Getting started: exporting alerts

Sophos Linux Sensor (SLS) is designed to make it easy to output SLS Alert data in a way that fits naturally with your existing workflows. SLS provides multiple output types, and you are not limited to a single alert output: you can configure several destinations for SLS alerts at the same time, for example Splunk and Slack, or stdout and Sophos Central.

Getting Alerts via a file

The file output type writes alerts to a file on SLS's local file system. This output type is commonly used to integrate with existing log shippers that can read from a log file.

Configuration:

| Key | Required | Description |
|---|---|---|
| type | yes | The output type. |
| enabled | yes | Turns the output on or off. |
| name | yes | The file name. |
| max_size | no | The max file size in MB that a log file can reach before it's rotated. Defaults to 100. |
| max_backups | no | The max number of log files to retain. Defaults to not deleting any old log files. |

Here's an example of SLS writing to two local files:

```yaml
alert_output:
  outputs:
    # Write the full Alert to a local log file
    - type: file
      enabled: true
      name: /var/log/sophos-alerts.json

    # Write a truncated Alert summary to a different local log file
    - type: file
      enabled: true
      template: "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Tgid}} {{.ProcessInfo.Program.Path}}"
      name: /var/log/sophos-alert-summaries.json
```

Getting Alerts via stdout

The stdout output type prints alerts to SLS's standard output. This output type is commonly used to quickly test new policy settings during development, and to integrate with existing log shippers in containerized environments.

Note

Alerts will be mixed in with anything else printed to stdout by SLS such as initialization information or logged errors.

Configuration:

| Key | Required | Description |
|---|---|---|
| type | yes | The output type. |
| enabled | yes | Turns the output on or off. |

Here's an example of printing Alerts to stdout:

```yaml
alert_output:
  outputs:
    - type: stdout
      enabled: true
```

Getting Alerts via syslog

The syslog output type sends alerts to a syslog server.

Configuration:

| Key | Required | Description |
|---|---|---|
| type | yes | The output type. |
| enabled | yes | Turns the output on or off. |
| url | yes | The syslog server URL (local or remote). |

Here's an example of sending Alerts to a local syslog server:

```yaml
alert_output:
  outputs:
    # This could also be a remote syslog server
    - type: syslog
      enabled: true
      url: tcp://127.0.0.1:514/sophos_alerts
```

You can also set the syslog URL through an environment variable:

```sh
RUNTIMEDETECTIONS_ALERT_SYSLOG_URL=tcp://syslog-server:514/sophos_alerts
```

Getting Alerts via a webhook

The webhook output type sends alerts to a webhook endpoint with an HTTP request. This output type is incredibly powerful when combined with Alert Templates because it allows users to create ad hoc integrations with a number of third-party services. Some common use cases are to ship Alert summaries to Slack, automatically create Jira tickets when high priority Alerts are seen, or even to send Alerts directly to a Splunk Cloud instance.

| Key | Required | Description |
|---|---|---|
| type | yes | The output type. |
| enabled | yes | Turns the output on or off. |
| url | yes | The URL to send the request to. |
| headers | no | The headers to pass along with the request. Defaults to `Content-Type: application/json`. |
| method | no | The HTTP method to use. Defaults to POST. |
| timeout | no | The timeout in seconds. Defaults to 30. |

Here's an example:

```yaml
alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/sophos_alerts
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "text/plain"
        "X-COMPANY-AUTH": "123456"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template: '{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'
```
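Added example (not SLS code and not part of these docs): a minimal local receiver for the `http://localhost:8080/alerts` entry above that also enforces the shared-secret header the second entry sends, so a mistyped or missing `X-COMPANY-AUTH` is rejected before the body is parsed. It assumes the untemplated webhook body is the full Alert as JSON using the field names seen in this page's templates (UUID, StrategyName, ProcessInfo.Tgid, ProcessInfo.Program.Path); the sample Alert, the header name, the token and the output file name are constructed or taken from the sample config.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared secret the sample config sends in X-COMPANY-AUTH; replace with your own value.
EXPECTED_TOKEN = "123456"

# Constructed sample Alert body (not a real SLS record); only the template fields are filled in.
SAMPLE_ALERT = json.dumps({"UUID": "0000-example", "StrategyName": "example_strategy",
                           "ProcessInfo": {"Tgid": 4242, "Program": {"Path": "/usr/bin/example"}}}).encode()

def check_auth(headers, expected=EXPECTED_TOKEN):
    """Constant-time comparison of the shared-secret header against the expected token."""
    token = headers.get("X-COMPANY-AUTH", "")
    return hmac.compare_digest(token.encode(), expected.encode())

def summarise_alert(body):
    """Parse the JSON Alert and pull out the fields the summary template on this page uses; None if not a JSON object."""
    try:
        alert = json.loads(body)
    except ValueError:
        return None
    if not isinstance(alert, dict):
        return None
    proc = alert.get("ProcessInfo") or {}
    prog = proc.get("Program") or {}
    return {"uuid": alert.get("UUID"), "strategy": alert.get("StrategyName"),
            "tgid": proc.get("Tgid"), "path": prog.get("Path")}

def handle_alert(headers, body, expected=EXPECTED_TOKEN):
    """Pure request logic: returns (http_status, summary_or_None)."""
    if not check_auth(headers, expected):
        return 401, None  # wrong or missing secret: reject before parsing anything
    summary = summarise_alert(body)
    if summary is None or summary["uuid"] is None:
        return 400, None  # malformed body or not an Alert
    return 200, summary

class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = min(int(self.headers.get("Content-Length", "0")), 1 << 20)  # cap body size
        body = self.rfile.read(length)
        status, summary = handle_alert(self.headers, body) if self.path == "/alerts" else (404, None)
        if status == 200:
            with open("received-alerts.log", "a") as fh:  # one JSON line per accepted alert
                fh.write(json.dumps(summary) + "\n")
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it, point the first webhook entry at it, and watch `received-alerts.log` fill with one summary line per accepted Alert while unauthenticated posts are answered with 401.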