
Recording policy changes from Sophos Enterprise Console 5.2 in LEM?

So my question is pretty simple (although I don't expect the answer to be): is there a way of pulling any policy changes or logs from Sophos Enterprise Console 5.2.0.644 and having them recorded and displayed in LEM? At present we can record and track any Active Directory changes being made, but it would also be nice to be able to record any changes made in Sophos for Change Control auditing.

Anyone managed to do this or know if it is even possible to do so?

It might be of interest to know that Sophos Auditing is enabled and policy changes are being recorded in an SQL database so I know it can record the data we want but I'm not sure if LEM would be able to access that or not.

Any help or information would be very welcome!

  • FormerMember
    0 FormerMember

    Hi Ian,

    I have SEC 5.2 installed in a distributed installation (the DB on SQL Server 2012). I am yet to configure logging, but there are connectors for Sophos Enterprise Database (2.0 and 3.0) under Node connectors. If you installed SEC in one location, deploy the agent to this server, then try the Sophos Enterprise 3.0 Database connector and start it. If you have done like me, you will need to configure the correct DB port and database name. There is a chance that in a distributed installation it may not allow collection of logs, as there are no fields in the connector template to provide authentication details.

    Hope this helps.

  • Thanks for the tip Garreth. It took me a while to actually find the connector for Sophos, as only some are displayed under the appliance yet more can be found when looking at the node directly. Anyway, I've attempted to configure it using the Sophos Enterprise 3 connector and changed the name & port of the SQL database to match ours, yet I'm not sure if it's working or not since I don't seem to have any kind of indication of an increase of events/alerts.

    I've tried restarting the connector multiple times, and even restarting the SolarWinds service on the Sophos server itself to see if it would do something. So I'm starting to get stuck :/

    ***Edit***

    Okay so here is a screen shot (ip/server names excluded) of the only type of log I can find when starting or stopping the Sophos3DB connector.

    [Screenshot attachment: Sophos database.png]

    The section I've highlighted in red is the closest thing to an error, yet it ONLY occurs when turning the connector off, which is not giving me confidence in following it up. I mean once started (the top log in the image) I get no other notification regarding the connector at all until I turn it off again.

    Perhaps it just won't work with Sophos Enterprise Console 5.2.

  • I have the exact same issue. I opened a ticket a bit ago. Was hoping someone out there got it working. Did you?

  • FormerMember
    0 FormerMember in reply to eric.hand

    For the additional events, we should be able to add these to the connector hooked up to the Sophos DB.  You might have to submit a request once you've got it hooked up (or submit a ticket if you can't get it up and running).

    And for the error messages that a couple of you are seeing or trouble getting Sophos connected at all, we have done some work on the connector to get it working with the latest versions so if you're still having trouble we're very interested in troubleshooting. If you can give me your case #s I can look into it and make sure we get hooked up with our development team to get them whatever data they need.

  • Here's what we've been able to figure out so far. SQL port 1433 is NOT open by default on a standard Sophos (Windows Server/SQL Express) install. We have since opened it. I'm not getting different errors:

    erprise Database:36} check for query size failed;
    (Thu Aug 07 12:12:13 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;
    (Thu Aug 07 12:12:23 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} check for query size failed;
    (Thu Aug 07 12:12:23 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;
    (Thu Aug 07 12:12:33 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} check for query size failed;
    (Thu Aug 07 12:12:33 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;
    (Thu Aug 07 12:12:43 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} check for query size failed;
    (Thu Aug 07 12:12:43 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;

    I had our DBA look at the SQL logs (what little there is for Express), and she initially saw some failed login attempts from the NTAUTHORITY\SYSTEM account (excuse the spelling, I'm writing this off the top of my head). She has since given full db reader access. I've restarted the agents and she is no longer seeing those errors, but I'm getting these query problems still. Same message if I used the db2 or db3 version of the connector (it shows the same error down to the '2DB' part). No difference.

    Haven't had time to call support back yet to see if they have any more ideas.
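As an added example (not from the thread, and not SolarWinds or Sophos code), here is a small Python script for the two checks a reader of the post above would want to run on the LEM agent host: it re-joins and parses connector error lines of the shape quoted above, counts them per connector and message, works out the reader's retry interval, and tests whether the SQL port is reachable over TCP. The sample log is constructed from the lines in the post; the default port 1433 is the one the post mentions; the function and variable names are this example's own.

```python
"""Triage helper for LEM Sophos DB connector errors (added example, not
part of the thread). Parses connector log lines and checks SQL port reach."""
import re
import socket
from collections import Counter
from datetime import datetime

# Line shape taken from the errors quoted in the post:
# (Thu Aug 07 12:12:13 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-...:36} msg;
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+"          # timestamp in parentheses
    r"(?P<level>[A-Z]+:[A-Z]+)\s+"    # e.g. EE:ERR
    r"\[(?P<reader>[^\]]+)\]\s+"      # e.g. [Sophos2DBReader v0]
    r"\{(?P<connector>[^}]+)\}\s+"    # e.g. {Sophos2DB-Sophos Enterprise Database:36}
    r"(?P<msg>.*?);?\s*$"             # message, trailing ';' dropped
)

# Constructed sample: four of the wrapped lines from the post, re-joined.
SAMPLE_LOG = """\
(Thu Aug 07 12:12:13 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} check for query size failed;
(Thu Aug 07 12:12:13 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;
(Thu Aug 07 12:12:23 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} check for query size failed;
(Thu Aug 07 12:12:23 CDT 2014) EE:ERR [Sophos2DBReader v0] {Sophos2DB-Sophos Enterprise Database:36} Sophos2DB failed to perform query due to a SQLException.;
"""


def parse_timestamp(ts):
    """Parse 'Thu Aug 07 12:12:13 CDT 2014'; the zone token is dropped
    because strptime's %Z does not accept arbitrary abbreviations."""
    parts = ts.split()
    if len(parts) == 6:
        parts.pop(4)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_log(text):
    """Return one dict per well-formed connector line; wrapped fragments
    that do not start with '(' (like the truncated first line in the post)
    are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = parse_timestamp(rec["ts"])
            records.append(rec)
    return records


def summarize(records):
    """Count errors per (connector, message) so a repeating pair stands out."""
    return Counter((r["connector"], r["msg"]) for r in records)


def poll_interval_seconds(records):
    """Most common gap between distinct timestamps: the reader's retry period."""
    times = sorted({r["time"] for r in records})
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return Counter(gaps).most_common(1)[0][0] if gaps else None


def tcp_port_reachable(host, port=1433, timeout=2.0):
    """True if a TCP connection to host:port completes (SQL Server default 1433)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_listener_demo():
    """Self-contained check of tcp_port_reachable against a loopback listener:
    returns (reachable while listening, reachable after it is closed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_port_reachable("127.0.0.1", port)
    srv.close()
    return while_open, tcp_port_reachable("127.0.0.1", port)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (connector, msg), n in summarize(recs).items():
        print(f"{n}x {connector}: {msg}")
    print("retry interval (s):", poll_interval_seconds(recs))
    print("loopback listener demo:", local_listener_demo())
```

To apply it to a real connector log, feed the agent's log text to parse_log and call tcp_port_reachable with the SQL host and the port set in the connector; a False there points at the firewall or SQL Express not listening on TCP, while a True with the query errors still repeating every poll interval points at database permissions or the connector's query, which is the order the post above worked through.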

  • SEC 5.2+ can send these notifications via email, if you have AD integration enabled for your groups.