
Log Reporting Interface

Hello,

I have just installed Sophos Reporting Interface 51 and the configuration seems fine, but I only get the log files "DefaultCommonEvents" and "EventsDeviceControl", nothing on the threats...

How can I get them? Should I add some verbose setting somewhere?

Kind regards,

Bastien.



  • Hello Bastien,

    it's the Log Writer (the service that extracts data) 5.1, the Reporting Interface (the stuff in the database) is 5.2.
    Anyway, the default configuration extracts EventsCommonData and ThreatEventData but not EventsDeviceControlData - did you modify the SophosLogWriterConfig.xml?

    Christian

  • Hello,

    Yes indeed, I mixed up the versions.

    Yes, I modified SophosLogWriterConfig.xml; I added all the elements (datafeed tags) with basic lines like:

    <datafeed>
      <tick>300</tick>
      <applyLogFormat>true</applyLogFormat>
      <logFile logType="LogFile">
        <noOfBackupFiles>5</noOfBackupFiles>
        <fileSize>50MB</fileSize>
        <outputLocation>.\Log Files</outputLocation>
        <outputFilename>DefaultThreats.log</outputFilename>
      </logFile>
      <call callID="DefaultThreats">
        <dataSource>ThreatEventData</dataSource>
        <dataConfigurationLocation>.\Configuration Files</dataConfigurationLocation>
        <dataConfigurationFile>Threats.config</dataConfigurationFile>
      </call>
    </datafeed>

    The log files are created in the default browser: C:\...\Sophos\Reporting Interface\Log Files\...

    I can see one log file for each element, but the only sources that generate logs are EventsCommonData and EventsDeviceControlData.
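    A small audit script, added here as an illustration and not part of this thread or of the Sophos product: it parses datafeed blocks like the one above, resolves each feed's output file and reports whether that file is missing, empty or populated, which is the distinction that matters when a feed "creates a file but writes nothing". The <config> root element, the second (CommonEvents) feed and the staged file contents are assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the <datafeed> block quoted above; the <config>
# root element and the CommonEvents feed names are assumptions, not Sophos's file.
SAMPLE_CONFIG = """<config>
<datafeed><tick>300</tick><applyLogFormat>true</applyLogFormat>
 <logFile logType="LogFile"><noOfBackupFiles>5</noOfBackupFiles><fileSize>50MB</fileSize>
  <outputLocation>.\\Log Files</outputLocation><outputFilename>DefaultCommonEvents.log</outputFilename></logFile>
 <call callID="DefaultCommonEvents"><dataSource>EventsCommonData</dataSource>
  <dataConfigurationFile>CommonEvents.config</dataConfigurationFile></call></datafeed>
<datafeed><tick>300</tick><applyLogFormat>true</applyLogFormat>
 <logFile logType="LogFile"><noOfBackupFiles>5</noOfBackupFiles><fileSize>50MB</fileSize>
  <outputLocation>.\\Log Files</outputLocation><outputFilename>DefaultThreats.log</outputFilename></logFile>
 <call callID="DefaultThreats"><dataSource>ThreatEventData</dataSource>
  <dataConfigurationFile>Threats.config</dataConfigurationFile></call></datafeed>
</config>"""

def audit_datafeeds(xml_text, install_dir):
    """One record per <datafeed>: which data source feeds which log file, and
    whether that file is missing, empty or populated on disk."""
    report = []
    for feed in ET.fromstring(xml_text).iter("datafeed"):
        call, log = feed.find("call"), feed.find("logFile")
        if call is None or log is None:
            continue  # a feed without both halves never writes anything
        # .\Log Files is relative to the install dir; normalise backslashes so
        # the check also runs off-box on a non-Windows analysis host
        folder = log.findtext("outputLocation", ".").replace("\\", "/")
        path = Path(install_dir) / folder / log.findtext("outputFilename", "")
        size = path.stat().st_size if path.is_file() else None
        # "empty" is the case the thread diagnoses: the feed is wired up, but
        # the data source had no events inside <noOfDays>, so nothing was written
        status = "missing" if size is None else ("empty" if size == 0 else "ok")
        report.append({"callID": call.get("callID"),
                       "dataSource": call.findtext("dataSource"),
                       "path": str(path), "status": status})
    return report

def demo():
    """Stage the two log files in a scratch install directory and audit them."""
    with tempfile.TemporaryDirectory() as install_dir:
        logs = Path(install_dir) / "Log Files"
        logs.mkdir()
        # constructed: common events were written, the threat feed produced none
        (logs / "DefaultCommonEvents.log").write_text("sample common event line\n")
        (logs / "DefaultThreats.log").write_text("")
        return {r["callID"]: r["status"]
                for r in audit_datafeeds(SAMPLE_CONFIG, install_dir)}
```

    Pointing audit_datafeeds at the real SophosLogWriterConfig.xml and install directory gives the same missing/empty/ok table for every feed, so an empty file can be told apart from a feed that was never wired up.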

  • Hello Bastien,

    and the other logs are empty? You likely have recent (within <noOfDays>) events from the other sources, haven't you? The Log Writer writes its messages (info, warning, error) to the Windows Application Event log, source Sophos Reporting Log Writer (in case it sees some issue with the .xml).

    Christian

  • Hi,

    Yes exactly, all the other logs are empty and I don't know why. Their creation date is the date when we modified the .xml configuration file to add all the elements. The other files that are written are indeed recent (less than 7 days, which is equal to <noOfDays>).

    And we don't have a single error in the Event Viewer... Everything is "ok"...

     

    Bastien.

  • Hello Bastien,

    just to make sure, the console does show other events (threats, Application Control, ...) that occurred in the last 7 days?
    BTW: What is your SEC version?

    Christian

  • Hello,

    Now that you say it, it can show:

    - Application control Event;
    - Data control Event;
    - Device control Event;
    - Firewall event;
    - "Exploits" prevention events;
    - Tamper protection Event;
    - Patches evaluation event;
    - Web Event.

    Nothing on threat events. Is that normal?

    Current version of SEC is 5.5.0

    Bastien.

  • Hello Bastien,

    Nothing on threat events
    well, not a single threat event in seven days is perhaps unusual but of course it depends. I have several thousand endpoints and about 30 detections (roughly twice that number of events) in the last seven days. I'd say it's not impossible that you have none. Please run the console's Alert and event history report, custom period, select just the Viruses/spyware type.

    Christian

  • Hello,

    When I run the console's Alert and event history report, custom period (since the beginning of the year), and select just the Viruses/spyware type, I get only 4 matches, which are dated before the installation of Sophos Reporting Interface.

    Maybe that's the reason why I got no log?

     

    Bastien

  • Hello Bastien,

    congratulations - practically no threats, how do you do it? [:)]

    Indeed, no threats - no log. You have to decide whether you find it acceptable to besmirch your statistic and trigger an alert with EICAR (or the savtst32.exe from the C:\sec_550\tools\ directory) or want to wait for the detection of an actual threat.

    Christian

  • Hi again,

    I don't know. We might have good protection on the front line :).

    Thank you for your time btw.

    Kind regards,

    Bastien.