
Log File Retention

I'm looking for some clarification concerning the log files used in Sophos ESDP (I have researched this a bit, but have so far come up nearly empty in my search attempts). Our environment is Enterprise Console 4.5 with 180 clients. The goal is to have the ability to immediately provide 3 months of "audit trails" of Sophos log generation for a security audit. Additionally, we would need to have the log files retained for at least a year. Storage space is not an issue; in my mind, the more logged information we can provide, the better.

On to my question on retention (a two-part question). The first part: is there a default amount of time a log is retained on the clients, or is this dictated by the amount of disk space devoted to the aforementioned log files? If there is a way to set the amount of time a log file is retained, how would one go about accomplishing this?

My second question concerns the possibility of having the log files pulled to a central syslog server. If this option is available, then the retention of the log files on the local machine is no longer relevant, as they would be stored on a syslog server where we could retain them for the required period of time.

Thank you in advance

  • Hi,

    Firstly, the SEC database is a great central store of information. However, you may want to change the default retention period:
    Tools - Configure Reporting - Purge (tab), as 12 months is the default for the purging of dealt-with alerts. This could be increased.
    For the clients, there are many components to consider, all of which log to various files, at various levels and with different rotation periods. I'm not sure all of the logs are useful. What are you trying to retain exactly?
    The following articles have some info on logs:
    Below is what I have worked out looking at the GUI or with Process Monitor experiments.
    SAV
    sav.txt is the main one and rotates on a monthly cycle up to 100 months.  
    Sophos Client Firewall
    "Keep all records" can be selected, the limiting factor then becomes the underlying Access database used.
    Sophos Device Control
    devicecontrol.txt is the main one and rotates on a monthly cycle up to 100 months.  
    Sophos Data Control
    datacontrol.txt is the main one and rotates on a monthly cycle up to 100 months.  
    Sophos AutoUpdate
    alc.log is less verbose than the trace logs, up to 99 MB of data max; setting it to normal rather than verbose would span more time.

    RMS
    Router, Agent and Certification Manager logs, all of which default to 4 x 1 MB. Although a new log is created at each service startup, so they may not get to 1 MB. The size, log level and number of logs can be configured with DWORD registry keys:

    Router:
    HKLM\SOFTWARE\Sophos\Messaging System\Router\LogLevel (http://www.sophos.com/support/knowledgebase/article/30496.html) Default is 0, 1 is debug, 2 is trace.
    HKLM\SOFTWARE\Sophos\Messaging System\Router\LogFileMaxSize (1MB in bytes)
    HKLM\SOFTWARE\Sophos\Messaging System\Router\LogFileCount (default 4)

    Agent:
    HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\LogFileMaxSize (1MB in bytes)
    HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\LogFileCount (default 4)
    HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\LogLevel (default 0)

    CM:
    HKLM\SOFTWARE\Sophos\Certification Manager\LogFileMaxSize (1MB in bytes)
    HKLM\SOFTWARE\Sophos\Certification Manager\LogFileCount (default 4)
    HKLM\SOFTWARE\Sophos\Certification Manager\LogLevel (default 0)

    CM Issued Cert log just grows as far as I can tell.

    Management Service Logs
    10 x 1MB by default. To configure you can edit "MgntSvc.exe.config", specifically the settings:
    <maxSizeRollBackups value="10" />
    <maximumFileSize value="1048576" />

    SUM
    GUI option: 999 days, up to 999 MB

    It is worth pointing out that increasing the logging may have a performance impact in certain cases, I would think.
    For logs that just remain on disk archived, such as sav.txt, it should not, however.
    Of course the Event log will have a number of events.

    I would suggest that you consider using the SEC database for events, computer and alert information and supplement it with sav.txt files and the FW Access database from clients. I'm not sure how useful RMS information will be, as the resulting messages will typically result in database entries. Maybe the issued certificates log is worth keeping.

    The database has a reporting interface that can be installed to simplify presentation of the data:
    /search?q= 8285 when accessing the database.

    Hope this has some useful information.

    Regards,

    Jak

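As an added example (not code from the original post, and not Sophos's own tooling), the following PowerShell audits the RMS log rotation DWORDs listed in Jak's reply (Router, Management Agent, Certification Manager) on a client and, with `-WhatIf` to preview, raises the file count and size so that more history survives. The key paths, value names and the 4 x 1 MB / LogLevel 0 defaults are those stated above; the fallback to the `Wow6432Node` view on 64-bit Windows and the assumption that new limits apply from the next service restart are mine.

```powershell
# Added example, not code from the original post or from Sophos: audit and
# adjust the RMS log rotation DWORDs listed above. Key paths, value names and
# defaults are those the post gives; the Wow6432Node fallback is an assumption.

$RmsLogKeys = [ordered]@{
    'Router'               = 'SOFTWARE\Sophos\Messaging System\Router'
    'ManagementAgent'      = 'SOFTWARE\Sophos\Remote Management System\ManagementAgent'
    'CertificationManager' = 'SOFTWARE\Sophos\Certification Manager'
}

# Defaults as stated in the post: 4 files x 1 MB (1048576 bytes), LogLevel 0.
$RmsLogDefaults = @{ LogFileMaxSize = 1048576; LogFileCount = 4; LogLevel = 0 }

function Resolve-SophosRegKey {
    param([Parameter(Mandatory)][string]$RelativePath)
    # Native view first, then the 32-bit redirected view (assumption: RMS is 32-bit).
    $candidates = @(
        "HKLM:\$RelativePath",
        ("HKLM:\" + ($RelativePath -replace '^SOFTWARE\\', 'SOFTWARE\Wow6432Node\'))
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) { return $path }
    }
    return $null
}

function Get-SophosRmsLogSettings {
    # One object per component with the effective (explicit or default) values.
    foreach ($name in $RmsLogKeys.Keys) {
        $key = Resolve-SophosRegKey -RelativePath $RmsLogKeys[$name]
        if (-not $key) {
            Write-Warning "$name key not found; component may not be installed"
            continue
        }
        $props = Get-ItemProperty -LiteralPath $key
        $size  = if ($null -ne $props.LogFileMaxSize) { [long]$props.LogFileMaxSize } else { $RmsLogDefaults.LogFileMaxSize }
        $count = if ($null -ne $props.LogFileCount)   { [int]$props.LogFileCount }    else { $RmsLogDefaults.LogFileCount }
        $level = if ($null -ne $props.LogLevel)       { [int]$props.LogLevel }        else { $RmsLogDefaults.LogLevel }
        [pscustomobject]@{
            Component        = $name
            KeyPath          = $key
            LogLevel         = $level        # 0 default, 1 debug, 2 trace (per the post)
            LogFileMaxSizeMB = [math]::Round($size / 1MB, 2)
            LogFileCount     = $count
            MaxOnDiskMB      = [math]::Round(($size * $count) / 1MB, 2)
            Explicit         = ($null -ne $props.LogFileMaxSize -or $null -ne $props.LogFileCount)
        }
    }
}

function Set-SophosRmsLogSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 1000)][int]$LogFileCount,
        [ValidateRange(1, 1024)][int]$LogFileMaxSizeMB,
        [string[]]$Component = $RmsLogKeys.Keys
    )
    # LogLevel is deliberately left alone: the post notes verbose logging can
    # cost performance, and retention is governed by size x count, not level.
    foreach ($name in $Component) {
        $key = Resolve-SophosRegKey -RelativePath $RmsLogKeys[$name]
        if (-not $key) { Write-Warning "$name key not found; skipping"; continue }
        if ($PSBoundParameters.ContainsKey('LogFileCount') -and
            $PSCmdlet.ShouldProcess($key, "Set LogFileCount=$LogFileCount")) {
            Set-ItemProperty -LiteralPath $key -Name LogFileCount -Value $LogFileCount -Type DWord
        }
        if ($PSBoundParameters.ContainsKey('LogFileMaxSizeMB') -and
            $PSCmdlet.ShouldProcess($key, "Set LogFileMaxSize=$($LogFileMaxSizeMB * 1MB)")) {
            Set-ItemProperty -LiteralPath $key -Name LogFileMaxSize -Value ($LogFileMaxSizeMB * 1MB) -Type DWord
        }
    }
    # The post says a fresh log is created at service startup, so the new limits
    # are expected to apply from the next restart of the RMS services (assumption).
}

# Usage: audit first, then dry-run the change before committing it.
Get-SophosRmsLogSettings | Format-Table -AutoSize
# Set-SophosRmsLogSettings -LogFileCount 12 -LogFileMaxSizeMB 4 -WhatIf
```

Because these logs rotate by size and restart rather than by date, the number of files that covers 3 months on a given client depends on how often the services restart and how chatty the machine is; audit the `MaxOnDiskMB` column and the age of the oldest rotated file before deciding on a count, and keep copying the files off the client, since local rotation alone cannot give a one-year guarantee.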
  • "What are you trying to retain exactly?" - We are just wanting to show that the clients are up to date and that any threat events are logged. I have parsed through the articles you have linked, and we are now working with the database reporting function to pull those logged events we are looking for. We will then pull the reports we run from the EC database to a central syslogging server, as any system events (Windows events, AV logs etc.) must be consolidated on a central server for this requirement to keep in compliance.


    I appreciate all your assistance on this matter and you have been more than helpful. Kudos and thank you Jak.
