Explanation of logfiles

Hello

Can someone point me to an explanation of the logs created by Sophos Endpoint Antivirus?

Like, what is the meaning of event_id 14067?

Which actions, and what do they do?

Event type?

Facility, etc.

Thanks!

  • Hello rob coenraads,

    It's not clear to me what you mean by the logs created by Sophos Endpoint Antivirus, as you mention event_id. Are you referring to events in the Windows Event logs? BTW, event_id 14067 doesn't ring a bell; did you encounter it (if so, could you post the details)?
    How would you use this information?

    By logs I'd refer primarily to the Anti-Virus (SAV.txt) and AutoUpdate (alc.log, ALUpdate____.log) logs, meant to be read (and understood, but that's not simple in all cases) by a human. But apparently you have something else in mind.

    Christian

  • In reply to QC:

    Christian,

    Thanks for your response.

    I get logs from Sophos in my SIEM environment. The logs are sent in syslog format. I see fields like event_id, ThreatID, severity, action, threat and so on.

    I want to use the information in the log file to create alert rules in the SIEM.

    As you can probably understand, I am not allowed to share logfiles on the net.
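As an added illustration (not from the thread, and not Sophos code or documented Sophos output), a Python sketch of the parsing and rule logic a SIEM would apply to such syslog events. Only the field names (event_id, ThreatID, severity, action, threat) come from the post above; the key=value layout, the syslog header, all values, and the "cleaned up" success marker are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines, not real Sophos output. The field names
# (event_id, ThreatID, severity, action, threat) are the ones named in the
# post; the key=value layout, the syslog header and all values are assumed.
SAMPLE_LINES = [
    '<14>Jan 01 12:00:00 host01 sophos: event_id=EXAMPLE_A ThreatID=T-EXAMPLE-1 '
    'severity=high action="cleaned up" threat="Example/Detection-A"',
    '<14>Jan 01 12:00:05 host01 sophos: event_id=EXAMPLE_B ThreatID=T-EXAMPLE-2 '
    'severity=high action="cleanup failed" threat="Example/Detection-B"',
    # Malformed line: the action field is missing entirely.
    '<14>Jan 01 12:00:09 host02 sophos: event_id=EXAMPLE_C severity=low '
    'threat="Example/Detection-C"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields a rule needs before it can say anything useful about the event.
REQUIRED = ("event_id", "severity", "action")


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key=value fields from a syslog line, ignoring the header."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def evaluate(line: str) -> Dict[str, object]:
    """One alert rule: high-severity detections that were not cleaned up.
    A line missing a required field is also flagged, so a format change at
    the source shows up as an alert instead of silently disabling the rule."""
    fields = parse_fields(line)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        return {"alert": True, "reason": "missing " + ",".join(missing), "fields": fields}
    high = fields["severity"].lower() in {"high", "critical"}
    # "cleaned up" is an assumed success value, not a documented Sophos action.
    unresolved = fields["action"].lower() != "cleaned up"
    reason = "unresolved high-severity detection" if high and unresolved else "no match"
    return {"alert": high and unresolved, "reason": reason, "fields": fields}


def alerting_event_ids(lines: List[str]) -> List[str]:
    """Return the event_id of every line that triggers the rule."""
    return [str(r["fields"].get("event_id", "?")) for r in map(evaluate, lines) if r["alert"]]
```

Flagging lines with missing fields separately from real detections keeps a silent format change at the log source from turning into a silently dead rule.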

  • In reply to rob coenraads:

    Hello rob coenraads,

    "I get logs from Sophos": the Central API or SEC Log Writer? I'm not aware of a detailed and explanatory documentation (but then, I've never searched for it), only that for the API there's a swagger specification.

    Christian