Last update: 2022-06-08

Testing Default Detections

Prerequisites

Testing Sophos Linux Sensor detections

Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to trigger a test alert using the Test Alert policy in the default content package.

  1. Make sure SLS is started on the host that you wish to test. Run the following command:

    systemctl status sophoslinuxsensor
    

    Sample output:

    vagrant@vagrant:~$ sudo systemctl status sophoslinuxsensor
    ● sophoslinuxsensor.service - Sophos Linux Sensor
        Loaded: loaded (/lib/systemd/system/sophoslinuxsensor.service; enabled; vendor preset: enabled)
        Active: active (running) since Tue 2022-05-17 15:19:04 UTC; 14min ago
      Main PID: 26137 (sophoslinuxsens)
        Tasks: 20 (limit: 2245)
        Memory: 42.0M
        CGroup: /system.slice/sophoslinuxsensor.service
                ├─26137 /usr/local/bin/sophoslinuxsensor
                ├─26149 runtimedetections-trigger
                └─26151 /usr/local/bin/perf-sensor
    
    ...
    May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z        INFO        32 policies configured
    ...
    
  2. Run the following command to trigger the Test Alert policy:

    sophoslinuxsensor --test-alert
    

    Sample output:

    2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
    Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
    2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
    2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting
    
  3. You should see the following alert:

    May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
    

    You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.
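The three steps above can be wrapped into one repeatable check, so that a deployment pipeline or a fleet-wide audit can confirm both that the content package loaded (the `N policies configured` startup line) and that a test alert actually reaches the journal. The script below is an added example, not part of the Sophos documentation or the product; it assumes only what the sample output on this page shows (the `sophoslinuxsensor` unit name, the `--test-alert` flag and the `Alert triggered: Alert Tester` line). The sample journal text embedded in it is constructed from that output so the parsers can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the Sophos documentation): checks a Sophos Linux
# Sensor test alert end to end and parses the sensor's output.
# Assumptions: the unit is named sophoslinuxsensor, the binary accepts
# --test-alert and the alert line reads "Alert triggered: Alert Tester",
# all as shown in the sample output on this page.

# count_policies LOGTEXT
#   Prints the N from the sensor's "N policies configured" startup line,
#   or 0 when the line is absent (content package not loaded).
count_policies() {
  local n
  n=$(printf '%s\n' "$1" \
      | sed -n 's/.*INFO[[:space:]]*\([0-9][0-9]*\) policies configured.*/\1/p' \
      | head -n 1)
  printf '%s\n' "${n:-0}"
}

# alert_count LOGTEXT
#   Prints how many "Alert Tester" alerts appear in the given journal text.
alert_count() {
  printf '%s\n' "$1" | grep -c 'Alert triggered: Alert Tester' || true
}

# live_test_alert [UNIT]
#   Runs the page's procedure against the local host: confirm the unit is
#   active, note the time, trigger the test alert and verify that at least
#   one new Alert Tester line was written to the journal since then.
#   Returns 0 on success, 1 on a failed check, 2 when the sensor or
#   systemd is not present on this host.
live_test_alert() {
  local unit="${1:-sophoslinuxsensor}" start journal
  command -v systemctl >/dev/null 2>&1 && command -v sophoslinuxsensor >/dev/null 2>&1 || return 2
  systemctl is-active --quiet "$unit" || { echo "FAIL: $unit is not active" >&2; return 1; }
  start=$(date '+%Y-%m-%d %H:%M:%S')
  sophoslinuxsensor --test-alert >/dev/null || { echo "FAIL: --test-alert exited non-zero" >&2; return 1; }
  sleep 2   # give the running sensor a moment to write the alert
  journal=$(journalctl -u "$unit" --since "$start" --no-pager)
  [ "$(alert_count "$journal")" -ge 1 ] || { echo "FAIL: no Alert Tester line since $start" >&2; return 1; }
  echo "OK: Alert Tester alert observed in journal for $unit"
}

# Constructed sample journal text, modelled on this page's output, used to
# exercise the two parsers without a sensor installed.
SAMPLE_JOURNAL='May 17 15:19:05 vagrant sophoslinuxsensor[26137]: 2022-05-17T15:19:05.908Z        INFO        32 policies configured
May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester'

if [ "${1:-}" = "--live" ]; then
  live_test_alert
else
  echo "policies configured: $(count_policies "$SAMPLE_JOURNAL")"
  echo "test alerts seen:    $(alert_count "$SAMPLE_JOURNAL")"
fi
```

Run it with `--live` on a host where the sensor is installed to perform the real check; without arguments it only parses the constructed sample. If your alert output is not the journal (SLS writes to stdout by default, and your configuration may redirect it), point the `journal=` line at that destination instead.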
