Sophos PureMessage
The Sophos PureMessage DSM for JSA accepts events by using Java Database Connectivity (JDBC).
JSA records all relevant quarantined email events. This document provides information about configuring JSA to access the Sophos PureMessage database by using the JDBC protocol.
JSA supports the following Sophos PureMessage versions:
Sophos PureMessage for Microsoft Exchange - Stores events in a Microsoft SQL Server database that is specified as savexquar.
Sophos PureMessage for Linux - Stores events in a PostgreSQL database that is specified as pmx_quarantine.
Here's information on integrating JSA with Sophos:
Integrating JSA with Sophos PureMessage for Microsoft Exchange
Integrating JSA with Sophos PureMessage for Linux
Integrating JSA with Sophos PureMessage for Microsoft Exchange
You can integrate JSA with Sophos PureMessage for Microsoft Exchange.
Log in to the Microsoft SQL Server command-line interface (CLI):
osql -E -S localhost\sophos
Type which database you want to integrate with JSA:
use savexquar;
go
Type the following command to create a SIEM view in your Sophos database to support JSA:
create view siem_view as select 'Windows PureMessage' as application, id, reason, timecreated, emailonly as sender, filesize, subject, messageid, filename from dbo.quaritems, dbo.quaraddresses where ItemID = ID and Field = 76;
After you create your SIEM view, you must configure JSA to receive event information by using the JDBC protocol. To configure the Sophos PureMessage DSM with JSA, see Sophos PureMessage.
JDBC Log Source Parameters for Sophos PureMessage
If JSA does not automatically detect the log source, add a Sophos PureMessage log source on the JSA Console by using the JDBC protocol.
When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Sophos:
Parameter | Value
---|---
Log Source Type | Sophos PureMessage
Protocol Configuration | JDBC
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.
Database Type | MSDE
Database Name | Type savexquar.
Table Name | Type siem_view as the name of the table or view that includes the event records.
Compare Field | Type ID.
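The following is an added example, not code from Juniper or Sophos, that shows why the view above filters on Field = 76 and how a JDBC log source uses the Compare Field (ID) to fetch only new quarantine rows on each poll. It rebuilds the page's siem_view over constructed, in-memory SQLite tables; the column sets of quaritems and quaraddresses, and the meaning of Field values, are assumptions inferred from the view definition.

```python
import sqlite3

# The view from the page, minus the dbo. schema prefix SQLite does not use.
CREATE_VIEW = """
CREATE VIEW siem_view AS
SELECT 'Windows PureMessage' AS application, id, reason, timecreated,
       emailonly AS sender, filesize, subject, messageid, filename
FROM quaritems, quaraddresses
WHERE ItemID = ID AND Field = 76;
"""


def build_db() -> sqlite3.Connection:
    """Create constructed source tables (columns assumed) and the SIEM view."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE quaritems (id INTEGER PRIMARY KEY, reason TEXT,
            timecreated TEXT, filesize INTEGER, subject TEXT,
            messageid TEXT, filename TEXT);
        CREATE TABLE quaraddresses (ItemID INTEGER, Field INTEGER,
            emailonly TEXT);
    """)
    con.executescript(CREATE_VIEW)
    return con


def insert_quarantine(con, item_id, reason, sender, recipient):
    """Insert one quarantined item with a sender and a recipient address row.

    Field 76 is assumed to mark the sender row (as the page's view implies);
    77 is a constructed value for the recipient row, which the view excludes
    so that each quarantined item yields exactly one event.
    """
    con.execute("INSERT INTO quaritems VALUES (?,?,?,?,?,?,?)",
                (item_id, reason, "2024-01-01 00:00:00", 1024,
                 "constructed subject", f"<{item_id}@example.invalid>", "a.eml"))
    con.execute("INSERT INTO quaraddresses VALUES (?,?,?)", (item_id, 76, sender))
    con.execute("INSERT INTO quaraddresses VALUES (?,?,?)", (item_id, 77, recipient))
    con.commit()


def poll(con, last_id):
    """One JDBC-style poll: return rows whose Compare Field (id) exceeds the
    last value seen, in ascending order, plus the new high-water mark."""
    rows = con.execute(
        "SELECT id, reason, sender FROM siem_view WHERE id > ? ORDER BY id",
        (last_id,)).fetchall()
    return rows, (rows[-1][0] if rows else last_id)
```

Because the poll is driven purely by the Compare Field, the column exposed as ID must increase monotonically; a view keyed on a value that can be reused or reset would silently skip events.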
Integrating JSA with Sophos PureMessage for Linux
You can integrate JSA with Sophos PureMessage for Linux.
Navigate to your Sophos PureMessage PostgreSQL database directory:
cd /opt/pmx/postgres-8.3.3/bin
Access the pmx_quarantine database SQL prompt:
./psql -d pmx_quarantine
Type the following command to create a SIEM view in your Sophos database to support JSA:
create view siem_view as select 'Linux PureMessage' as application, id, b.name, m_date, h_from_local, h_from_domain, m_global_id, m_message_size, outbound, h_to, c_subject_utf8 from message a, m_reason b where a.reason_id = b.reason_id;
After you create your database view, you must configure JSA to receive event information by using the JDBC protocol.
JDBC Log Source Parameters for Sophos PureMessage for Linux
If JSA does not automatically detect the log source, add a Sophos PureMessage log source on the JSA Console by using the JDBC protocol.
When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Sophos:
Parameter | Value
---|---
Log Source Type | Sophos PureMessage
Protocol Configuration | JDBC
Log Source Identifier | Type the identifier for the log source. Type the log source identifier in the following format: <Sophos PureMessage Database>@<Sophos PureMessage Database Server IP or Host Name>, where:
Database Type | Postgres
Database Name | Type pmx_quarantine.
Table Name | Type siem_view as the name of the table or view that includes the event records.
Compare Field | Type ID.
Refer to the Configure Database Settings on your Sophos PureMessage installation to determine the parameters required to configure the Sophos PureMessage DSM in JSA.