Reference: Sophos Linux Sensor configuration options
The following table describes the environment variables and configuration file values used by Sophos Linux Sensor (SLS). Configuration file values are written as object.subobject. For example, the following YAML entry is written as service.metadata.labels.
service:
  metadata:
    labels:
      - "region=US-EAST-1"
If a configuration variable is set both in runtimedetections.yaml and on the command line, the command line value takes precedence. If a configuration variable is not set, the default value is used.
Environment variables
RUNTIMEDETECTIONS_CLOUD_META
| Setting | Description |
|---|---|
| Configuration File Value | cloud_meta |
| Description | Defines the metadata service for the sensor. See Metadata. |
| Type | string |
| Default | "off" |
Example
RUNTIMEDETECTIONS_CLOUD_META=auto
RUNTIMEDETECTIONS_CONFIG
| Setting | Description |
|---|---|
| Configuration File Value | N/A |
| Description | Alternate location and name of the runtimedetections.yaml file |
| Type | string |
| Default | /etc/sophos/runtimedetections.yaml |
Example
RUNTIMEDETECTIONS_CONFIG=/var/run/myconfig.yaml
RUNTIMEDETECTIONS_SERVICE_METADATA_LABELS
| Setting | Description |
|---|---|
| Configuration File Value | service.metadata.labels |
| Description | A string of key-value pairs, separated by =, that provides metadata about the sensor host |
| Type | string |
| Default | "" |
Example
RUNTIMEDETECTIONS_SERVICE_METADATA_LABELS="metahost=true"
RUNTIMEDETECTIONS_DEBUG
| Setting | Description |
|---|---|
| Configuration File Value | debug |
| Description | Turn debugging, profiling features, and logging on or off |
| Type | boolean |
| Default | false |
Example
RUNTIMEDETECTIONS_DEBUG=true
RUNTIMEDETECTIONS_LOG_OUTPUT
| Setting | Description |
|---|---|
| Configuration File Value | log_output |
| Description | Turn debugging, profiling features, and logging on or off |
| Type | string |
| Default | "" |
Example
RUNTIMEDETECTIONS_LOG_OUTPUT=/var/log/runtimedetections.log
RUNTIMEDETECTIONS_LOG_LEVEL
| Setting | Description |
|---|---|
| Configuration File Value | log_level |
| Type | string |
| Description | Message level at which to log |
| Default | info |
Example
RUNTIMEDETECTIONS_LOG_LEVEL=debug
RUNTIMEDETECTIONS_MONITOR_PORT
| Setting | Description |
|---|---|
| Configuration File Value | monitor_port |
| Type | integer |
| Description | TCP port to serve health checks, version, varz and profiling endpoints |
| Default | 9010 |
Example
RUNTIMEDETECTIONS_MONITOR_PORT=9999
RUNTIMEDETECTIONS_LISTEN_ADDR
| Setting | Description |
|---|---|
| Configuration File Value | listen_addr |
| Type | string |
| Description | Socket address for the sensor telemetry service to listen on (can be a unix socket) |
| Default | unix://var/run/sophos/sensor.sock |
Example
RUNTIMEDETECTIONS_LISTEN_ADDR=localhost:8443
RUNTIMEDETECTIONS_INVESTIGATIONS_FLIGHT_RECORDER_ENABLED
| Setting | Description |
|---|---|
| Configuration File Value | investigations.flight_recorder.enabled |
| Type | boolean |
| Description | Activate the embedded flight recorder and turn on investigations |
| Default | false |
Example
RUNTIMEDETECTIONS_INVESTIGATIONS_FLIGHT_RECORDER_ENABLED=true
RUNTIMEDETECTIONS_PERF_EVENT_REORDER_WINDOW
| Setting | Description |
|---|---|
| Configuration File Value | perf_event_reorder_window |
| Type | time.duration |
| Description | The delay over which events will be reordered. |
| Default | 75ms |
Example
RUNTIMEDETECTIONS_PERF_EVENT_REORDER_WINDOW=0ms
RUNTIMEDETECTIONS_INOTIFY_REQUEST_QUEUE_SIZE
| Setting | Description |
|---|---|
| Configuration File Value | inotify_request_queue_size |
| Type | integer |
| Description | The queue size to use for attaching inotify watchers and checking for lost writes. |
| Default | 1024 |
Example
RUNTIMEDETECTIONS_INOTIFY_REQUEST_QUEUE_SIZE=0
RUNTIMEDETECTIONS_RUNTIME_DIR
| Setting | Description |
|---|---|
| Configuration File Value | runtime_dir |
| Type | string |
| Description | Location for runtime use. |
| Default | /var/run/sophos |
Example
RUNTIMEDETECTIONS_RUNTIME_DIR=/var/run/sophos
RUNTIMEDETECTIONS_SUPPORT_DIR
| Setting | Description |
|---|---|
| Configuration File Value | support_dir |
| Type | string |
| Description | Location for support files. |
| Default | /var/lib/sophos |
Example
RUNTIMEDETECTIONS_SUPPORT_DIR=/var/lib/sophos
RUNTIMEDETECTIONS_ANALYTICS_CONTENT_PATH
| Setting | Description |
|---|---|
| Configuration File Value | analytics_content_path |
| Type | string |
| Description | File or folder containing content file(s). |
| Default | /var/lib/sophos/content/runtimedetections-rules.yaml |
Example
RUNTIMEDETECTIONS_ANALYTICS_CONTENT_PATH=/var/lib/sophos/content/runtimedetections-content.yaml
RUNTIMEDETECTIONS_DOCKER_DATA_ROOT
| Setting | Description |
|---|---|
| Configuration File Value | docker_data_root |
| Type | string |
| Description | Docker's configured data root path. |
| Default | /var/lib/docker |
Example
RUNTIMEDETECTIONS_DOCKER_DATA_ROOT=/var/lib/docker
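The following added example (not Sophos code) combines the object.subobject naming convention, the override rule and a subset of the defaults from the tables above to report which settings on a host differ from the documented defaults and where each value came from. It assumes the configuration file has already been parsed into a nested dict (for example by a YAML library) and that the environment variables listed on this page are the overriding "command line" values; the function names are hypothetical.

```python
import os

# Defaults copied from the tables on this page (subset; extend as needed).
DEFAULTS = {
    "debug": False,
    "monitor_port": 9010,
    "listen_addr": "unix://var/run/sophos/sensor.sock",
    "investigations.flight_recorder.enabled": False,
    "service.metadata.labels": "",
}

def flatten(node, prefix=""):
    """Turn parsed YAML (nested dicts) into object.subobject keys."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        flat.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return flat

def env_name(key):
    """service.metadata.labels -> RUNTIMEDETECTIONS_SERVICE_METADATA_LABELS"""
    return "RUNTIMEDETECTIONS_" + key.replace(".", "_").upper()

def coerce(raw, default):
    """Convert an environment string to the type of the documented default."""
    if isinstance(default, bool):  # test bool first: bool is a subclass of int
        return raw.strip().lower() == "true"
    return int(raw) if isinstance(default, int) else raw

def effective(file_cfg, env=os.environ):
    """Return {key: (value, source)}. Assumption: env beats file beats default."""
    flat, out = flatten(file_cfg), {}
    for key, default in DEFAULTS.items():
        if env_name(key) in env:
            out[key] = (coerce(env[env_name(key)], default), "env")
        elif key in flat:
            out[key] = (flat[key], "file")
        else:
            out[key] = (default, "default")
    return out

def drift(file_cfg, env=os.environ):
    """Settings whose effective value differs from the documented default."""
    return {k: v for k, v in effective(file_cfg, env).items() if v[0] != DEFAULTS[k]}

if __name__ == "__main__":  # constructed sample input, not from a real host
    sample = {"debug": True, "service": {"metadata": {"labels": ["region=US-EAST-1"]}}}
    print(drift(sample, {"RUNTIMEDETECTIONS_DEBUG": "false"}))
```

Reviewing the drift output alongside the source column shows, for instance, when a file setting such as debug is silently masked by an environment variable.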
Additional configuration file values
investigations.flight_recorder.tables
| Setting | Description |
|---|---|
| Variable name | N/A |
| Description | The tables and configurations to use when flushing data. |
| Type | list |
| Default | "" |
investigations.sinks
| Setting | Description |
|---|---|
| Variable name | N/A |
| Description | The sinks to use when flushing data. |
| Type | list |
| Default | "" |
investigations.reporting_interval
| Setting | Description |
|---|---|
| Variable name | N/A |
| Description | Duration of the flusher's intervals between reports. |
| Type | string |
| Default | "" |
investigations.max_payload_size
| Setting | Description |
|---|---|
| Variable name | N/A |
| Description | Maximum number of bytes for a single flushed payload. |
| Type | integer |
| Default | 4194304 |
investigations.timeout
| Setting | Description |
|---|---|
| Variable name | N/A |
| Description | Time until the flusher times out. |
| Type | string |
| Default | 5s |