Is there a way to check the Sophos Central server registration stats from the Linux command line?

I'm trying to troubleshoot some issues I've seen with some AWS servers with auto-scaling groups where some images do not show up in Sophos Central. The way it was originally set up was to uninstall and re-install SAV when the auto-scaled instance boots up. I found the KB article for creating a gold image (https://community.sophos.com/kb/en-us/133268) and so, as a process of creating the AMI, I'll run the de-register command. I'd like to set up a script which can be deployed to all of these servers to check whether they are registered with Sophos Central. I've checked the SDU and registerMCS command help output but it didn't look like there were any options just to check whether it's registered.

  • Hi Robert,

     The best and only way I found where this can be possible is to check data for MCSID of the Linux server in the file /opt/sophos-av/etc/sophosav/mcs.config.  Here's an example output:

    [root@CentOS sophos-av]# cat /opt/sophos-av/etc/sophosav/mcs.config
    MCSPassword=-----------
    MCSID=a4e6eb0d-ee65-b4fb-2a13-59fdf68a0e3e
    MCS_saved_token=695ab----------------01e2
    current_relay_id=None

    [root@CentOS engine]# ./register-sophos-cloud --deregister
    Stopping running sav-rms service
    Stopping Sophos Management Agent: [ OK ]
    Deregistering from Sophos Central


    [root@CentOS engine]# cat /opt/sophos-av/etc/sophosav/mcs.config
    MCSPassword=
    MCSID=reregister
    MCS_saved_token=695ab----------------01e2
    current_relay_id=None

     

    The MCSID is the identifier of the machine as shown in the screenshot below.  No machines should have the same identifier and if the identifier is in reregister, it will attempt to generate one on next restart.

  • In reply to SJaramillo:

    Thanks for the response. I have seen the MCSID but I'm not sure of any way to write a script which can easily check the status that way. The summary page doesn't clearly give any status in the source that I can see. I can see some pages that get loaded which return a 404 if I put in an incorrect MCSID, but they return a 401 if you try to access them directly.

  • In reply to Robert Eves:

    Hi Robert,

    You can create a script that runs the below commands and checks if there is a result:

    cat /opt/sophos-av/etc/sophosav/mcs.config | grep MCSID=reregister

    cat /opt/sophos-av/etc/sophosav/mcs.config | grep MCSID={LinuxGoldImageMCSID}

    If there's no result from the above command then the machines have successfully registered to Sophos Central.  If any machines other than the Linux gold image give back a result then there is an issue with its re-registration.

  • In reply to SJaramillo:

    The problem was that there were some autoscaled AWS instances showing up in Sophos Central which later disappeared. I'm not sure what the MCSID was at the time, or if it was even there. At the time also, the startup scripts for the autoscaled instances were uninstalling and re-installing Sophos on the server. This may have caused some issues with the timing when the installed client tried to start up. Perhaps de-registering the gold image will resolve that issue as well.

    I suppose I'll use what you suggest for verifying registration and see what the MCSID file looks like if I notice another server disappear. Thanks for your help!

  • In reply to SJaramillo:

    I went back and checked the SDU file for a server on which this happened. The MCSID was populated. We have another server which is not an auto-scaled instance now having the same problem. This was after support was looking into a different issue, though, so it may not be the same root cause as the first issue. It would be nice to have a way of detecting this.

  • In reply to Robert Eves:

    Hi Robert,

    Is the issue that you have Linux servers disappearing in Sophos Central yet also have their MCSID populated?  If you copy and paste this MCSID into Central does this direct you to another Linux server?  If so can you check this server to see if they have identical MCSIDs?

  • In reply to SJaramillo:

    We're actually seeing the issue where MCSID is populated, but pasting it into the URL redirects to another server.
    What's the best way forward for this issue? Will we need to deregister and restart to resolve?

  • In reply to Richard Gallon:

    Hi Richard,

    That usually happens when a machine is cloned with Sophos Anti-virus already on the machine.  Sophos Anti-virus creates an MCSID upon installation and will share the same ID if not re-registered.  The MCSID is generated based on the name of the computer at the time of registration.

    To re-register your Linux server so it gets a new MCSID, simply run the migration command line provided in Sophos Central on the machine.  I've attached a screenshot of where you can find this.

     

    Sophos Central Admin > Server Protection > Protect Devices > Show command line
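
Added example, not part of any post in this thread and not Sophos code: a POSIX shell version of the `mcs.config` check suggested above, extended to flag the shared-MCSID case discussed in the later replies. The config path and the `reregister` value come from the thread; the function names, exit codes, and the "hostname mcsid" inventory format are assumptions. It reads only local state, so a populated MCSID does not prove the server is visible in Sophos Central.

```shell
#!/bin/sh
# Added example: classify local Sophos Central registration state from mcs.config.
# Only the MCSID line is read; MCSPassword and MCS_saved_token are never printed.

MCS_CONFIG_DEFAULT=/opt/sophos-av/etc/sophosav/mcs.config   # path from the thread

# mcs_status [config_path] [gold_image_mcsid]   (hypothetical helper)
# Prints one word and returns: 0 populated, 1 pending/unregistered,
# 2 same ID as the gold image, 3 config missing or unreadable.
mcs_status() {
    cfg=${1:-$MCS_CONFIG_DEFAULT}
    gold=${2:-}
    if [ ! -r "$cfg" ]; then
        echo "no-config"; return 3
    fi
    # Take the last MCSID= line and strip the key and any stray CR.
    id=$(sed -n 's/^MCSID=//p' "$cfg" | tail -n 1 | tr -d '\r')
    case $id in
        ''|reregister) echo "pending"; return 1 ;;
    esac
    if [ -n "$gold" ] && [ "$id" = "$gold" ]; then
        echo "gold-clone"; return 2
    fi
    echo "populated"; return 0
}

# duplicate_mcsids   (hypothetical helper)
# stdin: "hostname mcsid" per line, collected from the fleet by whatever
# tooling is already in place. Prints each MCSID reported by more than
# one host, followed by those hosts: the cloned-machine symptom.
duplicate_mcsids() {
    awk 'NF >= 2 { n[$2]++; h[$2] = h[$2] " " $1 }
         END { for (id in n) if (n[id] > 1) print id ":" h[id] }' | sort
}
```

Run `mcs_status` from a boot-time or monitoring job and alert on any non-zero exit; feed the collected IDs to `duplicate_mcsids` centrally to find instances that need re-registration.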