Re: Sophos Central 1.05 Are there different setup...

ewelch_splunk · ‎11-21-2017

We've configured Sophos Central v 1.05 on our dev server and everything works correctly. When we move the same configuration to our production distributed architecture, it fails. We see multiple errors "ERROR ExecProcessor - message from "phython /opt/splunk/etc/apps/sophos_central/bin/sophos_events.ph", and nothing ever hits the firewall. I've seen other questions posted about errors with sophos_events.py and we've verified that those are not our problem. Any Ideas?

nickhills · ‎11-23-2017

When you say to have moved it to a distributed architecture, what do you mean?

You would want to run the app with a configured account on a single machine like a heavy forwarder, or maybe on your search head.
Be sure to only configure 1 server to perform the collection, lest bad things (like duplication) may happen.

If your installing on multiple servers, it will nag you on each to run the setup - to bypass this add "is_configured = true" in the local/app.conf .

Maybe i'll add that option in 1.0.6

If my comment helps, please give it a thumbs up!

Sophos Central 1.05 Are there different setup considerations between running on a single server vs. distributed environment.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!