This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos AV Linux - Constant Emailing of old Errors

I had email issues from a linux server, and have since fixed it. Now Sophos is constantly sending old email alerts for errors that look like this:

An error classified as '0x3c: Unable to write to talpa socket' was detected in the file '/var/log/samba/log.smbd' when closing it at Tue Sep  4 15:26:31 2018 MDT -1300 (2018-09-04 21:26:31 UTC).  Access to the file was not allowed.

I have Excluded the directory to fix this error, but the emails just keep coming (100's and 100's)... can I clear out all email alerts and just have Sophos AV Linux start from now and forward? Why aren't these autoclearing?



This thread was automatically locked due to age.
Parents
  • Hello PsychoGTI ,

    100's and 100's
    then just one sample isn't telling much. Anyway, do they all have timestamps from the past? Does it appear to resend messages already sent?

    Why aren't these autoclearing?
    Please check the logs in /opt/sophos-av/log/smtp.log*, queued messages can be found in /opt/sophos-av/var/spool/. This should give some insight. Email notifications work quite plain and simple. Messages are enqueued in the /spool/ directory and once successfully sent they are deleted. AFAIK sending is retried when a new message arrives and probably at regular intervals.

    Christian   

  • Hi Christian,

    I don't think it is re-sending/re-generating emails that it's previously sent as there were 1956 emails generated in spool just for September 17th, but now there are only 2 for today, both are for updating the virus  manifest successfully... So the new exclude seems to be working.

    There is currently 187,000+ emails in the spool directory but it isn't growing. The logs show multiple emails being examined per second, for multiple dates in the past:

    08:21:48 (5508): Examining 2018-09-16.19-04-29.o3Amzi (on 5508)
    08:21:48 (5508): Retrying 2018-09-16.19-04-29.o3Amzi (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:48 (5508):  Success.
    08:21:48 (5508): Examining 2018-07-25.21-56-05.G5GIrT (on 5508)
    08:21:48 (5508): Retrying 2018-07-25.21-56-05.G5GIrT (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:48 (5508):  Success.
    08:21:48 (5508): Examining 2018-08-13.02-09-51.S2KCNd (on 5508)
    08:21:48 (5508): Retrying 2018-08-13.02-09-51.S2KCNd (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.
    08:21:49 (5508): Examining 2018-07-09.13-39-52.NV4D10 (on 5508)
    08:21:49 (5508): Retrying 2018-07-09.13-39-52.NV4D10 (on 5508)
    08:21:49 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.
    08:21:49 (5508): Examining 2018-08-19.20-08-08.Ve25aZ (on 5508)
    08:21:49 (5508): Retrying 2018-08-19.20-08-08.Ve25aZ (on 5508)
    08:21:49 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.

    I'm assuming if I clear out the spool directory, this will all stop....

Reply
  • Hi Christian,

    I don't think it is re-sending/re-generating emails that it's previously sent as there were 1956 emails generated in spool just for September 17th, but now there are only 2 for today, both are for updating the virus  manifest successfully... So the new exclude seems to be working.

    There is currently 187,000+ emails in the spool directory but it isn't growing. The logs show multiple emails being examined per second, for multiple dates in the past:

    08:21:48 (5508): Examining 2018-09-16.19-04-29.o3Amzi (on 5508)
    08:21:48 (5508): Retrying 2018-09-16.19-04-29.o3Amzi (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:48 (5508):  Success.
    08:21:48 (5508): Examining 2018-07-25.21-56-05.G5GIrT (on 5508)
    08:21:48 (5508): Retrying 2018-07-25.21-56-05.G5GIrT (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:48 (5508):  Success.
    08:21:48 (5508): Examining 2018-08-13.02-09-51.S2KCNd (on 5508)
    08:21:48 (5508): Retrying 2018-08-13.02-09-51.S2KCNd (on 5508)
    08:21:48 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.
    08:21:49 (5508): Examining 2018-07-09.13-39-52.NV4D10 (on 5508)
    08:21:49 (5508): Retrying 2018-07-09.13-39-52.NV4D10 (on 5508)
    08:21:49 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.
    08:21:49 (5508): Examining 2018-08-19.20-08-08.Ve25aZ (on 5508)
    08:21:49 (5508): Retrying 2018-08-19.20-08-08.Ve25aZ (on 5508)
    08:21:49 (5508): Emailing root@localhost via localhost:25
    08:21:49 (5508):  Success.

    I'm assuming if I clear out the spool directory, this will all stop....

Children