Huge folder sophos\endpoint defense\data\event journals\sophosED

Checking disk space consumers on our windows servers we see that Sophos folder is huge on them:

%programdata%\sophos\endpoint defense\data\event journals\sophosED

Some of the subfolders contain tenthousands of files (e.g. Dns or FileBinaryChanges sub-folder) , some folders contain files, that are more than 2 years old.

Who is doing the housekeeping here? That mess slows down backups and other tasks.

one server:

other server:



Edited TAGs
[edited by: Gladys at 3:19 PM (GMT -8) on 19 Jan 2023]
Parents Reply Children
  • Event Journal configuration is now there in our Central Settings:

    It can only control size, not max number of files or retention time.

    The documentation* writes, there is a default of 90 days retention. As we can see from here, several folders store data for multiple years or more likely never delete old files and store files from the beginning of the Intercept-X installation on. Probably someone forgot to program that feature for every sub folder.

    * = We store event journals on your managed Windows devices. They record activity on your devices, and you can query them with Live Discover "Endpoint" queries in the Threat Analysis Center. See Live Discover. By default, we store 90 days of activity.

  • Answer from Support was:

    The age of data is not relevant. It's all down to the disk space. It could contain data for years, or weeks. It all depends how much data is being written to the Event Journals. The 90 days is based on typical usage/data being written to the Journals - doesn't mean it's the same for every device though.
    As per the notification with the new release for the Event Journal, the default size is 5250 MB. It doesn't matter how old the data is as long as it doesn't breach that limit.

    For me it means, that now with the new feature in Central, the solution to remove old files on all servers once is to temporarily lower the disk space from 5250 MB to something low. And then raise it again. One would need to test this really deletes the files accross all folders (like the Dns folder), not only the ones that already seem have a working file retention enabled by now. It that works, this would need to be done every now and then.