What is that strange event message about?
Note the "." behind Details:
I guess it had something to do with the Heartbeat issue we've had after upgrading the Firewall to 18.5.2, but I've never seen that message before.
The machine had Heartbeat since 09:57:17.896Z / 10:57:17 local time - the time the update succeeded.
[2022-01-11 09:50:45.809Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:51:45.882Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:52:00.924Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:52:15.961Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:52:30.994Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:52:46.031Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:53:01.070Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:53:16.109Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:53:31.155Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:53:46.190Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:54:01.244Z] INFO HBSession.cpp[26955]:504 logNewSession - New Session: [172.16.xxx.xxx]:29653 connected
[2022-01-11 09:54:01.393Z] INFO ModuleSacFirst.cpp[26955]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=172.16.xxx.xxx)
[2022-01-11 09:54:01.396Z] INFO EpStateListBroker.cpp[26955]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: 70f913c3-xxxxx-xxxx-9f45-xxxxxxxxxxxxx(172.16.xxx.xxx)
[2022-01-11 09:54:02.654Z] INFO ModuleStatus.cpp[26955]:137 processMessageStatus - Status request received from endpoint: 70f913c3-xxxxx-xxxx-9f45-xxxxxxxxxxxxx (172.16.xxx.xxx) health: 1
[2022-01-11 09:57:08.164Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.xxx.xxx failed. SSL error:
[2022-01-11 09:57:10.375Z] INFO HBSession.cpp[26955]:504 logNewSession - New Session: [172.16.xxx.xxx]:56789 connected
[2022-01-11 09:57:10.425Z] INFO ModuleSacFirst.cpp[26955]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=172.16.xxx.xxx)
[2022-01-11 09:57:10.428Z] INFO EpStateListBroker.cpp[26955]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: 70f913c3-xxxxx-xxxx-9f45-xxxxxxxxxxxxx(172.16.xxx.xxx)
[2022-01-11 09:57:17.896Z] INFO ModuleStatus.cpp[26955]:137 processMessageStatus - Status request received from endpoint: 70f913c3-xxxxx-xxxx-9f45-xxxxxxxxxxxxx (172.16.xxx.xxx) health: 1
Hi LHerzog,
Thanks for reaching out to us and sharing your logs.
The informational events generated are due to updating failures on the affected device. I can see a number of errors similar to "2022-01-11T09:32:01.493Z [14852:10492] E No reachable update locations" leading up to the time at which the update proceeded successfully.
I suspect the network connectivity may have also played a part in things. The endpoint cached the recent update failures and reported them up to Sophos Central in a short time span which is why we see a few events with the same timestamp.
Originally I was confused by the error, but searching this in our knowledge base returned the following KBA (although a bit older) which leads me to believe this is related to updating.
- Sophos Endpoint Security and Control: There was a problem while establishing a connection to the server
I don't believe the contents of the KBA above will be relevant to the issue encountered as I was not able to find any event ID 1329 in the logs shared, however, the issue does appear to be related to updating.
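An added example, not part of the original thread and not Sophos code: a small parser for heartbeat log lines in the format quoted in the question. It groups failed connections per endpoint until the next "New Session" line and records the SSL error text, including the empty one logged at 09:57:08. The sample lines, the IP address 172.16.0.10, and all function and field names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the heartbeat log quoted in the question.
SAMPLE = """\
[2022-01-11 09:53:31.155Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.0.10 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:53:46.190Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.0.10 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
[2022-01-11 09:54:01.244Z] INFO HBSession.cpp[26955]:504 logNewSession - New Session: [172.16.0.10]:29653 connected
[2022-01-11 09:57:08.164Z] WARN HBSession.cpp[26955]:344 bufferDisconnectEvent - Incoming connection from 172.16.0.10 failed. SSL error:
[2022-01-11 09:57:10.375Z] INFO HBSession.cpp[26955]:504 logNewSession - New Session: [172.16.0.10]:56789 connected
"""

# [timestampZ] LEVEL source.cpp[pid]:line function - message
LINE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:.]+)Z\] (?P<lvl>\w+) (?P<src>\S+) (?P<fn>\w+) - (?P<msg>.*)$")
FAIL = re.compile(r"Incoming connection from (?P<ip>\S+) failed\. SSL error:\s*(?P<err>.*)$")
OK = re.compile(r"New Session: \[(?P<ip>[^\]]+)\]:\d+ connected")


def failure_runs(text):
    """Return one dict per run of failed connections that ends in a new session."""
    runs, open_runs = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        fail, ok = FAIL.search(m["msg"]), OK.search(m["msg"])
        if fail:
            run = open_runs.setdefault(
                fail["ip"], {"ip": fail["ip"], "first": ts, "count": 0, "errors": set()})
            run["count"] += 1
            # An empty detail after "SSL error:" is kept visible rather than dropped.
            run["errors"].add(fail["err"].strip() or "<empty>")
        elif ok and ok["ip"] in open_runs:
            run = open_runs.pop(ok["ip"])
            run["recovered"] = ts
            run["outage_s"] = (ts - run["first"]).total_seconds()
            runs.append(run)
    return runs


if __name__ == "__main__":
    for r in failure_runs(SAMPLE):
        print(r["ip"], r["count"], sorted(r["errors"]), f'{r["outage_s"]:.3f}s')
```

Runs that never reach a "New Session" line stay unreported, so an endpoint that is still failing at the end of the file needs a separate check.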