Server Event Logs and Lockdown Logs


I'm using Sophos Central on premises, just FYI. I have a question regarding Server Protection information: Where is it all? There's a wealth of reports and logs for all the Sophos Endpoints but the Server reports and logs seem lacking in comparison. To make matters worse, the Server Protection logs don't seem able to separate servers from the endpoint devices/users.

I'm testing server lock-down in preparation to use on other servers. Having locked the server, I cannot find a single line of info anywhere on the actual lock-down event eg. when it started and finished and any details as to the process. The event log for the server doesn't even register the lock-down! The lock-down events in Sophos Central only displays 24hrs. I tried looking through the actual log files found in ProgramData\Sophos, maybe I just missed it? Can anyone point me to more info? 


  • Hi  

    Reports of Security features in Sophos central server can be found under logs and reports tab. For more information on reports, kindly refer to this link. Furthermore, for server lockdown events,it will be generated at a random time within the next 24 hour period. For more details about lockdown events please check following link. 

  • In reply to Shweta:

    While I appreciate both the time/effort taken to reply and the need to create pointers to the documentation for the software, your reply failed to address my questions in any meaningful way. The documentation for the software does not contain answers to my questions, hence why I've gone to the effort to post on the community forum. I'm happy to acknowledge there's always the chance I've some how missed the answer so I followed the links and re-examined the documentation. No answers to my specific questions there.

    I've spent 3 weeks or so now researching and combing through available documentation, forums and anything I could dig up regarding the relevant Sophos products and the overall lack of specific detail has been frustrating. I find myself repeating the loop you've just created through your reply ie. finding a relevant question with a reply that refers to the documentation which has general information but does not actually answer the specific question. I'd certainly appreciate a more straight answer like "There are no logs available for the actual server lockdown event itself" or "because of the nature of a cloud based solution, there is a limit to the information we can provide about your systems that are using our product". Anything that actually acknowledges the questions I asked would go over better then the generic response provided. 

  • In reply to Kramarite:

    Hi Kramarite,

    You start by asking where all of the info for Server is; are you able to give any examples? The core components are the same between Endpoint and Server, and so are the logs and reports. Some of the reports are combined, e.g. Events, but you can filter by Server/Computer groups if you use these

    Of the Server specific features, if is true that Server Lockdown does behave differently, events must be requested in order to view them in Sophos Central; these events show the last 24 hours;

    You can view the Server list page to see which Servers are Locked/Unlocked or in the process of being Locked Down. On a device itself, the logs for Lockdown will be in C:\ProgramData\Sophos\SLD with the install info in the Autoupdate logs

    Please let me know if you would like more information on anything specific.



  • In reply to StephenMcKay:

    Thank you for your reply. The location for the server lockdown logs is very much appreciated and for the most part, what I have been searching for.

    As for the logs and reports available in Sophos Central, I'm slowly getting used to them. The design of these various products sometimes runs counter intuitively to my own expectations/assumptions around design, causing occasional confusion.