Sophos enterprise console managed clients communication issues

Hello everyone.

I have a small issue with my SEC managed clients. The issue is that my clients don't report all the data to the SEC. For example, the client status (online or offline) shows on the SEC, and it also shows "same as policy" on the SEC. Things that don't show on the SEC are DLP events, web events, device control events, etc. The ports are also opened (8192 and 8194). All the communication is going through a VPN and a hardware firewall. The client network report also doesn't show any issues.

Hope this clarifies my problem.

Thanks in advance.



  • Hello Asankag,

    "online or offline"
    or rather Connected and Disconnected. The Connected status is shown when the endpoint's RMS establishes a connection with the management server. The status is changed to Disconnected when the connection is orderly shut down from the endpoint's side. This is the case when the Sophos Message Router service is stopped. The status remains Connected when the service crashes or the physical path is disrupted (e.g. network cable unplugged).
    "doesn't show events"
    An endpoint can be Connected but fail (for whatever reason) to send its status or Alerts and Events. If it does send its status it should send Events as well. Same as policy is only significant if it recently showed some other status. Up to date would be the more or less conclusive (as you can expect new updates every few hours) value under the Status tab, and the Last message time under the Computer Details tab is updated when the endpoint actually sends one of the mentioned messages.

    How did you find out that they don't report all the data, is it indeed not all or no data at all?

    Christian

  • Hi Christian.

    Thanks for the reply. We have deployed a DLP policy to these client PCs and it's working as expected. Documents that are transferred to external devices are getting blocked, and it's getting logged in the client DLP log as well. But on the SEC under DLP events nothing shows. What is the best way to confirm that SEC and client communication works fine, other than telnet to the ports (because I have already done that; yet I suspect that something is wrong with the client-server communication)? Will I be able to check it with "wireshark"?

    Regards and many thanks.

  • Hello Asankag,

    "under DLP event"
    you mean Events > Data Control Events ..., right? And it's empty regardless of the Search period you select? Also when you select an endpoint and View Computer Details there are no entries under Latest data control events? Your policy is set to unconditionally block transfers?

    Christian

  • Dear Christian,

    Thanks for the reply and yes, you are 100% correct. No event data at all, except in the DLP log file on the client PC. This is how my policy is set: check whether the documents contain the word "PASSWORD" and, if they are transferred to external devices, block them. The policy is working fine and it's working as expected (except for it reporting to the console :) ).

    Regards

  • Hello Asankag,

    apart from being logged in the Data Control log the event should cause the following:

    • an entry like SAV event observer received an event: [...] description="A "block transfer" action was taken. [...] appears in the Agent log (%ProgramData%\Sophos\Remote Management System\3\Agent\Logs\)
    • in the Router log (%ProgramData%\Sophos\Remote Management System\3\Router\Logs\) a corresponding message is logged
      Routing to parent: id=00112233, origin=Router$endpoint:12345.Agent, dest=EM, type=EM-EntityEvent
      Sent message (id=00112233) to Router$SEC-server

    If the Sent message line does not appear then the Router can't send the message to the management server for whatever reason. In that case there should be one or more .msg files in the ...\Router\Envelopes\ folder. The Router log should show communication issues, but the relevant entries could be "farther up". I'd normally restart the Message Router service (assuming the problem is "hard", this will result in the same errors being logged), but this might not be feasible in your situation (VPN).

    Christian
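As an added example (not from this thread and not Sophos code), a small Python script that applies the check above to a Router log: it pairs each "Routing to parent: id=..." line with its "Sent message (id=...)" line, reports ids that were routed but never sent, and counts the .msg envelopes waiting in a folder you pass in. The sample log lines are constructed from the two formats quoted above; real log lines carry timestamps in front, which the regexes ignore, and the Envelopes path is an assumption you supply.

```python
import re
from pathlib import Path

# A message routed toward the management server (dest=EM) ...
ROUTED_RE = re.compile(
    r"Routing to parent: id=(?P<id>\w+), origin=(?P<origin>[^,]+), "
    r"dest=(?P<dest>[^,]+), type=(?P<type>\S+)"
)
# ... and the line confirming the Router actually handed it to the parent.
SENT_RE = re.compile(r"Sent message \(id=(?P<id>\w+)\) to (?P<peer>\S+)")


def find_unsent(log_lines):
    """Return {id: type} for messages that were routed but have no 'Sent message' line."""
    routed = {}
    sent = set()
    for line in log_lines:
        m = ROUTED_RE.search(line)      # search(): leading timestamps don't matter
        if m:
            routed[m.group("id")] = m.group("type")
            continue
        m = SENT_RE.search(line)
        if m:
            sent.add(m.group("id"))
    return {mid: mtype for mid, mtype in routed.items() if mid not in sent}


def pending_envelopes(folder):
    """Count .msg files queued in the Router's Envelopes folder (0 if it does not exist)."""
    p = Path(folder)
    if not p.is_dir():
        return 0
    return sum(1 for f in p.iterdir() if f.suffix.lower() == ".msg")


# Constructed sample: the first event was sent, the second never was.
SAMPLE_LOG = """\
Routing to parent: id=00112233, origin=Router$endpoint:12345.Agent, dest=EM, type=EM-EntityEvent
Sent message (id=00112233) to Router$SEC-server
Routing to parent: id=00112234, origin=Router$endpoint:12345.Agent, dest=EM, type=EM-EntityEvent
""".splitlines()

if __name__ == "__main__":
    # Assumed path: replace with the real %ProgramData% Router\Envelopes folder.
    for mid, mtype in find_unsent(SAMPLE_LOG).items():
        print(f"never sent: id={mid} type={mtype}")
    print("queued envelopes:", pending_envelopes(r"C:\ProgramData\Sophos\Remote Management System\3\Router\Envelopes"))
```

A non-empty result from find_unsent together with queued envelopes points at the Router-to-server path (VPN/firewall) rather than at the DLP policy itself.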