Huge folder sophos\endpoint defense\data\event journals\sophosED

Checking disk space consumers on our windows servers we see that Sophos folder is huge on them:

%programdata%\sophos\endpoint defense\data\event journals\sophosED

Some of the subfolders contain tenthousands of files (e.g. Dns or FileBinaryChanges sub-folder) , some folders contain files, that are more than 2 years old.

Who is doing the housekeeping here? That mess slows down backups and other tasks.

one server:

other server:



Edited TAGs
[edited by: Gladys at 3:19 PM (GMT -8) on 19 Jan 2023]
Parents
  • SEDService.exe ("Sophos Endpoint Defense Service") performs the housekeeping of these files and runs every 4 or 5 mins to perform this task. It compresses the current .bin file to .xz for example and keeps the size of each journal under the max size which are defined here:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects

    You can see the max size of each journal subject and if you total up all the values:

    Name Property
    ---- --------
    DirectoryChanges MaxDiskUsageMB : 219
    Dns MaxDiskUsageMB : 219
    FileBinaryChanges MaxDiskUsageMB : 437
    FileBinaryReads MaxDiskUsageMB : 437
    FileDataChanges MaxDiskUsageMB : 219
    FileDataReads MaxDiskUsageMB : 219
    FileHashes MaxDiskUsageMB : 219
    FileOtherChanges MaxDiskUsageMB : 219
    FileOtherReads MaxDiskUsageMB : 219
    FileProperties MaxDiskUsageMB : 219
    Http MaxDiskUsageMB : 219
    Image MaxDiskUsageMB : 219
    Ip MaxDiskUsageMB : 219
    Network MaxDiskUsageMB : 219
    Process MaxDiskUsageMB : 437
    ProcessProperties MaxDiskUsageMB : 219
    Registry MaxDiskUsageMB : 219
    System MaxDiskUsageMB : 219
    Thread MaxDiskUsageMB : 219
    Url MaxDiskUsageMB : 219
    WinSec MaxDiskUsageMB : 219

    18*219 + 3*437 =  3942+1311= 5253 MB.

    ---

    In Central you could half this size, e.g.

    To:



    Once the policy arrives at the client:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Cache\CORC37.policy
      <eventJournalSizeLimit>2625</eventJournalSizeLimit>

    The registry values are changed to:

    Name Property
    ---- --------
    DirectoryChanges MaxDiskUsageMB : 109
    Dns MaxDiskUsageMB : 109
    FileBinaryChanges MaxDiskUsageMB : 219
    FileBinaryReads MaxDiskUsageMB : 219
    FileDataChanges MaxDiskUsageMB : 109
    FileDataReads MaxDiskUsageMB : 109
    FileHashes MaxDiskUsageMB : 109
    FileOtherChanges MaxDiskUsageMB : 109
    FileOtherReads MaxDiskUsageMB : 109
    FileProperties MaxDiskUsageMB : 109
    Http MaxDiskUsageMB : 109
    Image MaxDiskUsageMB : 109
    Ip MaxDiskUsageMB : 109
    Network MaxDiskUsageMB : 109
    Process MaxDiskUsageMB : 219
    ProcessProperties MaxDiskUsageMB : 109
    Registry MaxDiskUsageMB : 109
    System MaxDiskUsageMB : 109
    Thread MaxDiskUsageMB : 109
    Url MaxDiskUsageMB : 109
    WinSec MaxDiskUsageMB : 109

    Next time SEDService.exe carries out its work, the max size per subject should be met.

  • cool - thank you for that detailled information. as always very good input from you 930!

    So we could work around with lowering eventJournalSizeLimit  to something and raise it up after one or two days.


    a perfect combination would be an option in Central to set the number of days to keep for the Event Journals besides the max amount of disk space consumed.

Reply Children