Can someone point me to an explanation of the logs created by Sophos Endpoint Antivirus?
For example: what is the meaning of event_id 14067,
which actions exist and what do they do,
facility, etc.
Hello rob coenraads,
It's not clear to me what you mean by the logs created by Sophos Endpoint Antivirus, as you mention event_id. Are you referring to events in the Windows Event logs? BTW, event_id 14067 doesn't ring a bell; did you encounter it (if so, could you post the details)? How would you use this information?
With "logs" I'd primarily refer to the Anti-Virus (SAV.txt) and AutoUpdate (alc.log, ALUpdate____.log) logs, which are meant to be read (and understood, but that's not simple in all cases) by a human. But apparently you have something else in mind.
In reply to QC:
Thanks for your response.
I get logs from Sophos in my SIEM environment. The logs are sent in syslog format. I see fields like event_id, ThreatID, severity, action, threat and so on.
I want to use the information in the log file to create alert rules in the SIEM.
As you can probably understand, I am not allowed to share log files on the net.
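The usual first step before writing SIEM rules on fields like these is to parse a sample of the feed and inventory which values of action and severity actually occur, then express the rule as a predicate over the parsed fields. The script below is an added example written for this thread; it is not Sophos's own format, tooling or documentation. The syslog layout (a header followed by space-separated key=value pairs), the sample lines, the ThreatID values and the set of "remediated" actions are all assumptions constructed for illustration; the field names come from the post above. Adjust HEADER_RE and KV_RE to match what your SIEM actually receives.

```python
import re
from collections import Counter

# Constructed sample lines, NOT real Sophos output. Assumed layout: syslog
# priority, timestamp, host, tag, then key=value pairs using the field names
# mentioned in the thread (event_id, ThreatID, severity, action, threat, facility).
SAMPLE_LINES = [
    '<14>Jan 10 10:01:02 host1 sophos: event_id=1001 ThreatID=T-0001 severity=high action=blocked threat="Mal/Generic-S" facility=av',
    '<14>Jan 10 10:01:03 host2 sophos: event_id=1002 ThreatID=T-0002 severity=low action=cleaned threat="Adw/Test" facility=av',
    '<14>Jan 10 10:01:04 host3 sophos: event_id=1003 ThreatID=T-0003 severity=high action=failed threat="Troj/Test-A" facility=av',
    'garbage line without fields',  # deliberately unparseable, to show the skip path
]

# Header: optional <pri>, "Mon DD HH:MM:SS", host, tag, then the message body.
HEADER_RE = re.compile(
    r'^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s*(?P<msg>.*)$'
)
# key=value where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of header fields plus every key=value pair, or None if the line does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {'ts': m.group('ts'), 'host': m.group('host'), 'tag': m.group('tag')}
    for key, quoted, bare in KV_RE.findall(m.group('msg')):
        event[key] = quoted if quoted else bare
    return event


def field_values(lines, field):
    """Count the distinct values of one field across all parseable lines.

    Run this first: it tells you which actions/severities the feed really emits,
    so a rule is written against observed values rather than guessed ones.
    """
    return Counter(ev[field] for ev in map(parse_line, lines) if ev and field in ev)


# Assumed set of actions that mean the threat was dealt with. Confirm against your feed.
REMEDIATED = {'cleaned', 'blocked', 'quarantined', 'deleted'}

# Alert rules as predicates over a parsed event. Names are illustrative.
RULES = {
    'high_severity_not_remediated': lambda ev: ev.get('severity') == 'high' and ev.get('action') not in REMEDIATED,
    'remediation_failed': lambda ev: ev.get('action') == 'failed',
}


def evaluate(lines, rules=RULES):
    """Run every rule over every parseable line; return (rule_name, host, ThreatID) per hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable input is skipped, never treated as a match
        for name, pred in rules.items():
            if pred(ev):
                hits.append((name, ev['host'], ev.get('ThreatID')))
    return hits


if __name__ == '__main__':
    print('actions seen:', dict(field_values(SAMPLE_LINES, 'action')))
    for hit in evaluate(SAMPLE_LINES):
        print('ALERT', *hit)
```

On the constructed sample, host1's high-severity detection was blocked and raises nothing, while host3's failed remediation trips both rules; that is the distinction a rule on severity alone would miss, so inventory the action values before deciding what "needs a human" means in your environment.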
In reply to rob coenraads:
"I get logs from Sophos": from the Central API or the SEC Log Writer? I'm not aware of a detailed and explanatory documentation (but then, I've never searched for it), only that for the API there's a swagger specification.