Sophos Enterprise Console JDBC protocol configuration options

To receive events from Sophos Enterprise Consoles, configure a log source to use the Sophos Enterprise Console JDBC protocol.

The Sophos Enterprise Console JDBC protocol is an outbound/active protocol: QRadar polls the Sophos database and combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs from the vEventsCommonData table. If the Sophos Enterprise Console does not have the Sophos Reporting Interface installed, use the standard JDBC protocol to collect antivirus events instead.

The following table describes the parameters for the Sophos Enterprise Console JDBC protocol:
Table 1. Sophos Enterprise Console JDBC protocol parameters
Protocol Configuration

Sophos Enterprise Console JDBC
Log Source Identifier

Type a name for the log source. The name cannot contain spaces and must be unique among all log sources of this log source type that are configured to use the JDBC protocol.

If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

Database Type

MSDE

Database Name

The name of the Sophos Enterprise Console database that the protocol connects to. It must match the database name that is specified in the Log Source Identifier field.

Port

The default port for MSDE in Sophos Enterprise Console is 1168. The port in the JDBC configuration must match the listener port of the Sophos database, otherwise QRadar cannot connect. The Sophos database must accept incoming TCP connections: TCP/IP must be enabled as a network protocol on the SQL Server instance, and any host firewall between QRadar and the database server must allow the listener port.

If a Database Instance is used with the MSDE database type, you must leave the Port parameter blank.

Authentication Domain

The Windows domain to authenticate against. If your network does not use a domain, leave this field blank.

Database Instance

The database instance, if required. MSDE databases can include multiple SQL Server instances on one server. When an instance name is given, the SQL Server Browser service on UDP port 1434 is queried to resolve the instance to its listener port.

When a non-standard port is used for the database, or administrators block access to port 1434 for SQL instance resolution, the Database Instance parameter must be blank and the Port parameter must be set explicitly.

Table Name

vEventsCommonData

Select List

*

Compare Field

InsertedAt

The protocol remembers the largest InsertedAt value it has seen and, on each poll, requests only rows with a newer InsertedAt, so events are not collected twice.

Use Prepared Statements

Prepared statements enable the protocol source to set up the SQL statement once, and then run it numerous times with different parameters. The parameters (such as the InsertedAt value to compare against) are passed to the database as data rather than being spliced into the SQL text, which is why prepared statements are preferred for both security and performance. Most configurations can use prepared statements. Clear this check box only if the database does not support them, to use an alternative method of querying that does not use pre-compiled statements.

Start Date and Time

Optional. A start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval

The polling interval, which is the amount of time between queries to the database. Numeric values without a designator are interpreted as seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value; for example, 5M polls every five minutes and 1H every hour. The maximum polling interval is 1 week in any time format.
EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

Use Named Pipe Communication

If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection. Named pipes to a remote SQL Server are carried over SMB (TCP port 445), so that port, rather than the SQL listener port, must be reachable from QRadar.

Named pipe connections for MSDE databases require the user name and password fields to contain a Windows authentication user name and password, not a database user name and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name

If your SQL Server runs in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2

Forces MSDE connections to use the NTLMv2 protocol with SQL Servers that require NTLMv2 authentication. This check box is selected by default.

The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication, so leave it selected; clearing it only allows the connection to fall back to the weaker NTLMv1 exchange.
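The following added example is not part of the IBM or Sophos documentation; it is a small Python emulation of the polling behaviour that the Compare Field, Use Prepared Statements and Polling Interval parameters configure. It builds a constructed, in-memory vEventsCommonData table with SQLite (only the InsertedAt column name is taken from this page; EventId, EventType and ComputerName are assumed for illustration), parses interval strings such as 30, 5M and 2H with the one-week cap, and contrasts a parameterised (prepared) incremental poll with the same query built by string concatenation to show why the prepared form is the safe one.

```python
import re
import sqlite3

# The protocol caps the polling interval at one week in any time format.
MAX_POLL_SECONDS = 7 * 24 * 60 * 60


def parse_polling_interval(value):
    """Convert a Polling Interval string to seconds.

    Bare numbers are seconds; a trailing M means minutes and H means hours,
    matching the designators the protocol accepts. Values above one week
    are rejected rather than silently clamped.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", value)
    if not m:
        raise ValueError(f"invalid polling interval: {value!r}")
    number, unit = int(m.group(1)), m.group(2).upper()
    seconds = number * {"": 1, "M": 60, "H": 3600}[unit]
    if seconds > MAX_POLL_SECONDS:
        raise ValueError("polling interval exceeds the 1 week maximum")
    return seconds


# Constructed sample rows standing in for the Sophos view. Column names other
# than InsertedAt are assumptions for this example, not the real schema.
SAMPLE_ROWS = [
    (1, "2024-03-01 10:00:00", "FIREWALL", "host-a"),
    (2, "2024-03-01 10:05:00", "DEVICE_CONTROL", "host-b"),
    (3, "2024-03-01 10:07:30", "TAMPER_PROTECTION", "host-a"),
]


def build_sample_db():
    """Create an in-memory SQLite table named like the Sophos view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vEventsCommonData "
        "(EventId INTEGER, InsertedAt TEXT, EventType TEXT, ComputerName TEXT)"
    )
    conn.executemany("INSERT INTO vEventsCommonData VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def poll_events(conn, since):
    """One incremental poll using a parameterised (prepared) statement.

    Returns (rows, new_high_water_mark). The compare value travels to the
    database as a bound parameter, so it can only ever be compared as data.
    """
    cur = conn.execute(
        "SELECT * FROM vEventsCommonData WHERE InsertedAt > ? ORDER BY InsertedAt",
        (since,),
    )
    rows = cur.fetchall()
    high_water = rows[-1][1] if rows else since
    return rows, high_water


def poll_events_concat(conn, since):
    """The same poll with the compare value spliced into the SQL text.

    Shown only to contrast with poll_events: a crafted value changes the
    meaning of the query instead of being compared as a timestamp.
    """
    sql = (
        "SELECT * FROM vEventsCommonData "
        f"WHERE InsertedAt > '{since}' ORDER BY InsertedAt"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("poll every", parse_polling_interval("5M"), "seconds")
    rows, mark = poll_events(db, "2024-03-01 10:00:00")
    print("new events:", [r[0] for r in rows], "high-water mark:", mark)
    rows, mark = poll_events(db, mark)
    print("next poll returns", len(rows), "rows")
    crafted = "9999' OR '1'='1"
    print("prepared:", len(poll_events(db, crafted)[0]), "rows;",
          "concatenated:", len(poll_events_concat(db, crafted)), "rows")
```

The second poll passes the high-water mark from the first and returns nothing, which is the behaviour that the InsertedAt compare field gives the real protocol. The crafted value sorts after every real timestamp, so the prepared query correctly returns no rows, while the concatenated form returns the whole table because the value has rewritten the WHERE clause.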