If you comb through the duplicates in your events (using the command I used to check for dupes in Splunk) you will see quite a few events are duplicated at least 11 times (at least in my case). This massive number of duplicates spamming the logs, coupled with the 1000 Event limit per API retrieval, means that it is almost certain that you will fall behind in getting your newest events. I am still waiting on Sophos Support to get this resolved. I would encourage you to put in your own ticket to encourage Sophos to get this resolved.

Hey @ehoward ,
I ran the first search and the count column was 296 but not sure what that means?
Running your second search finds 12 events per hour which would be one per scheduled API call. they are all errorCode=500.

What wording did you send to Sophos? Just that duplicate events are being retrieved from their API?
Cheers

The subject header in my Ticket with Sophos is "Customer is reporting API integration with Sophos central event logging is returning multiple instances of web events."

It turns out this was not just happening with Web Events, its just that Web Events are the most numerous among the dupes.

The first search means have had 296 events that were duplicated at least once in the logs.

In my case I had event that were being duplicate over 11 times. Since the API retrieval limit is 1000 my logs can never get caught up because so many of the 1000 events retrieved are dupes.

I am still trying to get Sophos to make resoltion of this issue a priority. I would encourage you and any other Sophos customers to contact them and make your voice heard.

Now for some reason it has resolved itself and updates every 5 minutes as expected.
Only thing is, that is the sophos_events.py script that's running.
sophos_alerts.py is not running at all.

Nick, Sophos has received my trouble report and replicated my issue using my API key and the reference Python script they publish for downloading events. Definitely a problem on the Sophos Cloud side of things.