
  5. Enter the the name of your data collector in ArcSight/CEF Server name.
  6. Choose TCP as your preferred protocol.

  7. Enter the port number of your data collector.

    You must enter the same port and protocol settings you entered in Sophos Central when you added the integration.

  8. Save the configuration and choose the categories to forward.

For more information, see SIEM Integration.