Huge folder sophos\endpoint defense\data\event journals\sophosED

Checking disk space consumers on our Windows servers, we see that the Sophos folder is huge on them:

%programdata%\sophos\endpoint defense\data\event journals\sophosED

Some of the sub-folders contain tens of thousands of files (e.g. the Dns or FileBinaryChanges sub-folder), and some folders contain files that are more than 2 years old.

Who is doing the housekeeping here? That mess slows down backups and other tasks.

one server:

other server:



[edited by: Gladys at 3:19 PM (GMT -8) on 19 Jan 2023]
  • SEDService.exe ("Sophos Endpoint Defense Service") performs the housekeeping of these files and runs every 4 or 5 mins to perform this task. It compresses the current .bin file to .xz, for example, and keeps the size of each journal under the max size, which is defined here:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects

    You can see the max size of each journal subject, and if you total up all the values:

    Name Property
    ---- --------
    DirectoryChanges MaxDiskUsageMB : 219
    Dns MaxDiskUsageMB : 219
    FileBinaryChanges MaxDiskUsageMB : 437
    FileBinaryReads MaxDiskUsageMB : 437
    FileDataChanges MaxDiskUsageMB : 219
    FileDataReads MaxDiskUsageMB : 219
    FileHashes MaxDiskUsageMB : 219
    FileOtherChanges MaxDiskUsageMB : 219
    FileOtherReads MaxDiskUsageMB : 219
    FileProperties MaxDiskUsageMB : 219
    Http MaxDiskUsageMB : 219
    Image MaxDiskUsageMB : 219
    Ip MaxDiskUsageMB : 219
    Network MaxDiskUsageMB : 219
    Process MaxDiskUsageMB : 437
    ProcessProperties MaxDiskUsageMB : 219
    Registry MaxDiskUsageMB : 219
    System MaxDiskUsageMB : 219
    Thread MaxDiskUsageMB : 219
    Url MaxDiskUsageMB : 219
    WinSec MaxDiskUsageMB : 219

    18*219 + 3*437 = 3942 + 1311 = 5253 MB.

    ---

    In Central you could halve this size, e.g.

    To:



    Once the policy arrives at the client:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Cache\CORC37.policy
      <eventJournalSizeLimit>2625</eventJournalSizeLimit>

    The registry values are changed to:

    Name Property
    ---- --------
    DirectoryChanges MaxDiskUsageMB : 109
    Dns MaxDiskUsageMB : 109
    FileBinaryChanges MaxDiskUsageMB : 219
    FileBinaryReads MaxDiskUsageMB : 219
    FileDataChanges MaxDiskUsageMB : 109
    FileDataReads MaxDiskUsageMB : 109
    FileHashes MaxDiskUsageMB : 109
    FileOtherChanges MaxDiskUsageMB : 109
    FileOtherReads MaxDiskUsageMB : 109
    FileProperties MaxDiskUsageMB : 109
    Http MaxDiskUsageMB : 109
    Image MaxDiskUsageMB : 109
    Ip MaxDiskUsageMB : 109
    Network MaxDiskUsageMB : 109
    Process MaxDiskUsageMB : 219
    ProcessProperties MaxDiskUsageMB : 109
    Registry MaxDiskUsageMB : 109
    System MaxDiskUsageMB : 109
    Thread MaxDiskUsageMB : 109
    Url MaxDiskUsageMB : 109
    WinSec MaxDiskUsageMB : 109

    Next time SEDService.exe carries out its work, the max size per subject should be met.
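As an added example (not Sophos' code and not from the reply above), a read-only PowerShell check that reads the MaxDiskUsageMB cap of every subject from the registry key quoted above and compares it with what each subject's folder actually occupies on disk, so you can see whether SEDService.exe housekeeping is keeping up. It assumes each subject has a same-named sub-folder under the sophosED journal directory; nothing is modified.

```powershell
# Added example (not Sophos' code): compare configured journal caps with on-disk usage.
# Assumption: each registry subject (Dns, Process, ...) maps to a same-named sub-folder.
$subjectsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects'
$journalRoot = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data\Event Journals\SophosED'

function Get-JournalUsage {
    param([string]$Key = $subjectsKey, [string]$Root = $journalRoot)

    # One subkey per journal subject; MaxDiskUsageMB is the cap SEDService.exe enforces.
    Get-ChildItem -Path $Key -ErrorAction Stop | ForEach-Object {
        $name  = $_.PSChildName
        $limit = [int](Get-ItemProperty -Path $_.PSPath -Name MaxDiskUsageMB `
                    -ErrorAction SilentlyContinue).MaxDiskUsageMB
        $dir   = Join-Path $Root $name
        $files = @()
        if (Test-Path -LiteralPath $dir) {
            # .bin (current) and .xz (compressed) journal files live under each subject folder
            $files = @(Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue)
        }
        $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
        $oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime

        [pscustomobject]@{
            Subject    = $name
            LimitMB    = $limit
            UsedMB     = [math]::Round(($bytes / 1MB), 1)
            Files      = $files.Count
            OldestFile = $oldest
            OverLimit  = ($bytes / 1MB) -gt $limit   # true means housekeeping is not keeping up
        }
    }
}

$usage = Get-JournalUsage
$usage | Sort-Object UsedMB -Descending | Format-Table -AutoSize

# With the default policy the caps add up to 5253 MB, as calculated in the reply above;
# after halving the limit in Central they should add up to roughly 2625 MB.
$totalLimit = ($usage | Measure-Object -Property LimitMB -Sum).Sum
$totalUsed  = ($usage | Measure-Object -Property UsedMB  -Sum).Sum
"Configured cap: {0} MB   Actual on disk: {1} MB" -f $totalLimit, $totalUsed
```

Run it from an elevated PowerShell, since the journal folder and the service key are normally readable only by administrators; a subject showing OverLimit = True for more than a few housekeeping cycles is the one worth raising with support.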
