sav.txt and syslog

Context - since we need to archive syslogs, is there any point in also archiving sav.txt? If every sav.txt entry is already in syslog, then why archive both?

Hi John,

Are you referring to Linux Endpoint?

Yes - RHE 7.

Endpoint only - no Central.

I'm not sure what sav.txt is or where you are getting that information from?

SAV writes log entries to savd.log (accessed by savlog) and to syslog (if enabled in the configuration).

All threat detections are written to both, but some on-demand scan errors are not logged to syslog.

Thanks Doug.

sav.txt is identified in many posts and Sophos pdfs as the log file for SAV and HIPS, so I was unaware that savd.log exists [also?].

(I am researching Sophos products, and so I don't yet have a running copy to use to answer my questions.)

However, you answered my real question, which is that I can get away with archiving only syslog (for now).

You mean like:

https://community.sophos.com/kb/en-us/43391 

?

That is talking about Windows, not Linux. Also HIPS is Windows only.

You mean like:

https://community.sophos.com/kb/en-us/43391 

?

That is talking about Windows, not Linux. Also HIPS is Windows only.

Very possibly - I was searching with Linux as a filter, but I was following any hits that looked promising. I'm not surprised if I got confused by Windows-related posts that never mentioned Windows...

Thanks for the clarification.