
Exporting Alerts to Kafka

Introduction

This document details the steps required to output alerts into Kafka. It assumes that the user has already completed the steps required for setting up and maintaining Kafka (cluster, topics, etc.).

Setting up the sensor

The examples below configure the sensor to send alerts to the Kafka cluster and topic defined by the user.

Add the following block to the file runtimedetections.yaml:

alert_output:
  outputs:
    - type: kafka
      enabled: true
      tls_enabled: true
      client_key_file_path: "{{file path to key}}"
      client_cert_file_path: "{{file path to cert}}"
      client_ca_file_path: "{{file path to ca}}"
      topic: "sophos-alerts"
      brokers:
        - <BROKER URL>

Note

Use the values for topic and broker that you created while setting up Kafka.

Alternatively, the sensor can connect to Kafka with TLS turned off. To do so, use the following block in the file runtimedetections.yaml. With tls_enabled set to false the alerts travel in cleartext, so this form is suited to local testing such as the Kafka quickstart broker on localhost:9092 shown here.

alert_output:
  outputs:
    - type: kafka
      enabled: true
      tls_enabled: false
      topic: "quickstart-events"
      brokers:
        - localhost:9092
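Before restarting the sensor it is worth checking that the alert_output block you added is well-formed, that no documentation placeholder ({{...}} or <BROKER URL>) was left in place, and that the three TLS files actually exist on the host, because these mistakes only surface as a failed connection after the restart. The following pre-flight check is an added example written for this page; it is not part of the Sophos Linux Sensor or its documentation. It assumes (the page does not say so) that the client_*_file_path values are files on the sensor host and that each broker entry is a host:port string; the sample configurations embedded in it are constructed to mirror the two blocks above.

```python
"""Pre-restart sanity check for the alert_output block of runtimedetections.yaml.

Added example, not part of the Sophos documentation or the sensor itself.
Assumptions (not stated on the page): the three client_*_file_path values
point at files on the sensor host, and each broker entry is "host:port".
"""
import os
import re
from typing import Callable, Dict, List, Tuple

TLS_FILE_KEYS = ("client_key_file_path", "client_cert_file_path", "client_ca_file_path")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# host:port where host is a hostname/IPv4 or a bracketed IPv6 literal
BROKER_RE = re.compile(r"^(?P<host>\[[0-9a-fA-F:.]+\]|[^:\s]+):(?P<port>\d{1,5})$")


def looks_like_placeholder(value: str) -> bool:
    """True for the unfilled {{...}} / <...> placeholders used in the docs."""
    return "{{" in value or "}}" in value or value.startswith("<") or value.endswith(">")


def check_kafka_output(output: Dict,
                       file_exists: Callable[[str], bool] = os.path.isfile) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one entry of alert_output.outputs."""
    errors: List[str] = []
    warnings: List[str] = []

    if output.get("type") != "kafka":
        errors.append("type must be 'kafka'")
    for key in ("enabled", "tls_enabled"):
        if not isinstance(output.get(key), bool):
            errors.append(f"{key} must be true or false")

    topic = output.get("topic")
    if not isinstance(topic, str) or not topic.strip() or looks_like_placeholder(topic):
        errors.append("topic must be the name of an existing Kafka topic")

    brokers = output.get("brokers")
    if not isinstance(brokers, list) or not brokers:
        errors.append("brokers must be a non-empty list")
        brokers = []
    remote_broker = False
    for broker in brokers:
        if not isinstance(broker, str) or looks_like_placeholder(broker):
            errors.append(f"broker entry {broker!r} is a placeholder, not host:port")
            continue
        m = BROKER_RE.match(broker)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            errors.append(f"broker entry {broker!r} is not host:port")
            continue
        if m.group("host").strip("[]") not in LOCAL_HOSTS:
            remote_broker = True

    if output.get("tls_enabled") is True:
        # Every TLS file must be filled in and present before the restart.
        for key in TLS_FILE_KEYS:
            path = output.get(key)
            if not isinstance(path, str) or looks_like_placeholder(path):
                errors.append(f"{key} is missing or still a placeholder")
            elif not file_exists(path):
                errors.append(f"{key}: file not found: {path}")
    elif output.get("tls_enabled") is False and remote_broker:
        warnings.append("tls_enabled is false but a broker is not local: "
                        "alerts would cross the network in cleartext")
    return errors, warnings


def check_config(config: Dict,
                 file_exists: Callable[[str], bool] = os.path.isfile) -> Tuple[List[str], List[str]]:
    """Check every entry under alert_output.outputs; returns (errors, warnings)."""
    outputs = config.get("alert_output", {}).get("outputs")
    if not isinstance(outputs, list) or not outputs:
        return ["alert_output.outputs must be a non-empty list"], []
    errors: List[str] = []
    warnings: List[str] = []
    for i, out in enumerate(outputs):
        e, w = check_kafka_output(out, file_exists)
        errors += [f"outputs[{i}]: {msg}" for msg in e]
        warnings += [f"outputs[{i}]: {msg}" for msg in w]
    return errors, warnings


def load_config(path: str) -> Dict:
    """Read the real file; PyYAML is only needed on this path."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed samples mirroring the two blocks in the documentation.
TLS_SAMPLE = {"alert_output": {"outputs": [{
    "type": "kafka", "enabled": True, "tls_enabled": True,
    "client_key_file_path": "{{file path to key}}",
    "client_cert_file_path": "{{file path to cert}}",
    "client_ca_file_path": "{{file path to ca}}",
    "topic": "sophos-alerts", "brokers": ["<BROKER URL>"]}]}}
PLAINTEXT_SAMPLE = {"alert_output": {"outputs": [{
    "type": "kafka", "enabled": True, "tls_enabled": False,
    "topic": "quickstart-events", "brokers": ["localhost:9092"]}]}}

if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else TLS_SAMPLE
    errs, warns = check_config(cfg)
    for line in errs + warns:
        print(line)
    sys.exit(1 if errs else 0)
```

Run as `python3 check_alert_output.py /path/to/runtimedetections.yaml` on the sensor host before the restart; a non-zero exit means something in the block still needs fixing. The cleartext warning is only raised when TLS is off and a broker is not on the local machine, so the localhost quickstart configuration above passes silently.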

Once runtimedetections.yaml is updated, restart SLS using the following command:

sudo systemctl restart sophoslinuxsensor

After restarting SLS, trigger an alert and confirm that it arrives in the Kafka topic.