All Apps and Add-ons

In a SHC Deployment, where does the logs stored - Sophos Central


I have Splunk ES Setup and I can see the logs coming from Sophos Central onto the Search Head(where I installed the app).
I would like to know where these logs are stored in Splunk. I have tried to find logs on indexers but it wasn't.

0 Karma

Ultra Champion

It might be indexed locally on the search head that does the API calls. Doesn't sound like something you want especially in a SH cluster.

Typically in distributed/clustered environments these kinds of API data collection methods are ran from a Heavy Forwarder that then sends it to the indexers.

Also, that app you mention (assuming you tagged the correct app) is deprecated. Have a look at these instead.

TA Sophos Add-on for Splunk
APP Sophos App for Splunk

0 Karma


App logs as other logs are stored under $SPLUNK_HOME/var/log/splunk

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...