
How to configure the Splunk Add-on for Sophos to properly recognize the EventTime field for incoming data?

Hi, I am attempting to set up the Sophos Add-on (App 1854) and have encountered a quandary. I am setting it up using a forwarder on the Sophos Enterprise Console. The Reporting Interface is already there and working fine. LogWriter is putting logs out as expected. The logs closely match the ones included with the Add-on, with the exception that mine do not have quotes (") around the data.

I used all the default settings (but specified my own index to send data into) and found that while all the data was ingested, the **EventTime** field was not recognized as the time the event occurred, so all the events were imported and stamped as happening "now".

I reviewed the props.conf and modified these entries for the relevant types:

- `TIME_PREFIX = EventTime="` (changed to remove the `=` and `"`)
- `TIME_FORMAT = %Y-%m-%d %H:%M:%S` (verified)
- `MAX_TIMESTAMP_LOOKAHEAD = 25` (changed to 75 to match actual log files)

However, that did not appear to help. I did raise it with Sophos just in case it was a "quote" issue, and I have found that the output from Reporting Interface/LogWriter does not have quotes and isn't easy to change to use quotes.

Any thoughts as to what I should look at? Thank you
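The script below is an added example, not code from the question or from the Sophos add-on. It is a simplified model of how the three props.conf settings interact: Splunk treats `TIME_PREFIX` as a regular expression, looks at up to `MAX_TIMESTAMP_LOOKAHEAD` characters after the prefix match, and parses them with `TIME_FORMAT` (strptime syntax); when nothing parses, the event is stamped with the current time, which is the symptom described above. The two sample log lines are constructed (one quoted, in the style of the add-on's bundled samples; one unquoted, like the LogWriter output described), and the field names other than `EventTime` are assumptions. Note also that when data arrives via a universal forwarder, these timestamp settings take effect on the indexer or heavy forwarder that parses the data, so editing props.conf only on the forwarder host has no effect on index-time timestamp extraction.

```python
import re
from datetime import datetime

# Constructed sample lines (not real Sophos captures). The first mirrors the
# quoted style of the samples bundled with the add-on; the second mirrors the
# unquoted LogWriter output described in the question. Field names other than
# EventTime are assumptions.
QUOTED_LINE = ('ComputerName="WS-001" EventTime="2014-03-12 09:15:42" '
               'EventType="Alert" Name="Threat detected"')
UNQUOTED_LINE = ('ComputerName=WS-001 EventTime=2014-03-12 09:15:42 '
                 'EventType=Alert Name=Threat detected')

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # the add-on's TIME_FORMAT, as posted


def extract_timestamp(line, time_prefix, time_format, max_lookahead):
    """Simplified model of Splunk timestamp recognition (not Splunk's own
    engine): locate TIME_PREFIX as a regex, take at most MAX_TIMESTAMP_LOOKAHEAD
    characters after the match, and parse the longest leading substring that
    satisfies TIME_FORMAT. Returns a datetime, or None when nothing parses
    (Splunk would then fall back to the current time)."""
    match = re.search(time_prefix, line)
    if match is None:
        return None
    window = line[match.end():match.end() + max_lookahead]
    # Try the longest candidate first: strptime accepts "09:15:4" as 09:15:04,
    # so a shortest-first scan would silently truncate the seconds field.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def check_prefix(time_prefix, max_lookahead=25):
    """Apply one candidate TIME_PREFIX to both sample lines and return the
    parsed timestamps as ISO strings (None where recognition fails)."""
    results = {}
    for name, line in (("quoted", QUOTED_LINE), ("unquoted", UNQUOTED_LINE)):
        ts = extract_timestamp(line, time_prefix, TIME_FORMAT, max_lookahead)
        results[name] = ts.isoformat() if ts else None
    return results


if __name__ == "__main__":
    # The shipped prefix only works on quoted data; dropping the quote only
    # works on unquoted data; an optional quote in the regex handles both.
    for prefix in (r'EventTime="', r'EventTime=', r'EventTime="?'):
        print(f"TIME_PREFIX = {prefix:<14} -> {check_prefix(prefix)}")
    # A lookahead shorter than the timestamp itself also breaks recognition.
    print("lookahead 10 ->", check_prefix(r'EventTime=', max_lookahead=10))
```

Running it shows that the add-on's shipped `TIME_PREFIX = EventTime="` finds a timestamp only in the quoted line, the quote-less prefix only in the unquoted line, and a prefix written as the regex `EventTime="?` in both, while a `MAX_TIMESTAMP_LOOKAHEAD` shorter than the 19-character timestamp defeats recognition even with the right prefix.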
