Dear community
I've been struggling with the fact that if an incident happened on a VM protected by an SSVM, there was no information in Sophos Central about which VM the incident really happened on. Sophos Central reports the incident as having happened on the corresponding SSVM. If this SSVM covers, for example, 30 virtual machines, you have no additional information about which of those 30 VMs the incident really happened on.
Now, after some investigating, here is the solution:
To find out on which machine the incident really happened, you need to go to the console of the corresponding SSVM. The relevant information is in the file sophosmgmtd.log:
sophos@ssvm-02:/$ sudo grep -F 'Administrator\Desktop\' /opt/sophos-av/log/sophosav/sophosmgmtd.log
2017-04-03 09:34:08,680 INFO sophosmgmtd.adapters.AVAdapter: Reporting threat EICAR-AV-Test detected at server01 (x.x.x.x)/C:\Users\Administrator\Desktop\test.bat (canCleanup=True, rebootRequired=False, finalResult=6, action=116) with <?xml version="1.0" encoding="utf-8"?><notification description="Found 'EICAR-AV-Test' in "server01 (x.x.x.x)/C:\Users\Administrator\Desktop\test.bat"" timestamp="20170403 093408" type="sophos.mgt.msg.event.threat" xmlns="www.sophos.com/.../Event"><user domain="local" userId="root"/><threat id="Te96e4035bd296eb868ce3c32dcb467e3" idSource="Tmd5(dis,vName,path)" name="EICAR-AV-Test" scanType="201" status="300" type="1"><item file="C:\Users\Administrator\Desktop\test.bat" path="server01 (x.x.x.x)/"/>
<action action="116"/></threat></notification>
Does anybody perhaps know whether there is a more convenient way to find out on which VM an incident happened?
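As an added example (not part of the original post, and not Sophos code), the following Python script parses the "Reporting threat ... detected at <host> (<ip>)/<path>" lines from sophosmgmtd.log and groups detections by guest VM, so you do not have to grep for a file path by hand. It assumes the line layout matches the sample above; the hostnames, IP addresses and paths in the embedded sample log are constructed for the example.

```python
import re

# Constructed sample log excerpt in the layout shown in the post. Hostnames,
# IPs and paths are made up; only the first line mirrors the real entry.
# The XML notification that follows "with" is truncated here because the
# parser only needs the prefix.
SAMPLE_LOG = r"""
2017-04-03 09:34:08,680 INFO sophosmgmtd.adapters.AVAdapter: Reporting threat EICAR-AV-Test detected at server01 (192.0.2.11)/C:\Users\Administrator\Desktop\test.bat (canCleanup=True, rebootRequired=False, finalResult=6, action=116) with <?xml version="1.0" encoding="utf-8"?><notification ...
2017-04-03 10:12:41,003 INFO sophosmgmtd.adapters.AVAdapter: Reporting threat EICAR-AV-Test detected at server02 (192.0.2.12)/C:\Temp\eicar (1).com (canCleanup=True, rebootRequired=False, finalResult=6, action=116) with <?xml version="1.0" encoding="utf-8"?><notification ...
2017-04-03 10:13:02,554 INFO sophosmgmtd.adapters.AVAdapter: Some unrelated message
2017-04-03 11:02:19,117 INFO sophosmgmtd.adapters.AVAdapter: Reporting threat EICAR-AV-Test detected at server01 (192.0.2.11)/D:\share\drop\eicar.com (canCleanup=True, rebootRequired=False, finalResult=6, action=116) with <?xml version="1.0" encoding="utf-8"?><notification ...
"""

# Prefix of a threat report line. The guest path follows "<host> (<ip>)/" and
# runs up to the " (canCleanup=" parenthesis, so a non-greedy match keeps
# parentheses inside file names (e.g. "eicar (1).com") in the path.
THREAT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ INFO "
    r"sophosmgmtd\.adapters\.AVAdapter: Reporting threat (?P<threat>.+?) "
    r"detected at (?P<host>[^()]+?) \((?P<ip>[^)]+)\)/(?P<path>.+?) "
    r"\(canCleanup=(?P<can_cleanup>\w+), rebootRequired=(?P<reboot>\w+), "
    r"finalResult=(?P<result>\d+), action=(?P<action>\d+)\)"
)


def parse_threat_line(line):
    """Return a dict for a threat report line, or None for any other line."""
    m = THREAT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["can_cleanup"] = event["can_cleanup"] == "True"
    event["reboot"] = event["reboot"] == "True"
    event["result"] = int(event["result"])
    event["action"] = int(event["action"])
    return event


def parse_log(text):
    """Parse every threat report line in a log excerpt, skipping the rest."""
    events = (parse_threat_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def detections_by_vm(events):
    """Group parsed events by guest hostname (the VM the SSVM protects)."""
    by_vm = {}
    for e in events:
        by_vm.setdefault(e["host"], []).append(e)
    return by_vm


def find_vm_for_file(events, filename):
    """The grep from the post as a function: which VM(s) reported this file?"""
    needle = filename.lower()
    return [e for e in events if e["path"].lower().endswith(needle)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for host, evs in detections_by_vm(events).items():
        print(f"{host} ({evs[0]['ip']}): {len(evs)} detection(s)")
        for e in evs:
            print(f"  {e['ts']}  {e['threat']}  {e['path']}")
```

On a real SSVM the same parser can be fed the output of `sudo cat /opt/sophos-av/log/sophosav/sophosmgmtd.log` instead of the constructed sample; the per-VM grouping gives the mapping that Sophos Central does not show.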