Skip to content
Last update: 2022-05-10

Exporting Alerts to S3

The blobstorage output type sends alerts to individual files in an AWS S3 bucket. Sophos Linux Sensor (SLS) can optionally create the target bucket or buckets so long as it has sufficient permissions.

Access to an AWS S3 bucket can either be granted explicitly by specifying an access key in the config or implicitly by granting role-based access to the service that is running SLS (for example the EC2 role).

This output type is commonly used for easy archiving of alerts in a durable store. It can also be used as the trigger for an ETL process in cloud environments where blob storage write events trigger a cloud function that processes the incoming alert. At this point alerts can be enriched, transformed, and shipped out to other systems as needed.

Configuration:

KeyRequiredDescription
typeyesThe output type.
enabledyesEnables/disables the output.
provideryesThe cloud provider name.
bucket_nameyesThe name of the bucket to write to. Subpaths within a bucket can be specified by delimiting the bucket name with a /
create_bucketno Enables/disables bucket creation.

AWS-specific configuration:

KeyRequiredDescription
aws_regionyesThe AWS region.
aws_access_key_idnoThe AWS Access Key ID.
aws_secret_access_keynoThe AWS Secret Access Key.
aws_session_tokennoThe AWS Session Token.
aws_aclnoAn ACL string such as "bucket-owner-full-control" to add to the request. Requires s3:PutObjectAcl permissions.

Example sending Alerts to AWS:

alert_output:
  outputs:
      # Write the Alert to AWS S3 authed through access keys
    - type: blobstorage
      enabled: true
      create_bucket: true
      bucket_name: sophos-alerts
      provider: aws
      aws_access_key_id: $ACCESS_KEY_ID
      aws_secret_access_key: $SECRET_ACCESS_KEY
      aws_region: us-east-2
      aws_acl: "bucket-owner-full-control"
Back to top