Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Sophos Enterprise Console

 

JSA has two options for gathering events from a Sophos Enterprise Console by using JDBC.

Select the method that best applies to your Sophos Enterprise Console installation:

Note

To use the Sophos Enterprise Console protocol, you must ensure that the Sophos Reporting Interface is installed with your Sophos Enterprise Console. If you do not have the Sophos Reporting Interface, you must configure JSA by using the JDBC protocol. For information on installing the Sophos Reporting Interface, see your Sophos Enterprise Console documentation.

Configuring JSA Using the Sophos Enterprise Console Protocol

The Sophos Enterprise Console DSM for JSA accepts events by using Java Database Connectivity (JDBC).

The Sophos Enterprise Console DSM works in coordination with the Sophos Enterprise Console protocol to combine payload information from anti-virus, application control, device control, data control, tamper protection, and firewall logs in the vEventsCommonData table and provide these events to JSA. You must install the Sophos Enterprise Console protocol before you configure JSA.

To configure JSA to access the Sophos database by using the JDBC protocol:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. From the Log Source Type list, select Sophos Enterprise Console.
  7. From the Protocol Configuration list, select Sophos Enterprise Console JDBC.Note

    You must refer to the Configure Database Settings on your Sophos Enterprise Console to define the parameters that are required to configure the Sophos Enterprise Console JDBC protocol in JSA.

  8. Configure the following values:

    Table 1: Sophos Enterprise Console JDBC Parameters

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source. Type the log source identifier in the following format:

    <Sophos Database>@<Sophos Database Server IP or Host Name>

    Where:

    • <Sophos Database> is the database name, as entered in the Database Name parameter.

    • <Sophos Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

    When you define a name for your log source identifier, you must use the values of the Sophos Database and Database Server IP address or host name from the Management Enterprise Console.

    Database Type

    From the list, select MSDE.

    Database Name

    Type the exact name of the Sophos database.

    IP or Hostname

    Type the IP address or host name of the Sophos SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE in Sophos Enterprise Console is 1168.

    The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections are enabled to communicate with JSA.

    If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name that is required to access the database.

    Password

    Type the password that is required to access the database. The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password parameter.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows, you must define a Window Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Optional. Type the database instance, if you have multiple SQL server instances on your database server.

    If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Table Name

    Type vEventsCommonData as the name of the table or view that includes the event records.

    Select List

    Type * for all fields from the table or view.

    You can use a comma-separated list to define specific fields from tables or views, if this is needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period(.).

    Compare Field

    Type InsertedAt as the compare field. The compare field is used to identify new events added between queries to the table.

    Start Date and Time

    Optional. Type the start date and time for database polling.

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communications check box.

    When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Use NTLMv2

    If you select MSDE as the Database Type, the Use NTLMv2 check box is displayed.

    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

    If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    Note

    Selecting a value greater than 5 for the Credibility parameter weights your Sophos log source with a higher importance compared to other log sources in JSA.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

    The configuration is complete.

Configure JSA by Using the JDBC Protocol

The Sophos Enterprise Console DSM for JSA accepts events by using Java Database Connectivity (JDBC).

JSA records all relevant anti-virus events. This document provides information on configuring JSA to access the Sophos Enterprise Console database by using the JDBC protocol.

Configuring the Database View

To integrate JSA with Sophos Enterprise Console:

  1. Log in to your Sophos Enterprise Console device command-line interface (CLI).
  2. Type the following command to create a custom view in your Sophos database to support JSA:

    Where <Database Name> is the name of the Sophos database.

    Note

    The database name must not contain any spaces.

After you create your custom view, you must configure JSA to receive event information that uses the JDBC protocol. To configure the Sophos Enterprise Console DSM with JSA, see Configuring a JDBC log source in JSAYou can configure JSA to access the Sophos database using the JDBC protocol..

Configuring a JDBC Log Source in JSA

You can configure JSA to access the Sophos database using the JDBC protocol.

  1. Log in to JSA
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. From the Log Source Type list, select Sophos Enterprise Console.
  7. From the Protocol Configuration list, select JDBC.Note

    You must refer to the Configure Database Settings on your Sophos Enterprise Console to define the parameters that are required to configure the Sophos Enterprise Console DSM in JSA.

  8. Configure the following values:

    Table 2: Sophos Enterprise Console JDBC Parameters

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source. Type the log source identifier in the following format:

    <Sophos Database>@<Sophos Database Server IP or Host Name>

    Where:

    • <Sophos Database> is the database name, as entered in the Database Name parameter.

    • <Sophos Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

    When defining a name for your log source identifier, you must use the values of the Sophos Database and Database Server IP address or host name from the Management Enterprise Console.

    Database Type

    From the list, select MSDE.

    Database Name

    Type the exact name of the Sophos database.

    IP or Hostname

    Type the IP address or host name of the Sophos SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections that are enabled to communicate with JSA.

    If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name that is required to access the database.

    Password

    Type the password that is required to access the database. The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password parameter.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows, you must define a Window Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Optional. Type the database instance, if you have multiple SQL server instances on your database server.

    If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Table Name

    Type threats_view as the name of the table or view that includes the event records.

    Select List

    Type * for all fields from the table or view.

    You can use a comma-separated list to define specific fields from tables or views, if this is needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period(.).

    Compare Field

    Type ThreatInstanceID as the compare field. The compare field is used to identify new events added between queries to the table.

    Start Date and Time

    Optional. Type the start date and time for database polling.

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

    Use Prepared Statements

    Select this check box to use prepared statements.

    Prepared statements give the JDBC protocol source the option to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, It is suggested that you use prepared statements.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communication check box.

    When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Note

    Selecting a value greater than 5 for the Credibility parameter weights your Sophos log source with a higher importance compared to other log sources in JSA.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.