Overview of Sophos Linux Sensor configuration
After you have installed Sophos Linux Sensor (SLS), you can configure its functionality.
By default, SLS looks in
/etc/sophos for a
/etc/sophos contains two configuration files: runtimedetections.yaml for sensor configuration and runtimedetections-rules.yaml for detection content. For more information on managing detections, see Setting Up Detections.
SLS can also be run with environment variables set on the command line. Most configuration options for the sensor can be set either as an environment variable or as a value in runtimedetections.yaml, as documented in the table in Reference: Sophos Linux Sensor configuration options. If a configuration variable is set both in runtimedetections.yaml and on the command line, the command-line value takes precedence. If a configuration variable is not set, it reverts to the default value.
For example, to turn on debug mode for the sensor, you can either set the environment variable RUNTIMEDETECTIONS_DEBUG=true or enter the following line in
If the environment variable RUNTIMEDETECTIONS_DEBUG=true is set and the configuration file contains debug: false, then debug will be set to true, as the environment variable takes precedence. If neither is set, then debug will be set to false, which is the default for this variable.
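The precedence described above can be checked during a configuration audit, for example to catch a debug override left in a service environment while the file says otherwise. The following is an added example, not Sophos code: the function names, the simplified top-level key parsing and the true/false value handling are assumptions; only the debug key, RUNTIMEDETECTIONS_DEBUG and the default of false come from this page.

```python
import os

ENV_NAME = "RUNTIMEDETECTIONS_DEBUG"  # environment variable named on this page
DEFAULT_DEBUG = False                 # default stated on this page


def _to_bool(text):
    # Assumption: booleans are spelled true/false, as in the page's examples.
    value = text.strip().strip("'\"").lower()
    if value in ("true", "false"):
        return value == "true"
    raise ValueError(f"not a boolean: {text!r}")


def file_debug(yaml_text):
    """Return the top-level debug value from the YAML text, or None if unset."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop trailing comments
        if line.startswith("debug:"):           # top level only: no indentation
            return _to_bool(line.split(":", 1)[1])
    return None


def effective_debug(yaml_text, environ=None):
    """Return (value, source, shadowed) following the documented precedence.

    shadowed is True when the environment overrides a different file value,
    which is the drift an audit usually wants to report.
    """
    environ = os.environ if environ is None else environ
    from_file = file_debug(yaml_text)
    if ENV_NAME in environ:
        value = _to_bool(environ[ENV_NAME])
        shadowed = from_file is not None and from_file != value
        return value, "environment", shadowed
    if from_file is not None:
        return from_file, "file", False
    return DEFAULT_DEBUG, "default", False


# Constructed sample standing in for /etc/sophos/runtimedetections.yaml
SAMPLE_YAML = "# sensor configuration\ndebug: false\n"

if __name__ == "__main__":
    print(effective_debug(SAMPLE_YAML, {ENV_NAME: "true"}))
    print(effective_debug(SAMPLE_YAML, {}))
    print(effective_debug("", {}))
```
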