
Source of Firewall Events - SEC 5.1

Hello,

We are using SEC 5.1 with Data Protection Suite. While we can see all the firewall events from within the console, we do not see the source machine for each event.

While looking around the Sophos server I noticed a few SQL files and have looked through the SOPHOS51 database, which seems to hold most of the information on events, but nothing to link them to a particular endpoint.

Does anyone know of a way to accomplish what I am looking for?

Thanks,

M172

  • Hi,

    Do you just need to join tables together, e.g. for incoming alerts for a computer called 'ComputerA':

    SELECT c.name, e.*, f.* FROM [SOPHOS51].[dbo].[ComputersAndDeletedComputers] AS c
    INNER JOIN [SOPHOS51].[dbo].[Events] AS e ON e.ComputerID = c.ID
    INNER JOIN [SOPHOS51].[dbo].[Events_FirewallData] AS f ON e.ID = f.EventID
    AND f.Direction = 1 -- incoming
    AND c.name = 'ComputerA'

    Just select the columns you need.

    The SRI (Sophos Reporting Interface, /search?q=8285) has a view called vEventsFirewallData; this would be the more supported way of accessing the data. Again, in this instance you would want to join on the view vComputerHostData, e.g.:

    SELECT c.*, f.* FROM [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] AS c
    INNER JOIN [SOPHOS51].[Sophos Reporting Interface].[vEventsFirewallData] AS f
    ON f.ComputerID = c.ComputerID
    AND f.DirectionText = 'Incoming'
    AND c.Name = 'ComputerA'

    SEC 5.1 has the reporting interface installed by default, so the views will exist.

    Regards,

    Jak

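Building on the view-based query in the reply above, the following is an added example (not from the original thread or from Sophos) that turns the per-computer filter into a fleet-wide summary: it counts firewall events per endpoint and direction through the same Sophos Reporting Interface views, using a LEFT JOIN so endpoints that have reported no firewall events still appear with a count of zero. It assumes only the columns the thread already names (ComputerID, Name, DirectionText).

```sql
-- Added example: firewall event counts per endpoint and direction via the
-- Sophos Reporting Interface views (vComputerHostData, vEventsFirewallData).
-- Assumes the column names shown in the thread: ComputerID, Name, DirectionText.
SELECT
    c.Name                            AS ComputerName,
    COALESCE(f.DirectionText, 'None') AS Direction,      -- 'None' for endpoints with no events
    COUNT(f.ComputerID)               AS FirewallEventCount  -- counts only matched event rows
FROM [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] AS c
LEFT JOIN [SOPHOS51].[Sophos Reporting Interface].[vEventsFirewallData] AS f
    ON f.ComputerID = c.ComputerID
GROUP BY c.Name, f.DirectionText
ORDER BY FirewallEventCount DESC, c.Name;
```

Endpoints at the top of the result are the ones generating the most firewall events; a row with Direction 'None' and a count of 0 identifies a machine that has not reported any, which is worth checking separately.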