Security Heartbeat: Understanding

 Hi

I have just upgraded our Sophos Central Endpoint Standard licenses to Advanced. I can now use the Security Heartbeat feature of our XG 230. Yay!

However... After adding the LAN zone to be monitored suddenly half of my Windows clients reported a RED status.

On Sophos Central these PCs are showing as green, no problems. Where can I find the reason for the RED heartbeat, so I can investigate?

Thanks

  • Hi Ben,

    How did you know that your Windows machines' heartbeat turned red? In the XG dashboard?

    I suppose that the reasons for a red heartbeat are already indicated once you click the status on the dashboard.

    Is this still recurring? Please attach screenshots if yes.

    Regards,

    Rap

  • In reply to Raphael:

    XLR8

    Here is a screenshot. You can't click on the endpoints; there is nothing to click. There is no explanation either in XG or Central as to why these endpoints are red.

  • In reply to Ben Newall:

    Ben,

    Check the Sophos Central logs (if there are any) and also check XG from the advanced shell:

    tail -f /log/heartbeatd.log

    Also check if debugging is possible on the heartbeat service using the command:

    service heartbeat:debug -dsnosync

    Let us know.

    Thanks

  • In reply to lferrara:

    Thanks for posting Luk

    Does this help at all?

  • In reply to Ben Newall:

    Ben,

    Make sure to create a top firewall rule where these domains are allowed.

    Below are the FQDNs if you need to create a rule:

    sophos.com
    mojave.net
    sophosupd.com
    sophosupd.net
    sophosxl.net
    dci.sophosupd.com

    Have a look at this kb:
    Regards
  • In reply to lferrara:

    Luk

    Forgive me, but if this was a firewall rule problem, wouldn't all my PCs show as red? As it stands, half of my PCs are green.

  • In reply to Ben Newall:

    Hi Ben,

    I too have run into this issue numerous times, especially going from Standard to Advanced. We have worked with Sophos support and identified an issue with the events.db file. We have been able to fix this in 2 ways (YMMV):

    1. Remove and reinstall the client.
    2. Delete the events.db file.

    To delete the events.db file, do the following:

    1. Disable tamper protection.
    2. Navigate to C:\ProgramData\Sophos\Health\Event Store\Database\ and delete/rename events.db.
    3. Restart the Sophos Health Service and Heartbeat Service.

    Thanks,

    John

  • In reply to axsom1:

    Thanks Axsom1 that did the trick!

    I had to do it slightly differently from how you listed it. There was no need to reinstall, but the following worked:

    1. Disable tamper protection locally using the TP password (turning it off via Central didn't do anything)

    2. Stop the Heartbeat service in services.msc

    3. End "Health.exe" in Task Manager (there is no option to stop this service in services.msc)

    4. Rename C:\ProgramData\Sophos\Health\Event Store\Database\events.db

    5. At this point there is no way to restart the Health service, so I rebooted.

    Immediately the Status of this PC turned green on the XG console!

    Cheers
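The event-store reset that John and Ben describe above, as an added PowerShell example that is not from the thread or from Sophos: it stops the services, ends Health.exe, renames events.db to a timestamped backup, and reboots. The service display-name patterns ("*Heartbeat*", "*Sophos Health*") and the process name "Health" are assumptions based on the thread, not confirmed service identifiers; the script refuses to continue if the rename fails, which is the usual sign that tamper protection is still enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): reset the Sophos Health event store
# using the steps the replies above describe. Tamper protection must already
# be disabled locally with the TP password before running this.
param(
    [switch]$Reboot   # pass -Reboot to restart automatically at the end
)

$dbPath = 'C:\ProgramData\Sophos\Health\Event Store\Database\events.db'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$dbPath.$stamp.bak"

# Assumed display-name patterns for the two services named in the thread.
$svcPatterns = @('*Heartbeat*', '*Sophos Health*')

if (-not (Test-Path -LiteralPath $dbPath)) {
    Write-Host "events.db not found at $dbPath; nothing to reset."
    return
}

# Stop the Heartbeat and Health services where the SCM allows it.
$services = foreach ($p in $svcPatterns) {
    Get-Service | Where-Object { $_.DisplayName -like $p }
}
foreach ($svc in $services) {
    if ($svc.Status -eq 'Running') {
        Write-Host "Stopping service: $($svc.DisplayName)"
        try {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        } catch {
            # The thread notes the Health service has no stop control; fall through to ending the process.
            Write-Warning "Could not stop $($svc.DisplayName): $_"
        }
    }
}

# Health.exe cannot be stopped from services.msc, so end the process as Ben did.
Get-Process -Name 'Health' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Ending Health.exe (PID $($_.Id))"
    Stop-Process -Id $_.Id -Force
}
Start-Sleep -Seconds 2

# Rename rather than delete, so the old store can be handed to support if needed.
try {
    Rename-Item -LiteralPath $dbPath -NewName (Split-Path $backup -Leaf) -ErrorAction Stop
    Write-Host "Renamed events.db to $backup"
} catch {
    Write-Error "Rename failed: $_. Tamper protection is probably still enabled; disable it locally and retry."
    return
}

# The Health service could not be restarted by hand in the thread, so a reboot is the reliable finish.
if ($Reboot) {
    Write-Host 'Rebooting so the Health and Heartbeat services recreate events.db...'
    Restart-Computer -Force
} else {
    Write-Host 'Done. Reboot the machine to let the services recreate events.db, then check the XG heartbeat status.'
}
```

Run it from an elevated PowerShell prompt after disabling tamper protection locally; without -Reboot it stops after the rename so the backup can be collected first.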