# config.ini.sample — copy to config.ini and fill in the values below.
# The filled-in copy holds API credentials (token_info, client_id, client_secret):
# keep it out of version control and restrict its file permissions to the
# account that runs the collector.
# NOTE(review): if this file is read with Python configparser and default
# interpolation, a literal % inside a value must be written as %% — confirm
# against the consumer before pasting header values that contain %.
[login]
# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
token_info = <Copy API Access URL + Headers block from Sophos Central here>
# Client ID and Client Secret for Partners, Organizations and Tenants
# <Copy Client ID and Client Secret from Sophos Central here>
client_id =
client_secret =
# Customer tenant ID
tenant_id =
# Host URL for the OAuth token endpoint
auth_url = https://id.sophos.com/api/v2/oauth2/token
# whoami API host URL
api_host = api.central.sophos.com
# format can be json, cef or keyvalue
format = json
# filename can be syslog, stdout, or any custom filename
filename = result.txt
# endpoint can be event, alert or all
endpoint = event
# syslog properties (presumably only used when filename = syslog — confirm against the collector)
# for a remote address use <remoteServerIp>:<port>, e.g. 192.1.2.3:514
# for Linux local systems use /dev/log
# for macOS use /var/run/syslog
# append_nul will append a null byte at the end of each log message if set to true
# NOTE(review): syslog over UDP provides no transport integrity or confidentiality;
# for a remote destination prefer a stream socket type (with TLS where the
# receiver supports it) if the collector offers one — confirm the accepted values.
address = /var/run/syslog
facility = daemon
socktype = udp
append_nul = false
# cache file, full or relative path (with a ".json" extension)
state_file_path = state/siem_sophos.json
# Delay the data collection by X minutes to avoid missing events from the Sophos API.
# The issue could be due to a specific host being ahead in time by a few minutes, so
# Sophos Central would consider events received from that host as a checkpoint.
events_from_date_offset_minutes = 0
# Delay the data collection by X minutes.
alerts_from_date_offset_minutes = 0
# Convert the dhost field to a valid FQDN.
convert_dhost_field_to_valid_fqdn = true
# logging level
# NOTE(review): DEBUG may record request details in the log; consider a less
# verbose level in production — confirm what the collector logs at this level.
logging_level = DEBUG