Skip to content

Installer command-line options for Linux

The Sophos Protection for Linux (SPL) installer allows you to use command-line options and environment variables to modify the installation.


Environment variables go before the installer command and command-line options go after it. See Linux examples.


Before you install SPL, you must download from Sophos Central and make the file executable. See Download and run the Linux Server installer.

Your Linux devices must be able to communicate with Sophos Central Admin during installation and while the Server Protection agent is running. See Domains and ports to allow.

Environment variables

You can use environment variables to customize your environment during installation.


You must enter environment variables before running the installer. See Linux examples.


Sets a different temporary directory for the installer to use during the installation process. You can use this while running when /tmp on a device isn't mounted as executable.

TMPDIR=<path to directory>


This environment variable only sets the path to a temporary directory for the installer. It doesn't change the installation directory. See Installation directory.

Debug thin installer

Run in debug mode for troubleshooting. Use this when Sophos Support asks for logs. 1 is on, and 0 is off.


To collect the output in a log file, you must redirect the output to a file or set OVERRIDE_INSTALLER_CLEANUP to 1. See Linux examples.


For help resolving installation errors, see Troubleshooting Sophos Protection for Linux.

Override installer cleanup

Prevents the installer from deleting /tmp/SophosCentralInstall_<uuid> after installation. You can use the installation logs in this directory for troubleshooting. 1 is on, and 0 is off.


Basic Linux command-line options


You enter command-line options after the command.


Shows the help text.



Shows the version of



Forces the installation even if the installer detected that Sophos products are already on the device. You can use this command to attempt to fix a broken installation.



Adds the device to a specific group in Sophos Central. You can also use this option to add the device to a subgroup.

  • --group=<Central group>
  • --group=<Central group>\<Central subgroup>

Trailing arguments

The group or subgroup to join. If it doesn't exist, the installer creates it.

Uninstall Sophos Anti-Virus for Linux

Stops the SAV service and uninstalls Sophos Anti-Virus for Linux. You can use this before installing Sophos Protection for Linux.

Sophos Protection for Linux installation isn't compatible with Sophos Anti-Virus for Linux. You must uninstall Sophos Anti-Virus for Linux before you install Sophos Protection for Linux.



Runs the pre-installation checks and prints the results. Doesn't install SPL.



You can get more details by running the installer in debug mode. See Debug thin installer.

No test

Installs SPL without running any pre-installation checks. You can use this when the pre-installation checks prevent the installer from running in an environment that meets the system requirements.


Advanced Linux command-line options

The Server Protection for Linux installer supports advanced command-line options. You can use these to customize your installation.


Specifies a list of products to install. If you specify a product you don't have a license for, it isn't installed.

--products=<comma-separated list of products>

Trailing arguments

A list of products to install, separated by commas.

Available options are antivirus, mdr, and xdr.

Installation directory

By default, SPL installs to /opt/sophos-spl/. This command creates /sophos-spl/ in the specified directory and installs SPL to that location.

--install-dir=<path to installation directory>

Trailing arguments

The path where you want the installer to create the /sophos-spl directory.


If the /sophos-spl directory already exists in that location or SPL is installed in another location on the Linux device, the installation will fail.

User ID

Sets the User IDs (UID) for the Sophos user accounts created during installation.


Trailing arguments

Comma-separated list of user IDs you want to configure in the following format:

<user1>:<uid1>,<user2>:<uid2>,<user3>:<uid3>, and so on.


This command only affects the Sophos user accounts, sophos-spl-av, sophos-spl-local, sophos-spl-threat-detector, sophos-spl-updatescheduler, and sophos-spl-user. The command ignores all other user accounts.

Group ID

Sets the group ID (GID) for the Sophos groups created during installation.

--group-ids-to-configure=<group name>:<gid>

Trailing arguments

Comma-separated list of GIDs you want to assign in the following format:



This command only affects the Sophos groups, sophos-spl-group and sophos-spl-ipc. The command ignores all other groups.

Linux examples

Uninstall Sophos Anti-Virus for Linux and install Sophos Protection for Linux:

sudo ./ --uninstall-sav

Install into a subgroup:

sudo ./ --group=LinuxServers\MailServers

Set the temporary directory to /sophostmp and install SPL into the /serverprotection/sophos-spl/ directory:

sudo TMPDIR=/sophostmp ./ --install-dir=/serverprotection

Run the pre-installation checks and print the output without installing SPL:

sudo ./ --test

Turn off installer cleanup, turn debug mode on, run the installer using the verbose shell option, combine stderr and stdout into the stdout stream, and write the output to install.log:

sudo OVERRIDE_INSTALLER_CLEANUP=1 DEBUG_THIN_INSTALLER=1 bash -x ./ 2>&1 | tee install.log

Message relays and update caches includes a list of all relays and caches configured in Sophos Central.

During installation, the Linux device compares the IP addresses of all the message relay and update cache servers to the device's IP address and orders them according to how closely they match. For example, if the Linux device is, and the message relays are and, the device will contact first because it's numerically closer. The installer uses the closest cache to install Sophos Protection for Linux and the closest relay to communicate with Sophos Central. If the Linux device can't reach any cache or relay, it contacts Sophos Central directly.

You can override this behavior using the --message-relays and --update-caches commands. These commands change the behavior during installation and force the installer to use the message relays and update caches you specify. After installation, the agent will leverage the closest message relay and update cache for communications.

You can also manually assign a Linux device to a message relay or update cache in Central. See Assign computers to a cache/relay.

Message relay

You can use this command to override the installer's built-in list of message relays.

--message-relays={none | <ipaddress:port>...}

Here's an example:



The default port for message relays is 8190.

Trailing arguments

Comma-separated list of message relay IP addresses, including the port, in the following format:


Use none if you want the Linux device to contact Sophos Central directly.

Update cache

You can use this command to override the installer's built-in list of update caches.

--update-caches={none | <ipaddress:port>...}

Here's an example:



The default port for update caches is 8191.

Trailing arguments

Comma-separated list of update cache IP addresses, including the port, in the following format:


Use none if you want the Linux device to contact Sophos Central directly.

Sophos Protection for Linux and auditd

By default, we turn off auditd. This means that you can query historical event data in Live Discover. However, if you turn off auditd, you won't receive audit events in your systemd journal logs. You normally access these logs using the journalctl command.

Turning off auditd can affect third-party tools that utilize audit events in the system journal logs. If needed, you can turn on auditd using --do-not-disable-auditd. However, this reduces the data you can query, as it won't contain historical event data. Some examples of historical event data that this affects are as follows:

  • Some evented tables when running endpoint queries with Live Discover.
  • Some Data Lake queries that leverage event information may also be affected.

Turning off auditd doesn't affect all historical data. Non-evented tables are still accessible on the endpoint. In addition, AV runtime detection event data and other Data Lake queries in Live Discover will still function.

Uninstalling Sophos Protection for Linux doesn't change your auditd setting. If you've turned off auditd, it remains turned off. Re-registering the product won't change the auditd settings.

You can use the following commands to manage auditd settings during installation:

Disable auditd

Turns off auditd on the device so that Sophos Protection for Linux can subscribe to the audit netlink and provide historical event data for Live Discover. This is set by default.


Do not disable auditd

Turns auditd on or leaves it on if it's already on. Using this option reduces the data you can query because it won't contain historical event data.