UDLA - Sophos Endpoint Security and Control
Sophos Endpoint Security Control can be configured to store its event logs in a Microsoft SQL database.
Device Details
Vendor | Sophos |
Device Type | Endpoint Security and Control |
Supported Model Name/Number | Sophos Endpoint Security and Control |
Supported Software Version(s) | Sophos Endpoint Security and Control (Windows) 10.8.1 |
Collection Method | UDLA |
Configurable Log Output? | Yes |
Log Source Type | UDLA - Sophos Endpoint Security and Control |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | The .config files provide a method for customizing field labels in the log output. By default, this should be left unchanged. Supported is available with the default configuration. |
Prerequisites
Collection from a Microsoft SQL database requires:
- A Universal Database Log Adapter (UDLA) Log Source
- A LogRhythm Agent to collect the logs
- Access to the Microsoft SQL database that Sophos Endpoint Security Control uses for storing event logs
Identify the following prior to configuration:
- The IP address and hostname of the Microsoft SQL Database Server used by Sophos Endpoint Security Control.
- Account and password to be used by LogRhythm for accessing the Sophos Endpoint Security Control log data on the Microsoft SQL Database Server, if necessary.
- The LogRhythm System Monitor Agent that will be used to collect the logs from Sophos Endpoint Security Control.
For more information, see https://www.sophos.com/en-us/products/secure-web-gateway/tech-specs.aspx.
Configure Sophos Endpoint Security Control
An account that the LogRhythm agent can use to access the Microsoft SQL database must be available. We recommend using or creating an account that has read-only access into the tables required for collection.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The agent does not need to reside on the Sophos Endpoint Security Control but does need to be able to establish a network ODBC connection.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Sophos Endpoint Security and Control Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA – Sophos Endpoint Security Control. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
In the Connection String box, change the placeholder values to match your deployment.
- If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly. - When the test passes, close the Test dialog box.