Sophos Enterprise Console and Syslog (and/or SIEM) server

Hello all,

I have a question about SEC, logs and syslog. I would like to send every log by syslog to a syslog server and/or SIEM. I've seen this:
/search?q= 8285

I would like to ask you some questions:
1 - Do I understand correctly? Both of these modules can send (actually, mostly Sophos Reporting Log Writer, but it needs Sophos Reporting Interface, if I understand) logs to a syslog server/SIEM?

2 - If yes, is this the only solution, or are there other applications which could do that? If no, how could I send every SEC log by syslog?

3 - (the last :) ) Where are the SEC logs? The SEC application logs are in the Windows Event Viewer, and logs about viruses, clients, RMS etc. are in the database? Or could I find them in text files?

I hope I was clear.

Thank you in advance

Wagab

  • Hi,

    The Sophos Reporting Interface (SRI) is really a number of views and functions in the database you can query that should be maintained from version to version and occasionally extended to provide more data.

    http://www.sophos.com/en-us/support/documentation/reporting-interface.aspx?platform=Version-5-1#Version-5-1

    Prior to version 5 of Enterprise Console you had to install the interface into the "Core" database, but now the SQL views and functions are just created when you install the database component.

    The additional piece you can still install is the Sophos Log Writer. This is a Windows service and config file that can be run local or remote to the database; it calls the SQL functions and will dump the data to text files. The idea being that these files can be consumed by an application such as Splunk.

    http://www.sophos.com/en-us/support/documentation/reporting-log-writer.aspx#

    The logs of SEC don't really provide much data beyond maybe the service starting, messages being sent, etc. If you want data on events, status, etc., you have to go to the database, and for that the SRI is the only supported interface.

    Hope this helps.

    Regards,

    Jak

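The answer above leaves a gap for the original question: the Log Writer produces text files, not syslog, so something still has to pick those files up and ship them to the SIEM. As an added example (not Sophos code and not from this thread), here is a small Python tail-and-forward script that wraps each newly appended line in an RFC 3164 syslog packet and sends it over UDP; the Log Writer file layout, field order, host names and the `local0`/`info` priority are all assumptions.

```python
"""Tail a Log Writer style text file and forward each new line as RFC 3164 syslog over UDP.
Added example: the real Sophos Log Writer file layout is assumed, not taken from documentation."""
import socket
from datetime import datetime

FACILITY_LOCAL0 = 16   # RFC 3164 facility code for local0 (assumed choice for forwarded app logs)
SEVERITY_INFO = 6      # RFC 3164 severity code for "informational"


def syslog_line(msg, hostname="sec-server", tag="SophosLogWriter",
                facility=FACILITY_LOCAL0, severity=SEVERITY_INFO, now=None):
    """Wrap one text line as an RFC 3164 packet: <PRI>TIMESTAMP HOST TAG: MSG."""
    now = now or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 timestamps pad a single-digit day with a space ("Mar  5"), not a zero.
    return f"<{pri}>{now:%b} {now.day:>2} {now:%H:%M:%S} {hostname} {tag}: {msg}"


def udp_sender(host, port=514):
    """Return a callable that ships one syslog packet to host:port over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda packet: sock.sendto(packet.encode("utf-8"), (host, port))


def forward_new_lines(path, offset, send):
    """Forward lines appended to `path` since byte `offset`; return (new_offset, lines_sent).
    A trailing partial line is left for the next pass so half-written records never go out."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1          # 0 when no complete line is available yet
    sent = 0
    for raw in data[:end].splitlines():
        line = raw.decode("utf-8", errors="replace").strip()
        if line:
            send(syslog_line(line))
            sent += 1
    return offset + end, sent


if __name__ == "__main__":
    # Constructed sample file standing in for a Log Writer dump; the fields are invented.
    sample = "constructed_logwriter_sample.txt"
    with open(sample, "w", encoding="utf-8") as f:
        f.write("2024-03-05 09:07:01\tWS01\tThreat detected\tquarantined\n")
        f.write("2024-03-05 09:07:09\tWS02\tUpdate succeeded\n")
    # `print` stands in for udp_sender("siem.example.internal", 514) so the demo runs offline.
    offset, count = forward_new_lines(sample, 0, print)
    print(f"forwarded {count} line(s), next offset {offset}")
```

In a real deployment the offset would be persisted between runs (or the script run under a loop/scheduler) so a restart does not resend the whole file.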