Missing Logs from the API endpoint

Hi,

We continuously query Sophos Central API endpoints for alerts, events on a 5 minute basis.

We've noticed that there are missing logs every day.

The next cursor that is returned in every response is used in the next request to query for new data.

But at the end of the day, when i query for events for the entire day using start date instead of next cursor, all of the logs seem to be there.

So, it seems a case of events sneaking in after the response is returned by the API somehow.

Could someone please let us know if anything is missing in the way we query for data ?

Thank you

Ravi

Top Replies

RichardP over 5 years ago in reply to Ravi Polepeddi +1

The API is differential. If you have gotten a record down in a previous request it won't return that record again.

Are you seeing only new data in the 5 min intervals and the 'missing' data is the stuff from the previous requests?
Jump to answer

0 RichardP over 5 years ago in reply to Ravi Polepeddi

Not as of yet, I will chase for you.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ravi Polepeddi over 5 years ago in reply to RichardP

Yes please. Thank you
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ravi Polepeddi over 5 years ago in reply to Ravi Polepeddi

Hi Richard. Any progress on this yet please ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RichardP over 5 years ago in reply to Ravi Polepeddi

Not at this time. Apologies.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RichardP over 5 years ago in reply to RichardP

FYI: the development team is looking at this.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RichardP over 5 years ago in reply to RichardP

I got the following statement back from development:

Variance in events data retrieved stems from the different time recorded for the event generation vs event ingestion. For example, an endpoint could generate an event, but not send it due to various scenarios (endpoint is offline, bandwidth, etc.). Events are retrieved based on the ingestion time both for UI and API, thus an event generated earlier may appear later in the list.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ravi Polepeddi over 5 years ago in reply to RichardP

Hi Richard. Could you confirm this ? when has_more is False in a response, that cursor needs to be used again and again until the log count touches 200 which is the default number of logs sent. At the same time, there is the next cursor that needs to be used as well. Does this mean that we have to store the previous cursor which has less than 200 logs and the next cursor ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ravi Polepeddi over 5 years ago in reply to Ravi Polepeddi

Currently, where there is a nextCursor value supplied, we discard/ignore has_more value and always use the nextCursor to get the next batch of logs. But it seems to be as long as the cursor's log count is not 200, you cannot discard it. Is this right ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ravi Polepeddi over 5 years ago in reply to Ravi Polepeddi

Hi Richard. Could you also let us know why we are not able to see the Sophos Intercept X Logs at all using the above API ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel