When you configure Sophos Antivirus to send log data to USM Appliance, you can use the Sophos Antivirus plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
| Connection Type | Database plugin |
|---|---|
| Data Source Name | sophos-mssql |
| Data Source ID | 1558 |
Integrating Sophos Antivirus through MSSQL
Before you configure the Sophos Antivirus integration, you must have the IP Address of the USM Appliance Sensor.
To configure USM Appliance to retrieve data from Sophos Antivirus
Database plugins extract data from an external database and turn it into USM Appliance events. The database plugin configuration file tells USM Appliance how to connect to and query the database.
In the Sophos Antivirus plugin configuration file (/etc/ossim/agent/plugins/sophos-mssql.cfg), the section that starts with [config] defines how USM Appliance connects to the MSSQL database.
To open and update the Sophos Antivirus plugin configuration file, access the command shell on USM Appliance (using the jailbreak option), then go to the plugins directory:
Using a text editor (such as vim), open the plugin file for editing:
To enable communication with the MSSQL database, you will need to enter information for the following fields:
- source_ip: Fully qualified domain name, hostname, or IP address of the MSSQL database server.
- user: Name of the user with access to the database.
- password: Password for the user with access to the database.
After you've updated and saved your changes, restart ossim-agent:
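As an added example (not AlienVault's or Sophos's own code), a small Python check to run against the edited sophos-mssql.cfg before restarting ossim-agent: it confirms that source_ip, user and password in the [config] section are filled in, and that the file, which stores the database password in clear text, is not readable by other accounts. The placeholder list, the constructed sample values and the file-mode threshold are assumptions.

```python
"""Sanity-check the [config] section of a USM Appliance database plugin file such as
/etc/ossim/agent/plugins/sophos-mssql.cfg before restarting ossim-agent. Added example,
not AlienVault or Sophos code; placeholder values and the mode threshold are assumptions."""
import configparser, os, stat

REQUIRED_KEYS = ("source_ip", "user", "password")
# Values that mean "not filled in yet" (assumed placeholders, not vendor defaults).
PLACEHOLDERS = {"", "changeme", "password", "<user>", "<password>", "x.x.x.x"}

def parse_plugin_config(text):
    # interpolation=None: plugin files carry regexes that contain '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def config_section_problems(text):
    """Return a list of problems in [config]; an empty list means it looks complete."""
    cp = parse_plugin_config(text)
    if not cp.has_section("config"):
        return ["missing [config] section"]
    problems = []
    for key in REQUIRED_KEYS:
        value = cp.get("config", key, fallback="").strip()
        if value.lower() in PLACEHOLDERS:
            problems.append(f"{key} is unset or still a placeholder")
    return problems

def mode_problems(mode, path="sophos-mssql.cfg"):
    """The file holds the database password in clear text, so it should be
    accessible only by its owner (the account that runs ossim-agent)."""
    if mode & (stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path} is accessible by group/other (mode {oct(mode)})"]
    return []

def check_plugin_file(path):
    """Run both checks against a file on disk (e.g. on the USM Appliance Sensor)."""
    with open(path) as fh:
        problems = config_section_problems(fh.read())
    return problems + mode_problems(stat.S_IMODE(os.stat(path).st_mode), path)

# Constructed sample: plugin ID 1558 from the page, [config] keys not yet filled in.
UNFILLED = """[DEFAULT]
plugin_id=1558
[config]
source_ip=
user=usm_reader
password=changeme
"""
FILLED = UNFILLED.replace("source_ip=", "source_ip=10.0.0.25").replace("changeme", "S3cret!")
```

Running check_plugin_file("/etc/ossim/agent/plugins/sophos-mssql.cfg") on the Sensor returns an empty list when the section is complete and the file mode is restrictive.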
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, see the vendor documentation.