Skip to content
Find out how we support MDR.


Log collector

Darktrace learns what normal activity looks like across OT, IT and industrial IoT, allowing it to detect signs of emerging cyber-threats.

You can integrate Darktrace with Sophos Central so that it sends alerts to Sophos.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.


A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Darktrace to send data to the log collector.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Darktrace.

    If you've already set up connections to Darktrace, you see them here.

  4. In Integrations, click Add integration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from Darktrace. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter Virtual appliance name and Virtual appliance description.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Darktrace to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It might take a few minutes for the OVA file to be ready.

Deploy the VM


The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Darktrace

You now configure Darktrace to send alerts to us, using syslog forwarding.

To configure alert forwarding, do as follows:

  1. In Darktrace, go to System Config > Alerting.
  2. Set Advanced Options to True.
  3. Set CEF Syslog Alerts to True.
  4. Use the Enter key to make extra fields appear. If that doesn't work, put your cursor in a field and use Enter again.
  5. In CEF Syslog Server, enter the IP address of your syslog server, and use the Enter key.
  6. In CEF Syslog Server Port, enter the Port for your listener, and use the Enter key again.
  7. Darktrace alerts depend on how events are scored. To maximize the alerts forwarded to Sophos, make sure Minimum Alert Priority and Score are both set to 1.

Darktrace alerts should appear in the Sophos Data Lake after validation.