Exporting Alerts to Kafka
Introduction
This document details the steps required to send alerts to Kafka. It assumes that the user has already completed the steps required for setting up and maintaining Kafka (cluster, topics, etc.).
Setting up the sensor
The examples below configure the sensor to send alerts to the Kafka cluster and topic defined by the user.
Add the following to the file runtimedetections.yaml:

alert_output:
  outputs:
    - type: kafka
      enabled: true
      tls_enabled: true
      client_key_file_path: "{{file path to key}}"
      client_cert_file_path: "{{file path to cert}}"
      client_ca_file_path: "{{file path to ca}}"
      topic: "sophos-alerts"
      brokers:
        - <BROKER HOST>:<PORT>
Note
Use the topic and broker values that you created while setting up Kafka. Each entry under brokers is a bootstrap address in host:port form, not a URL. With tls_enabled: true, the three file paths make the sensor present a client certificate to the broker (mutual TLS), so the broker must trust the CA that issued that certificate; keep the private key file readable only by its owner (mode 600).
Another way to configure the sensor's connection to Kafka is to turn off TLS. With tls_enabled: false the sensor sends alerts in clear text and cannot verify that it is talking to the intended broker, so use this only for local testing against a broker on the same host. The example below uses the topic and port from the Kafka quickstart. Put the following in runtimedetections.yaml to turn off TLS:

alert_output:
  outputs:
    - type: kafka
      enabled: true
      tls_enabled: false
      topic: "quickstart-events"
      brokers:
        - localhost:9092
Once runtimedetections.yaml is updated, restart the Sophos Linux Sensor (SLS) using the following command:
sudo systemctl restart sophoslinuxsensor
After restarting SLS, trigger an alert and confirm that it arrives on the Kafka topic, for example by running a console consumer against the topic while the alert is triggered.
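The following script ties the procedure together: it checks the broker entry and the TLS files before the restart, restarts the sensor, and then waits for one message on the topic so that a triggered alert can be seen end to end. It is an added example and is not part of the Sophos documentation or product; every file path, the broker address kafka1.example.internal:9093, the topic and the consumer properties file are assumptions to be replaced with the values from your own runtimedetections.yaml.

```shell
#!/bin/sh
# Added example (not from the Sophos documentation): pre-flight checks for the
# Kafka alert output, a sensor restart, and a consumer that confirms an alert
# reaches the topic. All paths, the broker and the topic are assumptions.
set -u

# check_broker HOST:PORT
# Returns 0 when the entry is a bare host:port bootstrap address. Kafka brokers
# are not URLs, so entries with a scheme ("kafka://", "https://") are rejected,
# as are entries with no host, no port, or a port outside 1-65535.
check_broker() {
    case "$1" in
        *://*|'') return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    port="${1##*:}"
    host="${1%:*}"
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# check_pem PATH
# Returns 0 when the certificate or CA file exists and is readable.
check_pem() {
    [ -f "$1" ] && [ -r "$1" ]
}

# check_private_key PATH
# Returns 0 when the key exists and is not readable by group or others. A
# world-readable client key would let any local user impersonate the sensor
# to the broker.
check_private_key() {
    check_pem "$1" || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_delivery TOPIC BROKER [CONSUMER_PROPERTIES]
# Reads one message from the topic, waiting at most 60 seconds. The consumer
# starts from the latest offset, so start it first and then trigger the alert;
# an old message already on the topic will not satisfy it. For a TLS listener
# pass a consumer properties file (security.protocol=SSL plus keystore and
# truststore settings) as the third argument.
verify_delivery() {
    topic="$1"; broker="$2"; props="${3:-}"
    if [ -n "$props" ]; then
        timeout 60 kafka-console-consumer.sh --bootstrap-server "$broker" \
            --topic "$topic" --max-messages 1 --consumer.config "$props"
    else
        timeout 60 kafka-console-consumer.sh --bootstrap-server "$broker" \
            --topic "$topic" --max-messages 1
    fi
}

# main: run the checks against assumed paths, restart the sensor, then wait
# for an alert on the topic. Trigger a test alert from another shell once the
# consumer is waiting.
main() {
    key=/etc/sophos/certs/kafka-client.key    # assumed path
    cert=/etc/sophos/certs/kafka-client.crt   # assumed path
    ca=/etc/sophos/certs/kafka-ca.crt         # assumed path
    broker=kafka1.example.internal:9093       # assumed TLS listener
    topic=sophos-alerts
    props=/etc/sophos/certs/consumer.properties   # assumed path

    check_broker "$broker" || { echo "bad broker entry: $broker" >&2; exit 1; }
    check_private_key "$key" || { echo "key missing or too permissive: $key" >&2; exit 1; }
    check_pem "$cert" && check_pem "$ca" || { echo "cert or CA unreadable" >&2; exit 1; }

    sudo systemctl restart sophoslinuxsensor
    sudo systemctl is-active --quiet sophoslinuxsensor || { echo "sensor did not start" >&2; exit 1; }

    echo "waiting up to 60s for an alert on $topic; trigger one now"
    verify_delivery "$topic" "$broker" "$props"
}

# The restart and consumer only run when invoked as: sh kafka-alert-check.sh run
case "${1:-}" in
    run) main ;;
esac
```

The checks run before the restart on purpose: a missing or unreadable key file only shows up in the sensor's logs after the restart, whereas an overly permissive key is never reported by the sensor at all. The consumer is left in the foreground so that a zero exit status means at least one alert was actually delivered over the configured connection.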