
Getting started: exporting alerts

Sophos Linux Sensor (SLS) offers several alert output types so that Alert data can be consumed in whatever way fits an existing workflow. Each output is one entry under alert_output.outputs, and more than one output can be enabled at the same time.

Getting Alerts via a file

The file output type writes alerts to a file on SLS's local file system. This output type is commonly used to integrate with existing log shippers that can read from a log file.

Configuration:

Key | Required | Description
type | yes | The output type (file).
enabled | yes | Enables/disables the output.
name | yes | The file name (path of the log file).
max_size | no | The maximum size in MB a log file can reach before it is rotated. Defaults to 100.
max_backups | no | The maximum number of rotated log files to retain. Defaults to keeping all old log files.

Here's an example of SLS writing to two local files. The second output also sets template (see Alert Templates), which is not listed in the table above; note that the template shown produces plain-text lines rather than JSON, whatever the file extension, so a log shipper reading that file must not expect JSON:

alert_output:
  outputs:
    # Write the full Alert to a local log file
    - type: file
      enabled: true
      name: /var/log/sophos-alerts.json

    # Write a truncated Alert summary to a different local log file
    - type: file
      enabled: true
      template: "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Tgid}} {{.ProcessInfo.Program.Path}}"
      name: /var/log/sophos-alert-summaries.json

Getting Alerts via stdout

The stdout output type prints alerts to SLS's standard output. This output type is commonly used to quickly test new policy settings during development, and to integrate with log shippers that collect container stdout in containerized environments.

Note

Alerts will be mixed in with anything else printed to stdout by SLS such as initialization information or logged errors.

Configuration:

Key | Required | Description
type | yes | The output type (stdout).
enabled | yes | Enables/disables the output.

Here's an example of printing Alerts to stdout:

alert_output:
  outputs:
    - type: stdout
      enabled: true

Getting Alerts via syslog

The syslog output type sends alerts to a syslog server, local or remote. Plain tcp:// syslog is neither encrypted nor authenticated, so deliver it to a collector on the same host (as in the example below) or across a network you trust, not straight over the internet.

Configuration:

Key | Required | Description
type | yes | The output type (syslog).
enabled | yes | Enables/disables the output.
url | yes | The syslog server URL (local or remote).

Here's an example of sending Alerts to a local syslog server (the same form works for a remote server):

alert_output:
  outputs:
    - type: syslog
      enabled: true
      url: tcp://127.0.0.1:514/sophos_alerts

The syslog URL can also be set with an environment variable:

RUNTIMEDETECTIONS_ALERT_SYSLOG_URL=tcp://syslog-server:514/sophos_alerts

Getting Alerts via a webhook

The webhook output type sends each alert to a webhook endpoint as an HTTP request. Combined with Alert Templates it lets you build ad hoc integrations with third-party services: shipping Alert summaries to Slack, creating Jira tickets when high priority Alerts are seen, or posting Alerts directly to a Splunk Cloud instance. Where the URL or headers carry credentials (a Slack incoming-webhook URL is itself a secret, as is the auth header in the example below), restrict who can read the SLS configuration file and use https:// for any endpoint outside the host; the plain http://localhost example is for local testing only.

Configuration:

Key | Required | Description
type | yes | The output type (webhook).
enabled | yes | Enables/disables the output.
url | yes | The URL to send the request to.
headers | no | Headers sent with the request. Defaults to "Content-Type: application/json". When a template is set, the body is whatever the template renders, so set Content-Type to match (the example below uses text/plain for a plain-text template).
method | no | The HTTP method to use. Defaults to POST.
timeout | no | The request timeout in seconds. Defaults to 30.

Here's an example:

alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/sophos_alerts
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "text/plain"
        "X-COMPANY-AUTH": "123456"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template: '{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'
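The {{.Field}} syntax used by the file-summary template above and by the Slack template here is the syntax of Go's text/template. The following is an added example, not code from this page or from SLS: it renders both templates against a constructed alert and checks whether the Slack template still yields valid JSON once a field contains a double quote. The Alert struct is an assumption that carries only the fields the two templates name, not the SLS alert schema, and that SLS itself uses text/template is inferred from the syntax.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// These structs are an assumption for this example: they carry only the
// fields the templates on this page reference and are not the SLS alert schema.
type ProgramInfo struct{ Path string }

type ProcessInfo struct {
	Tgid    int
	Program ProgramInfo
}

type Alert struct {
	UUID         string
	StrategyName string
	PolicyType   string
	Description  string
	ProcessInfo  ProcessInfo
}

// Templates copied from the configuration examples on this page.
const SummaryTmpl = "{{.UUID}} {{.StrategyName}} {{.ProcessInfo.Tgid}} {{.ProcessInfo.Program.Path}}"
const SlackTmpl = `{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}`

// Render expands tmpl against a with text/template. Referencing a field the
// alert does not have is an execution error, so typos surface here rather
// than on a live sensor.
func Render(tmpl string, a Alert) (string, error) {
	t, err := template.New("alert").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, a); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// RendersValidJSON reports whether a template that is meant to produce a JSON
// body (the Slack example) still does so for this particular alert.
func RendersValidJSON(tmpl string, a Alert) (bool, error) {
	out, err := Render(tmpl, a)
	if err != nil {
		return false, err
	}
	return json.Valid([]byte(out)), nil
}

func main() {
	// Constructed sample alert, not real sensor output.
	a := Alert{
		UUID:         "3f2a9c1e",
		StrategyName: "shell_from_web_server",
		PolicyType:   "runtime",
		Description:  "Shell spawned by nginx",
		ProcessInfo:  ProcessInfo{Tgid: 4242, Program: ProgramInfo{Path: "/bin/sh"}},
	}
	out, _ := Render(SummaryTmpl, a)
	fmt.Println("summary:", out)

	ok, _ := RendersValidJSON(SlackTmpl, a)
	fmt.Println("slack body valid JSON:", ok)

	// A description containing a double quote breaks the hand-written JSON:
	// the receiving service will reject or mangle the request.
	a.Description = `Executed "sh -c id"`
	ok, _ = RendersValidJSON(SlackTmpl, a)
	fmt.Println("slack body valid JSON with quoted description:", ok)
}
```

The second check is the one to run before pointing a JSON-producing template at a real service: any alert field that is interpolated into a hand-written JSON body is untrusted data (process paths and descriptions can contain quotes and backslashes), so either keep such fields out of JSON templates or verify that the rendered body stays valid for the inputs you expect.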
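To see exactly what a webhook output sends before pointing it at a third-party service, run a receiver on the http://localhost:8080/alerts URL from the first example. The following is an added example, not SLS code or a Sophos tool: a Go receiver that optionally checks the hypothetical X-COMPANY-AUTH header and value from the second example, distinguishes application/json bodies (the full Alert) from text/plain templated ones, bounds the body size, and logs what arrived. The full Alert's JSON field names are not documented on this page, so the receiver logs the decoded object as a whole.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"strings"
)

// ExpectedAuth is the value the SLS output is configured to send in its
// X-COMPANY-AUTH header (hypothetical header and value taken from the page's
// example config). Leave it empty to accept requests without the header,
// which is what the first webhook example sends.
var ExpectedAuth = "123456"

// maxBody bounds how much of a request body is read; an Alert is far smaller.
const maxBody = 1 << 20

// Received is what ProcessRequest extracts from one delivery.
type Received struct {
	Status int
	JSON   map[string]any // set for application/json bodies (the full Alert)
	Text   string         // set for other bodies, e.g. a text/plain templated summary
}

// ProcessRequest validates one alert delivery and returns the status to send
// and the decoded body. It is separate from the HTTP plumbing so it can be
// exercised with net/http/httptest.
func ProcessRequest(r *http.Request) Received {
	// The page's examples use POST (the default) and PUT; reject anything else.
	if r.Method != http.MethodPost && r.Method != http.MethodPut {
		return Received{Status: http.StatusMethodNotAllowed}
	}
	if ExpectedAuth != "" && r.Header.Get("X-COMPANY-AUTH") != ExpectedAuth {
		return Received{Status: http.StatusUnauthorized}
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody))
	if err != nil {
		return Received{Status: http.StatusBadRequest}
	}
	if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
		var alert map[string]any
		if err := json.Unmarshal(body, &alert); err != nil || alert == nil {
			return Received{Status: http.StatusBadRequest}
		}
		return Received{Status: http.StatusOK, JSON: alert}
	}
	return Received{Status: http.StatusOK, Text: string(body)}
}

func alertsHandler(w http.ResponseWriter, r *http.Request) {
	rcv := ProcessRequest(r)
	switch {
	case rcv.JSON != nil:
		log.Printf("alert (%d fields): %v", len(rcv.JSON), rcv.JSON)
	case rcv.Status == http.StatusOK:
		log.Printf("alert summary: %s", rcv.Text)
	default:
		log.Printf("rejected %s %s from %s: HTTP %d", r.Method, r.URL.Path, r.RemoteAddr, rcv.Status)
	}
	w.WriteHeader(rcv.Status)
}

func main() {
	// Matches the url in the first webhook example on this page.
	http.HandleFunc("/alerts", alertsHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Start it with go run, enable the first webhook output, and trigger a test alert; a 401 in the receiver's log means the header in the SLS config and ExpectedAuth disagree, and a 400 means the body was not the JSON the Content-Type promised, which is what happens when a template is set without changing Content-Type.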