All Apps and Add-ons

In a SHC Deployment, where does the logs stored - Sophos Central


I have Splunk ES Setup and I can see the logs coming from Sophos Central onto the Search Head(where I installed the app).
I would like to know where these logs are stored in Splunk. I have tried to find logs on indexers but it wasn't.

0 Karma

Ultra Champion

It might be indexed locally on the search head that does the API calls. Doesn't sound like something you want especially in a SH cluster.

Typically in distributed/clustered environments these kinds of API data collection methods are ran from a Heavy Forwarder that then sends it to the indexers.

Also, that app you mention (assuming you tagged the correct app) is deprecated. Have a look at these instead.

TA Sophos Add-on for Splunk
APP Sophos App for Splunk

0 Karma


App logs as other logs are stored under $SPLUNK_HOME/var/log/splunk

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!