Safestore.log and Clean.log very large - multiple GB

Hi all,

I have a problem with a Windows Server 2016 machine whose C: drive is being filled by Sophos Server Protection. The Endpoint version is the latest and updates are running fine.

The problem is that Safestore.log and Clean.log are very large and still growing; 17.8 GB and 12.5 GB respectively.

In Sophos documentation it says this (also for Clean.log) but obviously the rotation and size limit do not work on this machine for some reason.

SophosCleanup.log (Only applicable to Windows 10 (x64) and later and Windows Server 2016 and later)
Location: C:\ProgramData\Sophos\Clean\Logs
Description: Contains cleanup actions, Safestore verification, and command process flow logging. The log size limit is compressed to 10MB and there are five log rotations.

Can anyone please tell me how to shrink the files and get things back to normal? Thank you very much.

BR,
Daniel

    • Did you open a Support Case for this situation? 


      • No, not yet.

        • I have now managed to get the .log files recreated. I disabled tamper protection, stopped the Sophos Health Service and renamed both files to .log.old. Now both have been recreated and seem to grow only to reasonable sizes. So far so good... The thing now is that I am unable to delete both files: although I am a local administrator, I can neither delete nor take ownership of the files. Trying to run cmd.exe as SYSTEM with psexec did not help either. How can I get rid of the files to free up the disk space? Yes, you are right, this is not really a Sophos-related question, well, as long as Sophos does not set some kind of hidden permissions that keep me from deleting the files.

        • Clean.log became SophosCleanup.log under C:\ProgramData\Sophos\Clean\Logs\.

          Safestore.log became SophosSafestore.log under C:\ProgramData\Sophos\Safestore\Logs\.

          Clean.log and Safestore.log are no longer used so you can delete them. The LastWriteTime for them will be old.

          There was a bug that caused them to grow, I guess you must have hit that a while back and the logs have just sat there since.

          You will need to turn off tamper to delete them or you could delete them via Live Response if you have that feature.

          • Hi, thank you very much. Disabling tamper protection allowed me to delete the files. However, I cannot confirm that the files have different names now. The new files are still named Clean.log and SafeStore.log. The LastWriteTime was not old. See my comment further above. Anyway, the issue is resolved. Thank you.
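
A read-only check for the situation discussed in this thread, added here as an example (it is not from any poster and is not Sophos tooling). It lists the logs in the two directories named above with their size and LastWriteTime, so you can see which files exceed the documented 10MB limit and which are still being written before you decide what to delete. The directories and file names come from the thread; the `$StaleDays` value and the parameter names are assumptions.

```powershell
# Added example: inventory Sophos Clean/Safestore logs without modifying anything.
# Directories and file names are taken from the thread; thresholds are assumptions.
param(
    [string[]]$LogDirs = @(
        'C:\ProgramData\Sophos\Clean\Logs',
        'C:\ProgramData\Sophos\Safestore\Logs'
    ),
    [long]$MaxBytes  = 10MB,   # per-log size limit quoted from the documentation
    [int]$StaleDays  = 30      # assumption: untouched this long means no longer written
)

# Names the thread describes as superseded by SophosCleanup.log / SophosSafestore.log.
$legacyNames = @('Clean.log', 'Safestore.log')
$now = Get-Date

$report = foreach ($dir in $LogDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Directory not found: $dir"
        continue
    }
    # '*.log*' also picks up rotated or renamed copies such as Clean.log.old.
    Get-ChildItem -LiteralPath $dir -File -Filter '*.log*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ageDays = [math]::Round(($now - $_.LastWriteTime).TotalDays, 1)
            [pscustomobject]@{
                Path       = $_.FullName
                SizeMB     = [math]::Round($_.Length / 1MB, 1)
                LastWrite  = $_.LastWriteTime
                AgeDays    = $ageDays
                OverLimit  = $_.Length -gt $MaxBytes          # rotation not keeping up
                Stale      = $ageDays -ge $StaleDays          # candidate leftover file
                LegacyName = $legacyNames -contains $_.Name   # case-insensitive match
            }
        }
}

$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent alert on runaway logs.
if ($report | Where-Object OverLimit) { exit 1 } else { exit 0 }
```

A file flagged `OverLimit` with a recent `LastWrite` is still growing, which matches the original poster's case; one flagged `OverLimit` and `Stale` matches the leftover-file case described in the reply.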