
Endpoint event not reported to console

Hello 

As per the subject above, our customer recently found that a few servers encountered virus/suspicious behaviour and it was moved to quarantine.

However, the event was not reported back to the console, and this is a security issue since the server owner didn't notice the event due to the huge environment (2000+ servers to monitor).

Currently we are waiting for feedback from support; while waiting, I'd appreciate it if someone has a solution or experience resolving this issue. Thanks

Sophos Enterprise Console (version: 5.0)



  • Hi,

    I would use sav.txt on the client to determine the time that the alert should have been sent on the client. Maybe use the event log to confirm and ensure you have the time stamp correct.

    Then check on the client the Sophos Agent logs (\programdata\sophos\remote management system\3\Agent\Logs\), then the Sophos Router logs (\programdata\sophos\remote management system\3\Router\Logs\). You should see in the Router log a message of type "EM-Entity-Event" being created. Hopefully these logs haven't been rotated already.

    Then on the server Router logs, you should be able to find an entry at this time for that message from the client. The next entry to check would be the msgn logs (\programdata\sophos\sophos endpoint management\log\, maybe in a version directory; use the timestamps to check which file is being written to) on the server to see if the message was received by the Sophos management service. Finally, a SQL query on the Sophos database:

    -- Threat instances joined to the computer list, matched on the console's computer name
    SELECT * FROM [ThreatInstancesAll] AS t
    INNER JOIN computerlistdata2 AS c
    ON c.computerid = t.computerid
    WHERE c.ComputerName LIKE '%machinename%'

    If that fails you may want to try:

    -- Same join, but matched on the RMS message system address instead of the computer name
    SELECT * FROM [ThreatInstancesAll] AS t
    INNER JOIN computerlistdata2 AS c
    ON c.computerid = t.computerid
    WHERE c.MessageSystemAddress LIKE '%machinename%'

    To try and find the message.

    As mentioned before, you'll have to move quickly, at least on the server logs, as the Router and Agent logs wrap every 4 MB (4 x 1 MB files) and on the server this doesn't span much time, especially if you're managing many clients.

    Hope you can trace the message.

    Regards,

    Jak

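One way to script the hop-by-hop trace Jak describes, as an added example that is not from the thread or from Sophos: it assumes a simple `YYYY-MM-DD HH:MM:SS message` line layout (the real RMS Agent/Router/msgn log format is not shown here), uses constructed log lines, and reports the first hop at which the EM-Entity-Event trail ends, distinguishing a message that never appears from a log that has already wrapped past the alert time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an ASSUMED "YYYY-MM-DD HH:MM:SS message" layout;
# the real RMS log format is not shown in the thread. The alert time would come
# from sav.txt on the client, as suggested in the answer above.
SAMPLE_ALERT_TIME = datetime(2012, 5, 14, 9, 14, 0)
SAMPLE_LOGS = {
    "client_agent": [
        "2012-05-14 09:14:02 Threat event queued for transmission",
        "2012-05-14 09:14:03 Sending EM-Entity-Event to router",
    ],
    "client_router": [
        "2012-05-14 09:14:03 Created message type EM-Entity-Event for server",
    ],
    "server_router": [
        # oldest surviving line is newer than the alert: the 4 x 1 MB files have wrapped
        "2012-05-14 11:02:17 Created message type EM-Entity-Event from OTHERHOST",
    ],
    "server_msgn": [
        "2012-05-14 09:00:00 Service started",
        "2012-05-14 09:20:00 Heartbeat",
    ],
}

# Delivery order of the hops the answer walks through
HOPS = ["client_agent", "client_router", "server_router", "server_msgn"]
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def parse(line):
    m = TS.match(line)
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)) if m else None

def check_hop(lines, alert_time, window=timedelta(minutes=5), marker="EM-Entity-Event"):
    """found: marker seen within the window around alert_time;
    rotated: the surviving log no longer covers alert_time;
    missing: the log covers alert_time but the marker never appears."""
    entries = [e for e in map(parse, lines) if e]
    lo, hi = alert_time - window, alert_time + window
    if any(marker in msg and lo <= t <= hi for t, msg in entries):
        return "found"
    if not entries or min(t for t, _ in entries) > hi:
        return "rotated"
    return "missing"

def trace(logs, alert_time, window=timedelta(minutes=5)):
    """Walk the hops in delivery order and stop at the first one where the trail ends."""
    results = {}
    for hop in HOPS:
        results[hop] = check_hop(logs.get(hop, []), alert_time, window)
        if results[hop] != "found":
            break
    return results
```

On the constructed sample the trail ends at the server Router hop with "rotated", which is exactly the case the answer warns about: the server-side logs had already wrapped before anyone looked.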