I have just upgraded our Sophos Central Endpoint Standard licenses to Advanced. I can now use the security heartbeat feature of our XG 230. Yey!
However... After adding the LAN zone to be monitored suddenly half of my Windows clients reported a RED status.
On Sophos Central these PCs are showing as green, no problems. Where can I find the reason for the RED heartbeat, so I can investigate?
How did you know that your Windows machines' heartbeat turned red? In the XG dashboard?
I suppose that reasons for red heartbeat are indicated already once you click the status on the dashboard.
Is this recurring until now? please attach screenshots if yes.
In reply to Raphael:
Here is a screenshot, you can't click on the endpoints there is nothing to click. There is no explanation either in XG or Central as to why these endpoints are red.
In reply to Ben Newall:
check Sophos Central Logs (if there are any) and check even XG from advanced shell:
tail -f /log/heartbeatd.log
Also check if debugging is possible on the heartbeat service using the command:
service hearbeat:debug -dsnosync
Let us know.
In reply to lferrara:
Thanks for posting Luk
Does this help at all?
Make sure to create a top firewall rule where these domains are allowed:
Below are the FQDNs if you need to create a rule
Forgive me, but if this was a firewall rule problem, wouldn't all my PCs show as red? As it stands, half of my PCs are green.
I too have run into this issue numerous times, especially going from Standard to Advanced. We have worked with Sophos support and identified an issue with the events.db file. We have been able to fix this in 2 ways (YMMV):
To delete the events.db file, do the following:
In reply to axsom1:
Thanks Axsom1 that did the trick!
I had to do it slightly differently from how you have listed. There was no need to reinstall, but the following worked:
1. Disable tamper protection locally using TP password (turning it off via Central didn't do anything)
2. Stop heartbeat service in services.msc
3. End "Health.exe" in task manager (there is no option to stop this service in services.msc)
4. Rename C:\ProgramData\Sophos\Health\Event Store\Database\events.db
5. At this point there is no way to restart the Health service, so I rebooted.
Immediately the status of this PC turned green on the XG console!
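The same five steps as an elevated PowerShell script, added here as an example and not code from the thread or from Sophos. It assumes step 1 (disabling tamper protection locally) has already been done, and the heartbeat service name is a parameter because the thread only refers to the entry shown in services.msc.

```powershell
# Added example: automates steps 2-5 of the fix described in the thread above.
# ASSUMPTIONS: run from an elevated PowerShell session after tamper protection
# has been disabled locally; $HeartbeatService must match the name in services.msc.
param(
    [string]$HeartbeatService = 'Sophos Heartbeat',   # assumption, adjust to your services.msc entry
    [string]$EventsDb = 'C:\ProgramData\Sophos\Health\Event Store\Database\events.db'
)

$ErrorActionPreference = 'Stop'

# Step 2: stop the heartbeat service if it exists and is running
$svc = Get-Service -Name $HeartbeatService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$HeartbeatService' not found; check the name in services.msc"
} elseif ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $HeartbeatService -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# Step 3: Health.exe has no services.msc entry, so end the process directly
Get-Process -Name 'Health' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 4: rename events.db instead of deleting it, keeping a timestamped copy
# so the old store is still available if support wants to examine it
if (Test-Path -LiteralPath $EventsDb) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "events.db.$stamp.bak"
    Rename-Item -LiteralPath $EventsDb -NewName $backup
    Write-Host "Renamed events.db to $backup"
} else {
    Write-Warning "events.db not found at $EventsDb"
}

# Step 5: the poster found no way to restart the Health service, so reboot;
# -Confirm prompts before the restart actually happens
Restart-Computer -Confirm
```

Re-enable tamper protection once the endpoint shows green again on the XG console.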