explanation logfiles


can someone point me to an explanation of the logs created by Sophos Endpoint Antivirus?

Like what is the meaning of event_id 14067

which actions and what do they do

event type??

facility etc etc



  • Hello rob coenraads,

    it's not clear to me what you mean by the logs created by Sophos Endpoint Antivirus as you mention event_id. Are you referring to events in the Windows Event logs? BTW, event_id 14067 doesn't ring a bell, did you encounter it (if so, could you post the details)?
    How would you use this information?

    With logs I'd refer to primarily the Anti-Virus (SAV.txt) and AutoUpdate (alc.log, ALUpdate____.log), meant to be read (and understood, but that's not simple in all cases) by a human. But apparently you have something else in mind.


  • In reply to QC:



    thanks for your response


    I get logs from Sophos in my Siem environment. The logs are sent as syslog format. I see fields like event_id, ThreatID, severity, action, threat and so on.

    I want to use the information of the log file in creating alert rules in the Siem.

    As you can probably understand I am not allowed to share logfiles on the net.

  • In reply to rob coenraads:

    Hello rob coenraads,

    I get logs from Sophos
    the Central API or SEC Log Writer? I'm not aware of a detailed and explanatory documentation (but then, I've never searched for it), only that for the API there's a swagger specification.