Overview of Sophos Linux Sensor configuration
After you have installed Sophos Linux Sensor (SLS), you can configure its functionality.
By default, SLS looks in /etc/sophos for a runtimedetections.yaml file. /etc/sophos contains two configuration files: runtimedetections.yaml for sensor configuration and runtimedetections-rules.yaml for detection content. For more information on managing detections, see Setting Up Detections.
SLS can also be run with environment variables set on the command line. Most configuration options for the sensor can be set either as an environment variable or as a value in runtimedetections.yaml, as documented in the table in Reference: Sophos Linux Sensor configuration options. If a configuration variable is set both in runtimedetections.yaml and on the command line, the command line value takes precedence. If a configuration variable is not set, it reverts to the default value.
For example, to turn on debug mode for the sensor, you can either set the environment variable RUNTIMEDETECTIONS_DEBUG=true or enter the following line in runtimedetections.yaml:
debug: true
Example
If the environment variable RUNTIMEDETECTIONS_DEBUG=true is set and runtimedetections.yaml has debug: false, then debug will be set to true, as the environment variable takes precedence. If neither is set, then debug will be set to false, which is the default for this variable.
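
The precedence described above can be checked on a host with a small shell function. This is an added example, not part of SLS or the Sophos documentation; the function name effective_debug is hypothetical, and it assumes debug is written as a top-level "debug: <value>" line and that an empty environment variable counts as not set.

```shell
#!/bin/sh
# Added example: report the effective SLS debug setting and where it came from.
# Assumption: debug is a top-level "debug: <value>" line in the YAML file.
# Assumption: an empty RUNTIMEDETECTIONS_DEBUG is treated as not set.

# Usage: effective_debug [path-to-runtimedetections.yaml]
# Prints "<value> <source>", where <source> is env, file or default.
effective_debug() {
    conf="${1:-/etc/sophos/runtimedetections.yaml}"

    # 1. The environment variable takes precedence over the file.
    if [ -n "${RUNTIMEDETECTIONS_DEBUG:-}" ]; then
        echo "$RUNTIMEDETECTIONS_DEBUG env"
        return 0
    fi

    # 2. Otherwise use the top-level debug key from the file, if present.
    #    Trailing comments are dropped and surrounding quotes are stripped.
    if [ -r "$conf" ]; then
        val=$(sed -n 's/^debug:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" \
              | tail -n 1 | tr -d "\"'")
        if [ -n "$val" ]; then
            echo "$val file"
            return 0
        fi
    fi

    # 3. Neither is set: the documented default for debug is false.
    echo "false default"
}
```

Running it in the same environment the sensor is started from shows whether debug mode is on and whether an environment variable is overriding the file.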