
Overview of Sophos Linux Sensor configuration

After you have installed Sophos Linux Sensor (SLS), you can configure its functionality.

By default, SLS looks in /etc/sophos for a runtimedetections.yaml file. /etc/sophos contains two configuration files: runtimedetections.yaml for sensor configuration and runtimedetections-rules.yaml for detection content. For more information on managing detections, see Setting Up Detections.

SLS can also be configured with environment variables set on the command line. Most configuration options for the sensor can be set either as an environment variable or as a value in runtimedetections.yaml, as documented in the table in Reference: Sophos Linux Sensor configuration options. If a configuration variable is set both in runtimedetections.yaml and on the command line, the command line value takes precedence. If a configuration variable is not set, it reverts to the default value.

For example, to turn on debug mode for the sensor, you can either set the environment variable RUNTIMEDETECTIONS_DEBUG=true or enter the following line in runtimedetections.yaml:

debug: true

Example

If the environment variable RUNTIMEDETECTIONS_DEBUG=true is set and runtimedetections.yaml has debug: false, then debug will be set to true, as the environment variable takes precedence. If neither is set, then debug will be set to false, which is the default for this variable.
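The precedence described above can be checked before the sensor starts. The following script is an added example, not Sophos code: it resolves the effective value of one option and warns when an environment variable overrides a different value in the file, which is easy to miss when only the YAML is reviewed. The function names are hypothetical, and the script assumes an unquoted top-level "key: value" line and the same environment the sensor is started with.

```shell
#!/bin/sh
# Added example, not Sophos code. Assumes each option is an unquoted,
# top-level "key: value" line and that an empty value counts as unset.

# Print the value of a top-level key from the YAML file (empty if absent).
sls_file_value() {
    awk -v k="$2" '
        $0 ~ ("^" k ":[ \t]*") {
            sub("^" k ":[ \t]*", "")   # drop "key:"
            sub(/[ \t]+#.*$/, "")      # drop a trailing comment
            sub(/[ \t]+$/, "")         # drop trailing whitespace
            print; exit
        }' "$1" 2>/dev/null
}

# Print "<value> <source>" using the documented precedence:
# environment variable, then runtimedetections.yaml, then the default.
sls_effective() {
    # printenv sees only exported variables, i.e. what a started process inherits
    env_val=$(printenv "$3") || env_val=
    file_val=$(sls_file_value "$1" "$2") || file_val=
    if [ -n "$env_val" ]; then echo "$env_val environment"
    elif [ -n "$file_val" ]; then echo "$file_val file"
    else echo "$4 default"
    fi
}

# Return 0 and warn when the environment overrides a different file value.
sls_shadowed() {
    env_val=$(printenv "$3") || return 1
    [ -n "$env_val" ] || return 1
    file_val=$(sls_file_value "$1" "$2") || file_val=
    [ -n "$file_val" ] && [ "$file_val" != "$env_val" ] || return 1
    echo "WARNING: $3=$env_val overrides '$2: $file_val' in $1" >&2
}

sls_effective /etc/sophos/runtimedetections.yaml debug RUNTIMEDETECTIONS_DEBUG false
```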