Reference: Sophos Linux Sensor configuration options
The following table describes the environment variables and configuration file values used by Sophos Linux Sensor (SLS). Configuration file values are written as object.subobject. For example, the following YAML entry is written as service.metadata.labels.
service:
  metadata:
    labels:
      - "region=US-EAST-1"
If a configuration variable is set both in runtimedetections.yaml and on the command line, the command line value takes precedence. If a configuration variable is not set, it reverts to the default value.
Environment variables
RUNTIMEDETECTIONS_CLOUD_META
Setting | Description |
---|---|
Configuration File Value | cloud_meta |
Description | Defines the metadata service for the sensor. See Metadata. |
Type | string |
Default | "off" |
Example
RUNTIMEDETECTIONS_CLOUD_META=auto
RUNTIMEDETECTIONS_CONFIG
Setting | Description |
---|---|
Configuration File Value | N/A |
Description | Alternate location and name of the runtimedetections.yaml file |
Type | string |
Default | /etc/sophos/runtimedetections-rules.yaml |
Example
RUNTIMEDETECTIONS_CONFIG=/var/run/myconfig.yaml
RUNTIMEDETECTIONS_SERVICE_METADATA_LABELS
Setting | Description |
---|---|
Configuration File Value | service.metadata.labels |
Description | A string of key-value pairs, each written as key=value, holding metadata about the sensor host |
Type | string |
Default | "" |
Example
RUNTIMEDETECTIONS_SERVICE_METADATA_LABELS="metahost=true"
RUNTIMEDETECTIONS_DEBUG
Setting | Description |
---|---|
Configuration File Value | debug |
Description | Turn debugging, profiling features, and logging on or off |
Type | boolean |
Default | false |
Example
RUNTIMEDETECTIONS_DEBUG=true
RUNTIMEDETECTIONS_LOG_OUTPUT
Setting | Description |
---|---|
Configuration File Value | log_output |
Description | Turn debugging, profiling features, and logging on or off |
Type | string |
Default | "" |
Example
RUNTIMEDETECTIONS_LOG_OUTPUT=/var/log/runtimedetections.log
RUNTIMEDETECTIONS_LOG_LEVEL
Setting | Description |
---|---|
Configuration File Value | log_level |
Type | string |
Description | Message level at which to log |
Default | info |
Example
RUNTIMEDETECTIONS_LOG_LEVEL=debug
RUNTIMEDETECTIONS_MONITOR_PORT
Setting | Description |
---|---|
Configuration File Value | monitor_port |
Type | integer |
Description | TCP port to serve health checks, version, varz and profiling endpoints |
Default | 9010 |
Example
RUNTIMEDETECTIONS_MONITOR_PORT=9999
RUNTIMEDETECTIONS_LISTEN_ADDR
Setting | Description |
---|---|
Configuration File Value | listen_addr |
Type | string |
Description | Socket address for the sensor telemetry service to listen on (can be a unix socket) |
Default | unix://var/run/sophos/sensor.sock |
Example
RUNTIMEDETECTIONS_LISTEN_ADDR=localhost:8443
RUNTIMEDETECTIONS_INVESTIGATIONS_FLIGHT_RECORDER_ENABLED
Setting | Description |
---|---|
Configuration File Value | investigations.flight_recorder.enabled |
Type | boolean |
Description | Activate the embedded flight recorder and turn on investigations |
Default | false |
Example
RUNTIMEDETECTIONS_INVESTIGATIONS_FLIGHT_RECORDER_ENABLED=true
RUNTIMEDETECTIONS_PERF_EVENT_REORDER_WINDOW
Setting | Description |
---|---|
Configuration File Value | perf_event_reorder_window |
Type | time.duration |
Description | The delay over which events will be reordered. |
Default | 75ms |
Example
RUNTIMEDETECTIONS_PERF_EVENT_REORDER_WINDOW=0ms
RUNTIMEDETECTIONS_INOTIFY_REQUEST_QUEUE_SIZE
Setting | Description |
---|---|
Configuration File Value | inotify_request_queue_size |
Type | integer |
Description | The queue size to use for attaching inotify watchers and checking for lost writes. |
Default | 1024 |
Example
RUNTIMEDETECTIONS_INOTIFY_REQUEST_QUEUE_SIZE=0
RUNTIMEDETECTIONS_RUNTIME_DIR
Setting | Description |
---|---|
Configuration File Value | runtime_dir |
Type | string |
Description | Location for runtime use. |
Default | /var/run/sophos |
Example
RUNTIMEDETECTIONS_RUNTIME_DIR=/var/run/sophos
RUNTIMEDETECTIONS_SUPPORT_DIR
Setting | Description |
---|---|
Configuration File Value | support_dir |
Type | string |
Description | Location for support files. |
Default | /var/lib/sophos |
Example
RUNTIMEDETECTIONS_SUPPORT_DIR=/var/lib/sophos
RUNTIMEDETECTIONS_CONTENT_PATH
Setting | Description |
---|---|
Configuration File Value | content_path |
Type | string |
Description | File or folder containing content file(s). |
Default | /var/lib/sophos/content/runtimedetections-rules.yaml |
Example
RUNTIMEDETECTIONS_CONTENT_PATH=/var/lib/sophos/content/runtimedetections-content.yaml
RUNTIMEDETECTIONS_DOCKER_DATA_ROOT
Setting | Description |
---|---|
Configuration File Value | docker_data_root |
Type | string |
Description | Docker's configured data root path. |
Default | /var/lib/docker |
Example
RUNTIMEDETECTIONS_DOCKER_DATA_ROOT=/var/lib/docker
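Because an unset variable reverts to its default, a misspelled variable name leaves the intended setting at its default value. The following added example (not Sophos code) checks a KEY=VALUE environment file against the variable names, types and defaults listed on this page. The accepted value grammar for boolean, integer and time.duration, and the choice to model an invalid value as "default kept", are assumptions.

```python
import re
PREFIX = "RUNTIMEDETECTIONS_"
# Variable suffix, configuration file value, type, default: copied from this page.
TABLE = """\
CLOUD_META cloud_meta string off
CONFIG N/A string /etc/sophos/runtimedetections-rules.yaml
SERVICE_METADATA_LABELS service.metadata.labels string ""
DEBUG debug boolean false
LOG_OUTPUT log_output string ""
LOG_LEVEL log_level string info
MONITOR_PORT monitor_port integer 9010
LISTEN_ADDR listen_addr string unix://var/run/sophos/sensor.sock
INVESTIGATIONS_FLIGHT_RECORDER_ENABLED investigations.flight_recorder.enabled boolean false
PERF_EVENT_REORDER_WINDOW perf_event_reorder_window time.duration 75ms
INOTIFY_REQUEST_QUEUE_SIZE inotify_request_queue_size integer 1024
RUNTIME_DIR runtime_dir string /var/run/sophos
SUPPORT_DIR support_dir string /var/lib/sophos
CONTENT_PATH content_path string /var/lib/sophos/content/runtimedetections-rules.yaml
DOCKER_DATA_ROOT docker_data_root string /var/lib/docker
"""
SPEC = {PREFIX + n: (key, typ, d.strip('"')) for n, key, typ, d in
        (row.split() for row in TABLE.splitlines())}
# Assumed value grammar: the page names the types but not their syntax.
VALID = {"string": lambda v: True, "boolean": lambda v: v in ("true", "false"),
         "integer": str.isdigit,
         "time.duration": lambda v: bool(re.fullmatch(r"\d+(ns|us|ms|s|m|h)", v))}

def audit(env_text):
    """Return (effective value per variable, findings) for KEY=VALUE text."""
    effective = {name: spec[2] for name, spec in SPEC.items()}
    findings = []
    for line in map(str.strip, env_text.splitlines()):
        if not line.startswith(PREFIX) or "=" not in line:
            continue  # comments, blank lines, unrelated variables
        name, value = line.split("=", 1)
        value = value.strip().strip('"')
        if name not in SPEC:
            findings.append(f"{name}: not documented, intended setting stays at default")
        elif not VALID[SPEC[name][1]](value):
            findings.append(f"{name}: {value!r} is not a valid {SPEC[name][1]}")
        else:
            effective[name] = value
    return effective, findings

# Constructed sample: one valid entry, one misspelled name, one malformed integer.
SAMPLE = ("RUNTIMEDETECTIONS_DEBUG=true\n"
          "RUNTIMEDETECTIONS_INVESTIGATIONS_FLIGHTRECORDER_ENABLED=true\n"
          "RUNTIMEDETECTIONS_MONITOR_PORT=99x9\n")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

In the sample, the flight recorder remains off because the variable name is missing an underscore, which is the kind of silent fallback the check is meant to surface.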
Additional configuration file values
investigations.flight_recorder.tables
Setting | Description |
---|---|
Variable name | N/A |
Description | The tables and configurations to use when flushing data. |
Type | list |
Default | "" |
investigations.sinks
Setting | Description |
---|---|
Variable name | N/A |
Description | The sinks to use when flushing data. |
Type | list |
Default | "" |
investigations.reporting_interval
Setting | Description |
---|---|
Variable name | N/A |
Description | Duration of the flusher's intervals between reports. |
Type | string |
Default | "" |
investigations.max_payload_size
Setting | Description |
---|---|
Variable name | N/A |
Description | Maximum number of bytes for a single flushed payload. |
Type | integer |
Default | 4194304 |
investigations.timeout
Setting | Description |
---|---|
Variable name | N/A |
Description | Time until the flusher times out. |
Type | string |
Default | 5s |