When you configure USM Appliance to read event data from the Sophos Antivirus database, the Sophos Antivirus plugin translates the raw database records into normalized events for analysis. The table below provides basic information for the plugin.
| Device | Details |
|---|---|
| Vendor | Sophos |
| Device Type | Antivirus |
| Connection Type | Database plugin |
| Data Source Name | sophos-mssql |
| Data Source ID | 1558 |
Integrating Sophos Antivirus through MSSQL
Before you configure the Sophos Antivirus integration, you must have the IP address of the USM Appliance Sensor, and the Sensor must be able to reach the Sophos MSSQL server over the network (TCP port 1433 in the default configuration). You also need a database account for the plugin to log in with. Because the plugin only reads from the database, and because the credential is stored in clear text in the plugin configuration file, use a dedicated account with read-only access to the Sophos database rather than an administrative login.
To configure USM Appliance to retrieve data from Sophos Antivirus
Database plugins extract data from an external database and turn it into USM Appliance events. The database plugin configuration file tells USM Appliance how to connect to the database and which queries to run against it.
In the Sophos Antivirus plugin configuration file (/etc/ossim/agent/plugins/sophos-mssql.cfg), the section that starts with [config] details how USM Appliance connects to the MSSQL database.
[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
To open and update the Sophos Antivirus plugin configuration file, access the command shell on USM Appliance (using the jailbreak option), then go to the plugins directory:
cd /etc/ossim/agent/plugins/
Using a text editor (such as vim), open the plugin file for editing:
vim sophos-mssql.cfg
To enable communication with the MSSQL database, you must enter information for the following fields:
- source_ip: Fully qualified domain name, hostname, or IP address of the MSSQL server.
- user: Name of the database user with access to the Sophos database.
- password: Password for that user.
- db: Name of the Sophos database to query; replace the SophosXXX placeholder with the actual database name.
After you've updated and saved your changes, restart ossim-agent:
/etc/init.d/ossim-agent restart
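The edit above is easy to get wrong in ways that only show up as a silent plugin failure after the restart, and the file ends up holding a database password in clear text. The following pre-flight check is an added example, not code from the AlienVault documentation or the USM Appliance product: it parses the [config] section of a sophos-mssql.cfg the way you would review it by hand and reports empty fields, the stock placeholders (db_user, db_pass, SophosXXX) left in place, use of the MSSQL sa login, and a config file readable by users other than root. The two sample configurations, the IP address, the account name and the database name SOPHOS_EXAMPLE are constructed for the demo and are not real values from the page.

```python
"""Pre-flight check for a USM Appliance database plugin config (sophos-mssql.cfg).

Added example, not part of the AlienVault documentation or product. It checks the
[config] section for the mistakes that most often break the integration or expose
the database credential, before ossim-agent is restarted.
"""
import configparser
import os
import stat
import tempfile

# Fields the documentation says must be filled in before the plugin can connect.
REQUIRED = ("source_ip", "user", "password", "db")
# Placeholder values shipped in the stock file; leaving them in is a misconfiguration.
PLACEHOLDERS = {"user": "db_user", "password": "db_pass", "db": "SophosXXX"}

# Constructed sample: the stock file as documented, nothing filled in yet.
STOCK_CFG = """[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
"""

# Constructed sample: the same file after editing (all values invented for the demo).
FILLED_CFG = (
    STOCK_CFG.replace("source_ip=", "source_ip=10.0.0.25")
    .replace("user=db_user", "user=usm_reader")
    .replace("password=db_pass", "password=correct-horse-battery")
    .replace("db=SophosXXX", "db=SOPHOS_EXAMPLE")
)


def parse_plugin_config(text):
    """Return the [config] section of a plugin .cfg as a dict of lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("config"):
        raise ValueError("no [config] section in plugin file")
    return dict(parser.items("config"))


def check_plugin_config(cfg):
    """Return a list of human-readable problems; an empty list means the config is complete."""
    problems = []
    if cfg.get("source") != "database" or cfg.get("source_type") != "mssql":
        problems.append("source/source_type must be database/mssql for this plugin")
    for key in REQUIRED:
        value = cfg.get(key, "").strip()
        if not value:
            problems.append(f"{key} is empty")
        elif PLACEHOLDERS.get(key) == value:
            problems.append(f"{key} still has the placeholder value {value!r}")
    # Least privilege: the plugin only reads, so the MSSQL sysadmin login is never needed.
    if cfg.get("user", "").strip().lower() == "sa":
        problems.append("user is the MSSQL 'sa' login; use a dedicated read-only account")
    port = cfg.get("source_port", "").strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"source_port {port!r} is not a valid TCP port")
    if cfg.get("enable", "").strip().lower() != "yes":
        problems.append("enable is not 'yes'; the plugin will not start")
    return problems


def check_file_permissions(path):
    """Return problems with the file mode: the config holds the DB password in clear text."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} is readable by group/other (mode {mode:04o}); use chmod 600")
    return problems


def demo_permission_check():
    """Write the filled config to a temp file, check it world-readable, then locked down.

    Returns the number of permission problems found before and after chmod 600.
    """
    fd, path = tempfile.mkstemp(suffix=".cfg")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(FILLED_CFG)
        os.chmod(path, 0o644)
        before = len(check_file_permissions(path))
        os.chmod(path, 0o600)
        after = len(check_file_permissions(path))
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for name, text in (("stock", STOCK_CFG), ("filled", FILLED_CFG)):
        problems = check_plugin_config(parse_plugin_config(text))
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    print("permission problems before/after chmod 600:", demo_permission_check())
```

Run it against the real file with `parse_plugin_config(open("/etc/ossim/agent/plugins/sophos-mssql.cfg").read())` and `check_file_permissions(...)` before issuing the restart; a non-empty result means ossim-agent will restart but the plugin will not return events.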
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, see the vendor documentation.