Checking disk space consumers on our Windows servers, we see that the Sophos folder is huge on them:
%programdata%\sophos\endpoint defense\data\event journals\sophosED
Some of the sub-folders contain tens of thousands of files (e.g. the Dns or FileBinaryChanges sub-folder), and some folders contain files that are more than 2 years old.
Who is doing the housekeeping here? That mess slows down backups and other tasks.
one server: [screenshot]
other server: [screenshot]
SEDService.exe ("Sophos Endpoint Defense Service") performs the housekeeping of these files and runs every 4 or 5 minutes to perform this task. For example, it compresses the current .bin file to .xz and keeps the size of each journal under the max size, which is defined here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects
You can see the max size of each journal subject and if you total up all the values:
Name                 MaxDiskUsageMB
----                 --------------
DirectoryChanges     219
Dns                  219
FileBinaryChanges    437
FileBinaryReads      437
FileDataChanges      219
FileDataReads        219
FileHashes           219
FileOtherChanges     219
FileOtherReads       219
FileProperties       219
Http                 219
Image                219
Ip                   219
Network              219
Process              437
ProcessProperties    219
Registry             219
System               219
Thread               219
Url                  219
WinSec               219

18*219 + 3*437 = 3942 + 1311 = 5253 MB.
In Central you could halve this size, e.g. [screenshot: Central setting before]
To: [screenshot: Central setting after]
Once the policy arrives at the client, C:\ProgramData\Sophos\Management Communications System\Endpoint\Cache\CORC37.policy contains:

    <eventJournalSizeLimit>2625</eventJournalSizeLimit>

The registry values are changed to:

Name                 MaxDiskUsageMB
----                 --------------
DirectoryChanges     109
Dns                  109
FileBinaryChanges    219
FileBinaryReads      219
FileDataChanges      109
FileDataReads        109
FileHashes           109
FileOtherChanges     109
FileOtherReads       109
FileProperties       109
Http                 109
Image                109
Ip                   109
Network              109
Process              219
ProcessProperties    109
Registry             109
System               109
Thread               109
Url                  109
WinSec               109

Next time SEDService.exe carries out its work, the max size per subject should be met.
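As an added example (not code from this thread or from Sophos), the PowerShell below reads the per-subject MaxDiskUsageMB values from the Subjects registry key above, totals them the same way as the arithmetic in the answer, and compares each against the bytes actually on disk under the SophosED folder, counting files older than a cutoff and .bin files not yet rolled to .xz. It also reads eventJournalSizeLimit from the cached CORC37.policy so you can see whether the Central value has reached the registry. Assumptions: the sub-folder under SophosED has the same name as its subject (the thread names the Dns and FileBinaryChanges folders, which match), the policy cache is plain XML, and the parameter and function names are mine.

```powershell
# Added example, not Sophos code: audit Sophos event-journal disk usage against the
# per-subject MaxDiskUsageMB limits that SEDService.exe enforces. Run elevated.
param(
    [int]$MaxAgeDays = 365,   # flag journal files last written before this many days ago
    [string]$SubjectsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects',
    [string]$JournalRoot = (Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data\Event Journals\SophosED'),
    # Policy cache file quoted in the thread; assumed to be plain XML
    [string]$PolicyCache = (Join-Path $env:ProgramData 'Sophos\Management Communications System\Endpoint\Cache\CORC37.policy')
)

function Get-JournalLimit {
    # One object per subject subkey, carrying its configured MaxDiskUsageMB
    Get-ChildItem -Path $SubjectsKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Subject = $_.PSChildName; MaxMB = [int]$props.MaxDiskUsageMB }
    }
}

function Get-JournalUsage {
    param([string]$Subject)
    # Assumption: the sub-folder under SophosED has the same name as the subject
    $dir = Join-Path $JournalRoot $Subject
    $files = @()
    if (Test-Path -LiteralPath $dir) {
        $files = @(Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue)
    }
    $bytes = 0
    foreach ($f in $files) { $bytes += $f.Length }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    [pscustomobject]@{
        Files        = $files.Count
        UsedMB       = [math]::Round($bytes / 1MB, 1)
        OldFiles     = @($files | Where-Object { $_.LastWriteTime -lt $cutoff }).Count
        Uncompressed = @($files | Where-Object { $_.Extension -eq '.bin' }).Count   # not yet rolled to .xz
    }
}

function Get-PolicyJournalLimit {
    # Returns eventJournalSizeLimit (MB) from the cached Central policy, or $null if absent/unparseable
    if (-not (Test-Path -LiteralPath $PolicyCache)) { return $null }
    try {
        [xml]$policy = Get-Content -LiteralPath $PolicyCache -Raw
        # local-name() keeps the lookup working whatever XML namespace the policy declares
        $node = $policy.SelectSingleNode("//*[local-name()='eventJournalSizeLimit']")
        if ($node) { return [int]$node.InnerText }
    } catch { Write-Warning "Could not parse $PolicyCache as XML: $_" }
    return $null
}

$report = foreach ($limit in Get-JournalLimit) {
    $usage = Get-JournalUsage -Subject $limit.Subject
    [pscustomobject]@{
        Subject      = $limit.Subject
        MaxMB        = $limit.MaxMB
        UsedMB       = $usage.UsedMB
        Files        = $usage.Files
        Uncompressed = $usage.Uncompressed
        OldFiles     = $usage.OldFiles
        OverLimit    = ($usage.UsedMB -gt $limit.MaxMB)
    }
}

$report | Sort-Object UsedMB -Descending | Format-Table -AutoSize

$configuredMB = 0; $usedMB = 0
foreach ($r in $report) { $configuredMB += $r.MaxMB; $usedMB += $r.UsedMB }
"Sum of registry MaxDiskUsageMB: $configuredMB MB; on disk: $usedMB MB"

$policyMB = Get-PolicyJournalLimit
if ($null -ne $policyMB) {
    "Central eventJournalSizeLimit in $(Split-Path -Leaf $PolicyCache): $policyMB MB"
    # Per-subject values are rounded, so the registry sum can sit slightly below the policy value
    # (the thread's 2625 MB policy became 18*109 + 3*219 = 2619 MB); a large gap means the new
    # policy has not been applied to the registry yet.
    if ([math]::Abs($policyMB - $configuredMB) -gt 0.05 * $policyMB) {
        Write-Warning "Registry limits ($configuredMB MB) do not match the policy ($policyMB MB)"
    }
}
```

If housekeeping is working, OverLimit should be False for every subject; a subject that stays over its MaxMB, or a growing Uncompressed count, means SEDService.exe is not doing its rounds. A high OldFiles count with OverLimit False is expected behaviour rather than a fault: the housekeeping is size-based, so old files survive as long as the subject is under its limit.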
Cool - thank you for that detailed information. As always, very good input from you 930!
So we could work around this by lowering eventJournalSizeLimit to something and raising it up again after one or two days.
A perfect combination would be an option in Central to set the number of days to keep for the Event Journals besides the max amount of disk space consumed.
Yes, it could be that there was some event that caused a lot of data to be journaled; reducing the size to purge the journals and then increasing it again should work. It will be destructive, but could be done if needed to save space.