Sophos Web Security Appliance

The Sophos Web Security Appliance (WSA) DSM for IBM® QRadar® accepts events using syslog.

About this task

QRadar records all relevant events forwarded from the transaction log of the Sophos Web Security Appliance. Before configuring QRadar, you must configure your Sophos WSA appliance to forward syslog events.

To configure your Sophos Web Security Appliance to forward syslog events:


  1. Log in to your Sophos Web Security Appliance.
  2. From the menu, select Configuration > System > Alerts & Monitoring.
  3. Select the Syslog tab.
  4. Select the Enable syslog transfer of web traffic check box.
  5. In the Hostname/IP text box, type the IP address or host name of QRadar.
  6. In the Port text box, type 514.
  7. From the Protocol list, select a protocol. The options are:
    • TCP - The TCP protocol is supported with QRadar on port 514.
    • UDP - The UDP protocol is supported with QRadar on port 514.
    • TCP - Encrypted - TCP Encrypted is an unsupported protocol for QRadar.
  8. Click Apply.
    You can now configure the Sophos Web Security Appliance DSM in QRadar.
  9. QRadar automatically detects syslog data from a Sophos Web Security Appliance. To manually configure QRadar to receive events from Sophos Web Security Appliance: From the Log Source Type list, select Sophos Web Security Appliance.