All Apps and Add-ons

In a SHC Deployment, where does the logs stored - Sophos Central

Explorer

I have Splunk ES Setup and I can see the logs coming from Sophos Central onto the Search Head(where I installed the app).
I would like to know where these logs are stored in Splunk. I have tried to find logs on indexers but it wasn't.

0 Karma

Ultra Champion

It might be indexed locally on the search head that does the API calls. Doesn't sound like something you want especially in a SH cluster.

Typically in distributed/clustered environments these kinds of API data collection methods are ran from a Heavy Forwarder that then sends it to the indexers.

Also, that app you mention (assuming you tagged the correct app) is deprecated. Have a look at these instead.

TA Sophos Add-on for Splunk https://splunkbase.splunk.com/app/4096/
APP Sophos App for Splunk https://splunkbase.splunk.com/app/4097/

0 Karma

Influencer

App logs as other logs are stored under $SPLUNK_HOME/var/log/splunk

0 Karma