Configure Log Writer

Follow these instructions to configure the log writer.

The Configuration Files folder is located in the Log Writer's installation folder. The folder contains an example configuration file for each of the available data sources. You can customize them based on your requirements.

The configuration file is available at the following location by default:

C:\Program Files\Sophos\Reporting Interface\SophosLogWriterConfig.xml

For a list of data sources that are available for Log Writer, see Log Writer data sources.

To edit the Log Writer configuration file:

  1. Modify the connection settings in the <connectionString> element, which determines how Log Writer contacts the Enterprise Console database:

    In the default configuration file the <connectionString> element is commented out (surrounded by "<!--" and "-->" markers). If this element is commented out or not present in the configuration file, the service attempts to find the appropriate settings by scanning the registry for a SEC management service connection string. However, if the Log Writer is installed on a different machine from the management service, a connection string must be specified.

    For typical installations, only the database server name and instance must be modified. If you have a non-standard database setup, a description of how to edit connection parameters is available from the Microsoft website at the following location: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring.aspx

    • If the <connectionString> element is present but specifies an incorrect or empty connection string (such as DataSource=""), the service fails to start and does not look for the registry value.
    • If a connection to the database has been specified, a <noOfDays> element must also be defined; it determines how many days of historical data to retrieve.
    • The <commandTimeout> element specifies how long (in seconds) SQL Server waits for a command to complete before it times out. It is optional; if it is not specified, the server waits indefinitely.
    <?xml version="1.0" encoding="utf-8" ?>
    <SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
      <connection>
        <connectionString>
          Integrated Security = SSPI;
          Persist Security Info = False;
          Initial Catalog = Sophos[SECVersion];
          Data Source = [SERVER]\[INSTANCE]
        </connectionString>
        <commandTimeout>[TIMEOUT IN SECONDS]</commandTimeout>
      </connection>
      <noOfDays>[AGE OF HISTORICAL DATA]</noOfDays>
  2. Define custom datafeeds to extract information from the database. We recommend adding only one feed at a time, because this simplifies troubleshooting and reduces the load on the database. A datafeed is defined as follows:
    • Each datafeed must specify a single <tick> element and a single <logFile> element. They specify how often to check the database for new data and where to save the data.
    • The <applyLogFormat> element takes a value of either true or false and specifies whether to prefix each line with the date and time the line was written to the log file. This is useful if a third-party tool such as Splunk is used, which automatically picks up the first date on each line of the log file. If it is not set, no date prefix is added.
    • The <fileSize> element limits the size of the current log file. The <noOfBackupFiles> element sets the number of backup log files that can be created before older files are deleted.

      Example: If you have set the <fileSize> element to 500KB and the <noOfBackupFiles> element to 2, the first time the log file reaches 500KB it is renamed with the suffix ".1" and a new log file without a suffix is created to capture new logs. Once the new log file reaches 500KB, the existing ".1" file is renamed to ".2", the file that has just reached 500KB is renamed to ".1", and a new log file without a suffix is created again. The next time this happens, the ".2" file is deleted and the ".1" file is renamed to ".2".

    • Each datafeed contains one or more <call> elements, each labeled with a callID attribute that must be unique. The Log Writer keeps track of each call made by storing a timestamp for each call in a "[CallID].last" file.
      <datafeeds>
        <datafeed>
          <tick>[POLL TIME IN SECONDS]</tick>
          <applyLogFormat>true</applyLogFormat>
          <logFile>
            <noOfBackupFiles>[NUMBER OF BACKUP FILES]</noOfBackupFiles>
            <fileSize>[MAX FILE SIZE KB/MB/GB]</fileSize>
            <outputLocation>[LOG FILE LOCATION]</outputLocation>
            <outputFilename>[LOG FILE NAME]</outputFilename>
          </logFile>
          <call callID="[UNIQUE CALL NAME]">
            <dataSource>[DATA SOURCE TO USE]</dataSource>
            <dataConfigurationLocation>[CALL DATA CONFIG FILE LOCATION]</dataConfigurationLocation>
            <dataConfigurationFile>[CALL DATA CONFIG FILENAME]</dataConfigurationFile>
          </call>
          ...
        </datafeed>
        ...
      </datafeeds>
    </SophosDatafeed>
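The rotation rule described under <fileSize> and <noOfBackupFiles> in step 2, worked through in Python. This is an added example, not code from the Log Writer or from Sophos: the file name events.log, the 20-byte size limit and the "batchN-xx" lines are constructed here so the three rotations fit in a temporary directory, and the behaviour for noOfBackupFiles below 1 is an assumption the page does not define.

```python
import os
import tempfile


def rotate(log_dir, base_name, no_of_backup_files):
    """Rotate base_name as step 2 describes: delete the oldest backup
    (".N"), shift ".1"..".N-1" up by one, move the live file to ".1" and
    start a fresh live file."""
    current = os.path.join(log_dir, base_name)
    if no_of_backup_files < 1:
        # Not defined on the page; assumed here: with no backups, just truncate.
        open(current, "w", encoding="utf-8").close()
        return
    oldest = f"{current}.{no_of_backup_files}"
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(no_of_backup_files - 1, 0, -1):
        if os.path.exists(f"{current}.{n}"):
            os.replace(f"{current}.{n}", f"{current}.{n + 1}")
    os.replace(current, f"{current}.1")
    open(current, "w", encoding="utf-8").close()


def append_line(log_dir, base_name, line, file_size_bytes, no_of_backup_files):
    """Append one line and rotate once the live file reaches the size limit."""
    current = os.path.join(log_dir, base_name)
    with open(current, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    if os.path.getsize(current) >= file_size_bytes:
        rotate(log_dir, base_name, no_of_backup_files)


def snapshot(log_dir, base_name):
    """Map suffix ('' for the live file, '1', '2', ...) to file contents."""
    result = {}
    for name in sorted(os.listdir(log_dir)):
        if name == base_name or name.startswith(base_name + "."):
            with open(os.path.join(log_dir, name), encoding="utf-8") as fh:
                result[name[len(base_name) + 1:]] = fh.read()
    return result


def run_demo(file_size_bytes=20, no_of_backup_files=2):
    """Write three batches that each exactly fill the 20-byte live file
    (two 10-byte lines per batch) and return the resulting layout."""
    with tempfile.TemporaryDirectory() as log_dir:
        for batch in ("batch1", "batch2", "batch3"):
            for _ in range(2):
                append_line(log_dir, "events.log", f"{batch}-xx",
                            file_size_bytes, no_of_backup_files)
        return snapshot(log_dir, "events.log")


if __name__ == "__main__":
    for suffix, content in run_demo().items():
        print(f"events.log{'.' + suffix if suffix else ''}: {content!r}")
```

With two backup files, the third rotation deletes the first batch: the live file is empty, ".1" holds the third batch and ".2" the second, exactly the sequence the example in step 2 walks through. Sizing fileSize and noOfBackupFiles together therefore fixes how much history survives on disk before a collector such as Splunk must have read it.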
  3. If you want to edit the data sources, edit the <call> element. It specifies the data source to extract data from and associates it with a data formatting file that determines which columns of the available data are saved. The data formatting file is an ordered list of the required fields, constructed as follows:
    • The name attribute of each field can be any name you choose.
    • The link attribute must use a valid Reporting Interface field for the data source.
    • For the enabled attribute, 0 means the field is not extracted and 1 means it is extracted.
    <?xml version="1.0" encoding="utf-8" ?>
    <LogFile>
      <Events>
        <field name="[FIELDNAME]" link="[FIELDNAME]" enabled="1" />
        ...
      </Events>
    </LogFile>
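Because a bad connection string or a duplicate callID only shows up when the service fails to start, it is worth checking a configuration before restarting the service. The following Python script is an added example, not part of the Log Writer or of Sophos's documentation: it parses a configuration file and a data formatting file and checks the rules stated in steps 1 to 3 (non-empty Data Source, noOfDays required with a connection, numeric commandTimeout, one <tick> and one <logFile> per datafeed, true/false applyLogFormat, fileSize with a KB/MB/GB unit, unique callID, enabled="0" or "1"). The embedded XML samples are constructed here; ExampleDataSource, the link names, the server name and the paths are placeholders, and the check that a callID is usable as a file name is this script's own addition, not a rule Sophos states.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of SophosLogWriterConfig.xml as shown on this page.
NS = {"s": "http://www.sophos.com/msys/LogWriterConfig.xsd"}
SIZE_RE = re.compile(r"^\s*(\d+)\s*(KB|MB|GB)\s*$", re.IGNORECASE)

# Constructed sample configurations (placeholders, not a real deployment).
GOOD_CONFIG = r"""<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <connection>
    <connectionString>Integrated Security = SSPI; Persist Security Info = False;
      Initial Catalog = Sophos[SECVersion]; Data Source = SECSERVER\SOPHOS</connectionString>
    <commandTimeout>600</commandTimeout>
  </connection>
  <noOfDays>30</noOfDays>
  <datafeeds><datafeed>
    <tick>300</tick><applyLogFormat>true</applyLogFormat>
    <logFile><noOfBackupFiles>2</noOfBackupFiles><fileSize>500KB</fileSize>
      <outputLocation>C:\Logs</outputLocation><outputFilename>alerts.log</outputFilename></logFile>
    <call callID="Alerts"><dataSource>ExampleDataSource</dataSource>
      <dataConfigurationLocation>C:\Logs</dataConfigurationLocation>
      <dataConfigurationFile>Alerts.xml</dataConfigurationFile></call>
  </datafeed></datafeeds>
</SophosDatafeed>"""

# Same shape with four mistakes: empty Data Source, no noOfDays, fileSize
# without a unit, and a duplicated callID.
BAD_CONFIG = r"""<SophosDatafeed xmlns="http://www.sophos.com/msys/LogWriterConfig.xsd">
  <connection><connectionString>Integrated Security = SSPI; Data Source = </connectionString></connection>
  <datafeeds><datafeed>
    <tick>60</tick>
    <logFile><noOfBackupFiles>2</noOfBackupFiles><fileSize>500</fileSize>
      <outputLocation>C:\Logs</outputLocation><outputFilename>alerts.log</outputFilename></logFile>
    <call callID="Alerts"><dataSource>ExampleDataSource</dataSource></call>
    <call callID="Alerts"><dataSource>ExampleDataSource</dataSource></call>
  </datafeed></datafeeds>
</SophosDatafeed>"""

SAMPLE_FORMAT = """<LogFile><Events>
  <field name="Time" link="EventTime" enabled="1" />
  <field name="Computer" link="ComputerName" enabled="1" />
  <field name="Details" link="EventDetails" enabled="0" />
</Events></LogFile>"""


def parse_connection_string(text):
    """Split 'Key = Value; ...' into a dict keyed without whitespace or case."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs["".join(key.split()).lower()] = value.strip()
    return pairs


def parse_file_size(text):
    """Convert a fileSize value such as '500KB' to bytes; None if malformed."""
    m = SIZE_RE.match(text or "")
    if not m:
        return None
    return int(m.group(1)) * {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}[m.group(2).lower()]


def validate_config(xml_text):
    """Return the problems found in a Log Writer configuration (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    conn = root.find("s:connection", NS)
    cs = conn.find("s:connectionString", NS) if conn is not None else None
    if cs is not None:
        # Step 1: an empty Data Source stops the service starting; a connection
        # needs noOfDays; commandTimeout is optional but must be whole seconds.
        if not parse_connection_string(cs.text or "").get("datasource"):
            problems.append("connectionString: empty Data Source, service will not start")
        if not root.findtext("s:noOfDays", default="", namespaces=NS).strip().isdigit():
            problems.append("noOfDays is required when a connection is specified")
        timeout = conn.findtext("s:commandTimeout", namespaces=NS)
        if timeout is not None and not timeout.strip().isdigit():
            problems.append("commandTimeout must be a whole number of seconds")
    seen_ids = set()
    for i, feed in enumerate(root.iterfind("s:datafeeds/s:datafeed", NS), 1):
        # Step 2: exactly one tick and one logFile per datafeed.
        for tag in ("tick", "logFile"):
            if len(feed.findall(f"s:{tag}", NS)) != 1:
                problems.append(f"datafeed {i}: exactly one <{tag}> is required")
        tick = feed.findtext("s:tick", default="", namespaces=NS).strip()
        if not tick.isdigit() or int(tick) == 0:
            problems.append(f"datafeed {i}: tick must be a positive number of seconds")
        fmt = feed.findtext("s:applyLogFormat", namespaces=NS)
        if fmt is not None and fmt.strip().lower() not in ("true", "false"):
            problems.append(f"datafeed {i}: applyLogFormat must be true or false")
        log = feed.find("s:logFile", NS)
        if log is not None:
            if parse_file_size(log.findtext("s:fileSize", namespaces=NS)) is None:
                problems.append(f"datafeed {i}: fileSize must be <number>KB, MB or GB")
            if not log.findtext("s:noOfBackupFiles", default="", namespaces=NS).strip().isdigit():
                problems.append(f"datafeed {i}: noOfBackupFiles must be a whole number")
        for call in feed.iterfind("s:call", NS):
            cid = (call.get("callID") or "").strip()
            if not cid:
                problems.append(f"datafeed {i}: <call> without a callID")
            elif cid in seen_ids:
                problems.append(f"duplicate callID {cid!r}")
            elif re.search(r'[\\/:*?"<>|]', cid):
                # callID names the "[CallID].last" file; this check is added here
                # and rejects characters a Windows file name cannot contain.
                problems.append(f"callID {cid!r} is not usable as a file name")
            seen_ids.add(cid)
    return problems


def enabled_fields(format_xml):
    """Return the (name, link) pairs a data formatting file enables, in order."""
    out = []
    for field in ET.fromstring(format_xml).iterfind("Events/field"):
        enabled = field.get("enabled")
        if enabled not in ("0", "1"):
            raise ValueError(f"field {field.get('name')!r}: enabled must be 0 or 1")
        if enabled == "1":
            out.append((field.get("name"), field.get("link")))
    return out


if __name__ == "__main__":
    print("good:", validate_config(GOOD_CONFIG) or "no problems")
    print("bad:", validate_config(BAD_CONFIG))
    print("fields:", enabled_fields(SAMPLE_FORMAT))
```

To check a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `validate_config`; because the `<connectionString>` element is commented out in the shipped default, the script reports nothing about the connection in that case, matching the registry-lookup behaviour described in step 1. The script cannot confirm that a link value is a valid Reporting Interface field or that a dataSource exists; for that list see Log Writer data sources.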
  4. Start the Sophos Reporting Log Writer service.
    • You must restart the Log Writer service for any configuration change to take effect.
    • Before you start the Log Writer service with a new configuration, we recommend you stop the Sophos Management Service whilst the Log Writer initializes new datafeeds and downloads historical data from the database.