
Endpoints Not Reporting in - How can I be alerted

New to Sophos - working on monitoring and reporting.  I have thousands of endpoints - how am I notified when endpoints stop reporting in for updates?  Is it possible to get Email notifications?



  • Hello kwb313,

    when endpoints stop reporting in for updates

    what exactly do you mean by that?

    As you are new, I'll try to give a few details which I hope will explain why I'm asking this: Apart from the actual AV component, a managed endpoint also has the AutoUpdate (which downloads and installs updates) and RMS (Remote Management System - which sends status information, events and alerts to the console and receives policies and action requests from it) components installed.

    An endpoint going online tries to connect (log on) to the console; if the connection succeeds it's considered Connected by SEC. When it's shut down properly RMS actively logs off and SEC considers the client as Disconnected. The status in SEC might not be correct though in case of network errors and similar issues.

    Enter stop reporting. Naturally a switched-off endpoint will not report - but nor will an endpoint which experiences an issue with RMS. There's no way for SEC to tell these two situations apart. In the Dashboard under Protection only Connected endpoints are considered for reporting (and viewing) Out-of-date computers. An endpoint is considered as being out-of-date if either it is connected and sends a status message which indicates that its AV-package is not the one considered current or when it hasn't sent an updated status (whether connected or not) within a certain interval after a new package has become available.  

    In addition AutoUpdate notifies the console of download and update errors (these apply to all components though). 

    Usually only a part (the exact portion depends and can vary widely) of your endpoints will be connected and, with thousands, up to a few percent of them could be out-of-date even if everything is working smoothly.

    SEC keeps track of the numbers of connected out-of-date computers and the computers with errors (but note that Errors comprises scanning, cleanup, device control and other errors as well) and lets you configure Warning and Critical levels as percentages. You can request that email alerts are sent when one of the levels is exceeded - i.e. it's assumed that the percentage subsequently falls below the threshold (either due to your actions or "by itself"). Dashboard and Email are configured from the Tools menu.

    HTH

    Christian 
