
UDLA - Sophos Anti-Virus

Sophos Anti-Virus stores its event logs in a Microsoft SQL database. This database is typically included on the Sophos Anti-Virus server.


Identify the following prior to configuration:

  • The IP address and/or hostname of the Microsoft SQL database server from which logs will be collected.
  • The database login credentials of the user account the LogRhythm Agent should use to connect to the database.
  • The LogRhythm Agent to be used for collecting the audit data from the Microsoft SQL database.

Configure Sophos Anti-Virus

Make an account available that the LogRhythm Agent can use to access the Microsoft SQL database. This can be the default “sa” account, an account created with administrator access to be used for LogRhythm, or domain credentials.

Configure the ODBC Driver for Sophos Anti-Virus

Sophos Anti-Virus logs are accessed by LogRhythm via an ODBC driver. Before configuring the UDLA log source in LogRhythm, the recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.

  • Name. SQL Server
  • Company Name. Microsoft Corporation
  • Version. 2000.85.1132.00
  • Date. 4/13/2008
  • Download Location. pre-installed

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. A LogRhythm System Monitor Agent is used to collect Sophos Anti-Virus logs. The Agent does not need to reside on the Sophos Anti-Virus server, but it does need to be able to establish a network ODBC connection.

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

Before you begin, download the Sophos Antivirus XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.

The name of the log message source is UDLA – Sophos Anti-Virus. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the UDLA Settings tab, enter the following:
    • Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.

      In the Connection String box, ensure that you change the placeholder values to those matching your deployment.

    • If you want to validate the current settings, click Test.
      If the test fails, verify the connection settings and that all values were entered correctly.
    • When the test passes, close the Test dialog box.
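
A pre-import check for the Connection String step above, as an added example that is not LogRhythm's code: it parses an ODBC connection string and reports unreplaced placeholders, a driver other than SQL Server, and use of the “sa” login. The placeholder patterns, the sample strings, and the mapping of domain credentials to Trusted_Connection=Yes are assumptions, since the page does not show the contents of the XML file.

```python
import re

# Assumed placeholder styles; the page does not show the ones used in the XML file.
PLACEHOLDER = re.compile(r"^<.*>$|^\[.*\]$|^(x{3,}|changeme|placeholder)$", re.I)

def parse_odbc(conn_str):
    """Split an ODBC connection string into a dict with lower-cased keys."""
    pairs = {}
    # A value may be wrapped in {braces}, in which case it can contain ';'.
    pattern = r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)\s*(?:;|$)"
    for m in re.finditer(pattern, conn_str):
        key, value = m.group(1).lower(), m.group(2).strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        pairs[key] = value
    return pairs

def lint(conn_str):
    """Return a list of findings; an empty list means nothing was flagged."""
    kv = parse_odbc(conn_str)
    findings = []
    if kv.get("driver", "").lower() != "sql server":
        findings.append("driver: expected the 'SQL Server' driver named in this guide")
    for key in ("server", "database"):
        if not kv.get(key):
            findings.append(f"{key}: missing")
    for key, value in kv.items():
        if PLACEHOLDER.match(value):
            findings.append(f"{key}: placeholder value not replaced")
    # Assumption: domain credentials are expressed as Trusted_Connection=Yes.
    trusted = kv.get("trusted_connection", "").lower() in ("yes", "true")
    user = kv.get("uid", "")
    if trusted and (user or kv.get("pwd")):
        findings.append("uid/pwd: mixed with Trusted_Connection=Yes; pick one mode")
    if not trusted and not user:
        findings.append("uid: no SQL login and no Trusted_Connection=Yes")
    if user.lower() == "sa":
        findings.append("uid: 'sa' is the built-in sysadmin login; "
                        "a dedicated account limits exposure")
    return findings

# Constructed sample strings (hostnames, database name and secrets are made up).
TEMPLATE = "Driver={SQL Server};Server=<server>;Database=<database>;Uid=<user>;Pwd=<password>;"
FILLED = ("Driver={SQL Server};Server=db01.example.internal;Database=EXAMPLE_DB;"
          "Uid=svc_logrhythm;Pwd=constructed-secret;")
USES_SA = "Driver={SQL Server};Server=10.0.0.5;Database=EXAMPLE_DB;Uid=sa;Pwd=constructed-secret"

if __name__ == "__main__":
    for name, s in (("template", TEMPLATE), ("filled", FILLED), ("sa", USES_SA)):
        print(name, lint(s) or "no findings")
```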