Sophos filling up client security logs

I have an issue where around 20% of my Sophos clients are logging security event 680 (successful log attempt) every 5 minutes or so from Sophos itself.  I am new to Sophos.

We do not want to disable logging, but I'm curious why this is happening so often.  The logs are filling up every week or so.

We are running Sophos Console 4.

Any ideas?

-John

  • Hello John,

    the 680 (and 528/538) events are generated for the SophosSAU<computername>0 user. The Sophos AutoUpdate Service logs on as LOCAL SYSTEM. This account can't access network resources (except null sessions). In order to download the updates the service logs on this local user (5 minutes seems to be your update interval).

    It looks like only 20% of your clients are auditing successful logon events.

    Christian
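
An added example, not part of the original thread: given a Security log exported as CSV, it groups the 680/528/538 events by account to show how much of the volume comes from the SophosSAU<computername>0 logons and at what interval. The column layout, function names and sample rows are assumptions constructed for illustration.

```python
import csv
import statistics
from collections import defaultdict
from datetime import datetime

LOGON_EVENT_IDS = {"680", "528", "538"}  # event IDs named in the reply
# Constructed sample export: time, event ID, account, computer (not real data).
SAMPLE = """\
2009-03-02 10:00:03,680,SophosSAUWKS0170,WKS017
2009-03-02 10:00:03,528,SophosSAUWKS0170,WKS017
2009-03-02 10:00:09,538,SophosSAUWKS0170,WKS017
2009-03-02 10:02:41,680,jsmith,WKS017
2009-03-02 10:05:04,680,SophosSAUWKS0170,WKS017
2009-03-02 10:10:02,680,SophosSAUWKS0170,WKS017
"""


def is_autoupdate_account(account, computer):
    """Match the SophosSAU<computername>0 naming pattern, case-insensitively."""
    return account.lower() == f"sophossau{computer}0".lower()


def summarize(export_text):
    """Per (computer, account): event count and median seconds between 680s."""
    counts, times_680 = defaultdict(int), defaultdict(list)
    for row in csv.reader(export_text.splitlines()):
        if len(row) != 4 or row[1] not in LOGON_EVENT_IDS:
            continue
        when, event_id, account, computer = row
        counts[(computer, account)] += 1
        if event_id == "680":
            times_680[(computer, account)].append(datetime.fromisoformat(when))
    report = {}
    for (computer, account), count in counts.items():
        stamps = sorted(times_680[(computer, account)])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[(computer, account)] = {
            "events": count,
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "autoupdate": is_autoupdate_account(account, computer),
        }
    return report


def autoupdate_share(report):
    """Fraction of all logon events that come from SophosSAU accounts."""
    total = sum(r["events"] for r in report.values())
    noisy = sum(r["events"] for r in report.values() if r["autoupdate"])
    return noisy / total if total else 0.0
```

A median gap close to the configured update interval, together with a high share, points to the AutoUpdate logons rather than user activity as the source of the log growth.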
