This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort service not starting after using Sophos central migration tool.

Hi everyone,

We have been migrating Windows PC's from Enterprise Console over to Sophos Central. Sophos is installing on the PC's however it we see that the error: Not started: Sophos Snort when the PC appears in Sophos Central.

We have rebooted the endpoints and it still appears. Has anyone else experienced this?

Are we mising a step in the migration dance?

Thanks,

John.



This thread was automatically locked due to age.
  • Hi John,

    Thank you for reaching us regarding this error you're getting. have you tried rebooting the device after migration. The said issue has been seen on this Community post. If the issue persists after restart please let us know and upload the SDU logs over this post 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi,

    Thanks but as I said in the original post we've tried restarting the endpoints but they still show the Snort service error. I've run SDU on one of the workstations showing the error but I cant see how to attach the SDU logs, we are a secure company and so do not store files in the cloud so I cannot link to the files.

    John

  • I'e just noticed how to attach the SDU logs, sorry.

  • "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" is the Sophos Network Threat Protection Service. This service, when IPS is enabled in policy, launches the SophosIPS.exe process.  The command line would be something like the following:

    "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe" -c "C:\Program Files\Sophos\Sophos Network Threat Protection\IPS Configuration\sophosips.conf" -Q -S "IPS_CODE_PATH=C:\Program Files\Sophos\Sophos Network Threat Protection" -S "IPS_DATA_PATH=C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS"

    So the logs:
    SntpService.log and SophosIPS.log under: 
    C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\
    would be worth checking.

    I assume the SophosIPS.exe process maybe starts and exits when it should continue to run as a child of the service?

    Maybe if you run Process Monitor, you can see the Exit code of the process?