
Sophos Log Writer - Finding out of date machines

I am looking to use the Sophos Log Writer and Splunk to alert our support teams to machines that are not “up to date” so they can be investigated.

I know how to edit the SophosLogWriterConfig.xml to call different data sources, but can't see a .config file that contains the "Up to Date" or "Last Message Received" information.

Is this possible with the Log Writer? I can see references to a ComputerControl.config file in other community posts, but I don't seem to have this.

Ultimately, we just want to identify any machines that may have a client issue, so happy to use another field if there is something more appropriate?

Thanks for any advice!



  • Just in case anyone else is interested, I have logged this with Sophos.

    I think you can get this kind of info from the Reporting Interface, but I suspect the Log Writer only works with events rather than host info, and a machine turning from up-to-date to not-up-to-date is not considered an event.

    I'll confirm if/when I get clarification from Sophos support. Depending on your needs, it could be something to consider when planning your reporting set-up (especially before spending money on Splunk or some such).

  • Just to add that Sophos have confirmed this is not possible.

    A feature request has been raised for the Log Writer (though it would probably have been better to ask for a built-in "out of date" report), but a potential solution would be the Reporting Interface with some kind of DB query tool.

    Does anyone use any free tools for this? I know Crystal Reports is a paid option.

  • The console ships with the "reporting interface", effectively a set of views to support (most) point-in-time reporting needs.

    Easy enough to achieve in Excel with a database connection to your SESC Console (refer to the sample queries below) and some pivot tables / charts. I'm sure there are more elegant ways to achieve this, but it works.

    n-10 most recent SAV Versions (Windows):

    SELECT DISTINCT TOP (10) PackageID, Product, SAVVersion
    FROM SOPHOS521.[Sophos Reporting Interface].vPackageData
    WHERE RIGHT(product,2)='XP' AND NotificationTime IS NOT NULL
    GROUP BY PackageID, SAVVersion, Product
    ORDER BY PackageID DESC

    Endpoint details:

    SELECT c.Name AS [Computer Name],
    c.Domain AS [Domain Name],
    ISNULL(c.IPAddress,N'') AS [IP],
    ISNULL(c.LastMessageReceivedTime,N'') AS [LastRMSMessageTime],
    g.PathAndName AS [SEC Group],
    ISNULL(p.SAVVersion,N'') AS [SAV Version],
    ISNULL(p.VirusDataVersion,N'') AS [SAV Virus Data Version],
    ISNULL(p.EngineVersion,N'') AS [SAV Engine Version]
    FROM [SOPHOS521].[Sophos Reporting Interface].[vComputerHostData] AS c
    LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].[vComputerPackageMapping] AS cpm
    ON cpm.ComputerID = c.ComputerID
    LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].[vPackageData] AS p
    ON p.PackageID = cpm.PackageID
    LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].[vComputerGroupMapping] AS cgm
    ON cgm.ComputerID = c.ComputerID
    LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].vGroupPathAndNameData AS g
    ON g.GroupID = cgm.GroupID
    ORDER BY c.Name ASC

    Note: You'll need to update the database name for your current version.

    --UPDATE-- this actually should be moved to the Reporting Interface discussion

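Building on the Reporting Interface approach above, the query below is an added example (not from this thread or from Sophos) that turns the endpoint-details query into an "out of date" report: it flags any endpoint that has not sent an RMS message in a chosen number of days, has no package data, or reports a virus data version behind the newest one seen for its product. It assumes the same SOPHOS521 database, views and columns used in the queries above; the 7-day threshold and the "newest version per product" rule are my own choices.

```sql
-- Added example, not the thread's own code. Uses only the views and columns
-- already shown in this thread; the database name SOPHOS521 must be changed
-- to match your console version, as the poster notes above.
DECLARE @StaleAfterDays int = 7;  -- assumption: treat 7 days of silence as a client issue

-- Newest virus data version reported for each product. MAX() compares as text,
-- which is only reliable while Sophos keeps the version format consistent.
WITH LatestData AS (
    SELECT Product, MAX(VirusDataVersion) AS LatestVirusData
    FROM [SOPHOS521].[Sophos Reporting Interface].[vPackageData]
    WHERE NotificationTime IS NOT NULL
    GROUP BY Product
)
SELECT c.Name AS [Computer Name],
       c.Domain AS [Domain Name],
       ISNULL(c.IPAddress, N'') AS [IP],
       c.LastMessageReceivedTime AS [LastRMSMessageTime],
       p.Product AS [Product],
       ISNULL(p.VirusDataVersion, N'') AS [SAV Virus Data Version],
       ISNULL(l.LatestVirusData, N'') AS [Latest Virus Data Version],
       CASE
           WHEN c.LastMessageReceivedTime IS NULL
             OR c.LastMessageReceivedTime < DATEADD(day, -@StaleAfterDays, GETDATE())
               THEN 'No RMS message in ' + CAST(@StaleAfterDays AS varchar(10)) + ' days'
           WHEN p.VirusDataVersion IS NULL THEN 'No package data'
           ELSE 'Virus data behind latest'
       END AS [Reason]
FROM [SOPHOS521].[Sophos Reporting Interface].[vComputerHostData] AS c
LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].[vComputerPackageMapping] AS cpm
    ON cpm.ComputerID = c.ComputerID
LEFT OUTER JOIN [SOPHOS521].[Sophos Reporting Interface].[vPackageData] AS p
    ON p.PackageID = cpm.PackageID
LEFT OUTER JOIN LatestData AS l
    ON l.Product = p.Product
-- Keep only endpoints that match at least one "needs a look" condition
WHERE c.LastMessageReceivedTime IS NULL
   OR c.LastMessageReceivedTime < DATEADD(day, -@StaleAfterDays, GETDATE())
   OR p.VirusDataVersion IS NULL
   OR p.VirusDataVersion <> l.LatestVirusData
ORDER BY c.LastMessageReceivedTime ASC, c.Name ASC;
```

Run it on a schedule from Excel, a SQL Agent job or whatever feeds Splunk; the [Reason] column gives the support team the first thing to check on each machine.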