Skip to content
Find out how we support MDR.

ManageEngine ADAudit Plus

Log collector

Adds audit data regarding file permissions changes, sign-in activity and other security-related activities from ADAudit Plus.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.


A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure ADAudit Plus to send data to the log collector.

Add an integration

To integrate ADAudit Plus with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click ADAudit Plus.

    If you've already set up connections to ADAudit Plus, you see them here.

  3. Click Add integration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from ADAudit Plus. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure ADAudit Plus to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It may take a few minutes for the OVA file to be ready for download.

Deploy the VM


The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure ADAudit Plus

Now configure ADAudit Plus to send audit data to your log collector.

To do this, do as follows:

  1. In the main window, click on the Admin tab.
  2. Select SIEM Integration.
  3. Select Enable forwarding of ADAudit Plus Data.
  4. Choose ArcSight.
  5. Enter the the name of your VM in ArcSight/CEF Server name.
  6. Choose TCP as your preferred protocol.
  7. Enter the port number of your VM.
  8. Save the configuration and choose the categories to forward.

For more information, see SIEM Integration.