Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 18525 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dead Client Reporting

mrhollywoodg

Long story short - I just inherited managing Sophos from another department in IT, so I have yet to go through my Sophos training (I just finished scheduling it, it just hasn't happened yet).  I've been going through the help docs, etc.  

What I'd like to do is groom the Sophos Enterprise Console.  Right now there are a lot of clients in the console that aren't reporting in - I realize some of this is normal (laptops, shut-down, etc), but I also know that as computers have been retired and ewasted, they have not been removed from the console.  Is there a way to groom by "last message received from computer" or some other field to weed out the computers that will never check-in again? Or is there some other way of doing this that you know.  

Any help is appreciated! 

:23267


This thread was automatically locked due to age.
  • 0
    Hello terriblylongusername,

    have a look at PurgeDB.exe http://www.sophos.com/support/knowledgebase/article/109884.html. Apart from this, simply delete the ones you know no longer exist from the console (they remain in the database and can later be removed using PurgeDB).

    HTH
    Christian
    :23273
  • 0

    Hi, Christian, 

    Thanks for pointing me to the purgeDB tool. I think that will be helpful later, but for now I just want to manage them in the console.  

    As for your suggestion of deleting the ones I know are no longer there, that's my problem - I don't know which ones are no longer there, that's why I'd like to run a report to see which ones haven't checked-in within the last 90 days, or 30 days, etc. Then I can take that report and compare it to our asset database to determin which ones to delete. The sophos server was basically unmanaged for a while, and now I'm trying to clean it up.  

    Also, I wonder if there's a way to see if there are any duplicate computers in Sophos? As in, the computer was reimaged, given the same computer name, and had sophos reinstalled - would it create a duplicate entry in the Enterprise Console? 

    Again, I just got this project with zero training as of yet, but I have many hours scheduled with Sophos soon - my supervisors are just asking for reports before then... 

    Thanks again for any help! 

    :23275
  • 0

    Too many questions for this time of day (9pm here). For today I'll just mention that you can sort by any column in any view of SEC by clicking on the column header. The name is in any view, Last Message Time on the computer details.
    To a certain extent you can export what you see in SEC (I've never used it and don't have access right now but you can play with it). A little bit of experimenting should enable you to produce some reports for management ;-)

    [Edit several hours later]:

    You can Copy the entire contents of a view from SEC by clicking somewhere in the view (e.g. a client's name), then Ctrl-C (or choose Edit/Copy from the menu bar) and paste to a spreadsheet for example.

    Another option is the Sophos Reporting Interface tool (available on the Downloads page) - please see the documentation.

    The following q&d query (based on the one posted by Jak) might help you with identifying duplicates:

    SELECT     c.Name,
        c.Description,
        c.DomainName,
        c.OperatingSystem,
        c.Managed,
        c.Deleted,
        c.Connected,
        c.insertedat,
        c.DNSName,
        dbo.IPAddressText(c.IPAddress) AS IPAddress,
        c.MessageSystemAddress,
        g.Name
    FROM [SOPHOSxx].[dbo].[ComputersAndDeletedComputers] AS c
        INNER JOIN ComputerGroupMapping AS cgm ON cgm.ComputerID = c.ID
            INNER JOIN Groups AS g ON g.ID = cgm.GroupID
    WHERE c.Name IN(
        SELECT  c.Name
        FROM [SOPHOSxx].[dbo].[ComputersAndDeletedComputers] AS c
            WHERE Deleted = 0
        GROUP BY c.Name
        HAVING ( COUNT(c.Name) > 1)
        )
    ORDER BY c.Name

    Use the appropriate name for SOPHOSxx (e.g. SOPHOS45 for SEC 4.5)

    This should give you all computer names which appear (i.e. can be seen) more than once in SEC. These might be different (i.e. valid) computers which happen to have identical names or duplicates created because SEC couldn't match If you omit the WHERE Deleted = 0 the result will also contain those which have been manually deleted  (and some flagged as deleted by SEC when a "duplicate" was found - the logic has changed with the SEC versions).

    HTH

    Christian

    :23277
  • 0

    To extract a quick list of how many computers haven't reported for a while use:

    sqlcmd -E -S .\sophos -d sophos50 -Q "select name from computersanddeletedcomputers where managed=1 and lastmessagetime<'MM/DD/YYYY'" > C:\nonReportingComputerList.txt

     Change MM/DD/YYYY for a reasonable date (e.g., 01/31/2012 for computers that have stopped reported from 31st January).  Also change the 'sophos50' if you don't have Enterprise Console v.5.0.  To find out what the database name is see article 17323.

    You can safely play with the date and get comfortable with the number of computers returned.  Then, as suggested, use PurgeDB.exe with the -HistoryLengthInDays= option to clear dead endpoints out of the console.  Any computers that you purge, that then do just happen to report in, will pop back into the console.

    :23313
  • 0

    Or: click your main server name on the console (in our instance SophosAV), View: All computers. On the tab right under view select "Computer Details" -> scroll over to Last message time. Viola.

    :23315
  • 0

    Thanks for the help!  I'll try the sqlcmd out soon.  

    For viewing it in the console, I have the "Computer Details" tab, but I don't see a column for "Last Message Time."  Maybe it's my version of the console? (4.5).  

    :23319
  • 0

    The SQL command gave me just what I needed!  I had to change the .\sophos to the name of our SQL database, and change sopohs50 to sopohs45 to reflect our version of the console (hopefully upgrading soon, thouhg), but after that it worked.  Got a text file with all the results (over 100 since Jan 31!) that I can now compare to our asset database. 

    Thanks for the help! 

    :23331