Sophos Enterprise Console JDBC protocol configuration options
To receive events from Sophos Enterprise Consoles, configure a log source to use the Sophos Enterprise Console JDBC protocol.
The Sophos Enterprise Console JDBC protocol is an outbound/active protocol that combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEventsCommonData table. If the Sophos Enterprise Console does not have the Sophos Reporting Interface, you can use the standard JDBC protocol to collect antivirus events.
Parameter | Description |
---|---|
Protocol Configuration | Sophos Enterprise Console JDBC |
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
Database Type | MSDE |
Database Name | The database name must match the database name that is specified in the Log Source Identifier field. |
Port | The default port for MSDE in Sophos Enterprise Console is 1168. The port in the JDBC configuration must match the listener port of the Sophos database, and the Sophos database must accept incoming TCP connections on it, or QRadar cannot connect. If you specify a Database Instance with the MSDE database type, leave the Port parameter blank. |
Authentication Domain | If your network does not use a domain, leave this field blank. |
Database Instance | The database instance, if required. MSDE databases can include multiple SQL Server instances on one server. When the database listens on a non-standard port, or administrators block access to port 1434 (SQL Server instance name resolution), the Database Instance parameter must be blank and the Port parameter must be set instead. |
Table Name | vEventsCommonData |
Select List | * |
Compare Field | InsertedAt |
Use Prepared Statements | Prepared statements enable the protocol source to set up the SQL statement once, and then run it numerous times with different parameters bound to it. For security and performance reasons, most configurations can use prepared statements. Clear this check box only if the database cannot handle pre-compiled statements; the alternative method splices values into the query text instead of binding them. |
Start Date and Time | Optional. A start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed. |
Polling Interval | The polling interval, which is the amount of time between queries to the database. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. |
Use Named Pipe Communication | If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection. Named pipe connections for MSDE databases require the user name and password fields to contain a Windows authentication user name and password, not the database user name and password. The log source configuration must use the default named pipe on the MSDE database. |
Database Cluster Name | If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly. |
Use NTLMv2 | Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The check box is selected by default. Leaving Use NTLMv2 selected does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. |