
Sophos AV Client Logs sav.txt - Can this be made to hold information longer?

Hi all


I work in an environment with 2500 seats, all have Sophos AV on them

We have had recommendation from new security guidelines to have all AV clients keep logs for 12 months

I know the local log is stored in C:\ProgramData\Sophos\Sophos Anti-Virus\logs and called SAV.txt, but it seems to only be holding a month's worth of info?

I just wondered if anyone had any experience with this or advice? Needless to say I can't find any options anywhere to change it!


Thanks in Advance for any help

Gareth

  • Hello Gareth,

    C:\ProgramData\Sophos\Sophos Anti-Virus\logs
    contains in addition to SAV.txt (which is the log for the current month) archives for previous logs (SAV_yyyymmdd.txt). By default 4 archives are kept - you can increase this number with the local GUI. You probably need a way to set this on 2500 endpoints ... hm ...

    Note that by default alerts and events are also sent (unless you've modified the default policy) to the Windows Event Log. IMO logs or similar important audit data should be copied or moved off the endpoints and backed up in a more secure location anyway - but this is just MO.

    Christian
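The retention problem Christian points at can be handled on the collection side rather than by stretching the local archive count: the script below (an added example, not code from the thread or from Sophos) copies SAV.txt and the SAV_yyyymmdd.txt archives off an endpoint to a central share, records a hash manifest, and prunes copies on the collector after a retention period. The share path, the running account's write access and the 365-day default are assumptions for illustration; it is meant to run as a scheduled task or startup script on each endpoint.

```powershell
# Added example, not from the thread: pull the rotated Sophos AV logs off an endpoint
# to a central share so the 12-month requirement no longer depends on the local
# archive count. Assumptions (not stated in the thread): the share path below is a
# placeholder, the account running this (scheduled task or startup script) can write
# to it, and archive names follow the SAV_yyyymmdd.txt pattern Christian describes.
param(
    [string]$LogDir        = 'C:\ProgramData\Sophos\Sophos Anti-Virus\logs',
    [string]$Collector     = '\\logserver\savlogs$',   # placeholder, replace with your share
    [int]   $RetentionDays = 365
)

$ErrorActionPreference = 'Stop'
$dest = Join-Path $Collector $env:COMPUTERNAME
if (-not (Test-Path -LiteralPath $dest)) {
    New-Item -ItemType Directory -Path $dest | Out-Null
}

# Copy each archived month once; re-copy only if the endpoint's file is newer.
Get-ChildItem -LiteralPath $LogDir -Filter 'SAV_*.txt' | ForEach-Object {
    $target = Join-Path $dest $_.Name
    if (-not (Test-Path -LiteralPath $target) -or $_.LastWriteTime -gt (Get-Item -LiteralPath $target).LastWriteTime) {
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
    }
}

# SAV.txt is the live current-month log; always refresh the copy of it.
Copy-Item -LiteralPath (Join-Path $LogDir 'SAV.txt') -Destination (Join-Path $dest 'SAV_current.txt') -Force

# Record SHA-256 hashes of what was copied so later modification on the share is detectable.
Get-ChildItem -LiteralPath $dest -Filter 'SAV*.txt' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -LiteralPath (Join-Path $dest 'SHA256SUMS.txt')

# Prune collector copies older than the retention period (365 days by default).
Get-ChildItem -LiteralPath $dest -Filter 'SAV_*.txt' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force
```

Give endpoints write-only (no delete) rights on the share and do the pruning from the collector instead if you want the copies to survive a compromised endpoint; the hash manifest only helps if it is also written somewhere the endpoint cannot later alter. Sending the Windows Event Log entries Christian mentions to a SIEM covers the same requirement with less custom tooling.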

  • Hello Gareth,

    Found that external modification to machine.xml seems to be "officially permitted". Thus it should not be too hard to make the desired modification with a script. Change the settings on an endpoint, note the changes to machine.xml (guess the applicable <rotation/> tag for SAV.txt is always the first). The script should stop the AV service, replace the <rotation/> tag with the appropriate values and then start the service.

    Christian
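The procedure Christian outlines (stop the service, edit the first <rotation/> element in machine.xml, start the service), written out as an added example that is not code from the thread or from Sophos. The config path, the service name SAVService and the attribute that holds the archive count are assumptions: the thread does not name them, so determine the attribute by changing the value in the local GUI on one endpoint and diffing machine.xml before and after, as Christian suggests, then pass it in as -Attribute.

```powershell
# Added example, not from the thread: apply an archive-count setting to machine.xml
# the way Christian outlines: stop the service, edit the first <rotation/> element,
# restart. Assumptions (not confirmed by the thread): the config path, the service
# name 'SAVService', and the attribute name, which must be taken from a GUI diff.
param(
    [string]$ConfigPath  = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml',
    [string]$ServiceName = 'SAVService',
    [Parameter(Mandatory)][string]$Attribute,   # attribute name observed in the machine.xml diff
    [int]$Archives = 12
)

$ErrorActionPreference = 'Stop'

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
# Per the thread the first <rotation/> is the one for SAV.txt; adjust the XPath if your diff shows otherwise.
$rotation = $cfg.SelectSingleNode('//rotation')
if (-not $rotation) { throw "no <rotation/> element found in $ConfigPath" }

$current = $rotation.GetAttribute($Attribute)
if ($current -eq "$Archives") {
    Write-Output ('{0} already set to {1}, nothing to do' -f $Attribute, $Archives)
    return
}

# Keep a timestamped backup so the change can be reverted.
Copy-Item -LiteralPath $ConfigPath -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date))

Stop-Service -Name $ServiceName
try {
    $rotation.SetAttribute($Attribute, "$Archives")
    $cfg.Save($ConfigPath)
} finally {
    # Always bring the AV service back, even if saving the config failed.
    Start-Service -Name $ServiceName
}
Write-Output ('{0}: {1} -> {2}' -f $Attribute, $current, $Archives)
```

Run it elevated, test on one endpoint and confirm in the local GUI that the new count is shown before pushing it to all 2500 via a startup script or your deployment tool; the backup file lets you roll back if the service refuses the edited file.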