Alerting (or logging) if SEP is installed or uninstalled.

I am interested in logging whenever one of our system admins installs or removes SEP on a client machine (or whenever a new machine is joined/moved/removed in SEC). 

I'm aware of the Sophos Reporting Interface - and I use it to send Sophos logs to Graylog for central collection. But the SRI logging seems fairly limited - it doesn't seem to log when a new machine shows up or disappears in the Console, or is moved to a different group... so I wanted to double check: it's not capable of this level of logging, is it?

My 2nd choice would be to get email alerts whenever a computer is moved, added, removed... but SEC doesn't seem to have options for this, does it?

If anyone can confirm, or has other ideas for accomplishing this it would be appreciated.



This thread was automatically locked due to age.
  • Hello DennisSeaton,

    Sorry for the late reply (and I'm not Sophos anyway).
    One easy answer first: An endpoint does not send an alert that one of the components is about to be uninstalled (in theory it would be possible but ...). From SEC's POV the endpoint just disconnects (if it hasn't done so already) - therefore a computer also wouldn't disappear.
    Another easy one: email whenever a computer is added is (can be) sent (but only) for those added by AD sync.

    moved
    If moved by a console user then the action (like a number of others) can be recorded with the console's Auditing feature (although it does not provide a real-time alert). Can't say if auditing also includes events not initiated by a console user - doesn't look like from the screenshots.

    Christian
