Security Heartbeat: Understanding

Hi Ben,

How did you know that your windows machines heartbeat turned red? in the XG dashboard? 

I suppose that reasons for red heartbeat are indicated already once you click the status on the dashboard.

Is this recurring until now? please attach screenshots if yes. 

Regards,

Rap

XLR8

Here is a screenshot, you can't click on the endpoints there is nothing to click. There is no explanation either in XG or Central as to why these endpoints are red.

Ben,

check Sophos Central Logs (if there are any) and check even XG from advanced shell:

tail -f /log/heartbeatd.log     

Also check if debugging is possible on the heatbeat service using the command:

service hearbeat:debug -dsnosync

Let us know.

Thanks

Thanks for posting Luk

Does this help at all?

Ben,

make sure to create a top firewall rule where these domains are allowed:

Below are the FQDNs if you need to create a rule

Luk

Forgive me but if this was a firewall rule problem, wouldn't all my PC's show as red? As it stands, half of my PC's are green?

Hi Ben,

I too have run into this issue numerous times, especially going from Standard to Advanced.  We have worked with Sophos support and identified an issue with the events.db file.  We have been able to fix this in 2 ways (YMMV):

1. Remove and reinstall the client.
2. Delete the events.db file.

To delete the events.db file, do the following:

1. Disable tamper protection.
2. Navigate to C:\ProgramData\Sophos\Health\Event Store\Database\ and delete/rename events.db.
3. Restart the Sophos Health Service and Heartbeat Service.

Thanks,

John

Hi Ben,

I too have run into this issue numerous times, especially going from Standard to Advanced.  We have worked with Sophos support and identified an issue with the events.db file.  We have been able to fix this in 2 ways (YMMV):

1. Remove and reinstall the client.
2. Delete the events.db file.

To delete the events.db file, do the following:

1. Disable tamper protection.
2. Navigate to C:\ProgramData\Sophos\Health\Event Store\Database\ and delete/rename events.db.
3. Restart the Sophos Health Service and Heartbeat Service.

Thanks,

John

Thanks Axsom1 that did the trick!

I had to do it slightly different to how you have listed. There was no need to reinstall but the following worked:

1. Disable tamper protection locally using TP password (turning it off via Central didn't do anything)

2. Stop heartbeat service in services.msc

3. End "Health.exe" in task manager (there is no option to stop this service in services.msc)

4. Rename C:\ProgramData\Sophos\Health\Event Store\Database\events.db

5. At this point there is no way to restart the Health service so i rebooted.

Immediately the Status of this PC turned green on the XG console!

Cheers