Open gautaus opened 3 years ago
Hi @gautaus, do you have any events visible in Sophos Central in the 24 hours preceding your script run? If there are no events in that period, the script will fetch nothing. It would be good if you can indicate the command line parameters you are using, any logs output by the script as well as the state file (both suitably redacted), and examples of events you are seeing in Central but not in the script output.
Hi @rkamat,
We did a count on the Sophos central events over last 24 hours and got the following difference.
Events from script - 128 events
Events in CSV exported from Sophos Central - 376 events
Difference - 248 events
Cheers, Gautham
Hi @gautaus , can you pls let us know from which screen did we exported Events csv? Also did we check if missing 248 events were acknowledged/resolved
Hi @nandishdoshi-sophos , these events were exported from Sophos Central Dashboard. Does the script only pull acknowledged or resolved events?
I noticed the same issue of missing data. I can see the events on the host as well as on sophos-central dashboard but not in the events collected by this script.
next_cursor returns the timestamp of the latest event, but some events with a lower timestamp come to Sophos later. I've submitted the below PR to resolve the issue - https://github.com/sophos/Sophos-Central-SIEM-Integration/pull/69
Those who are facing the issue, please give the code change a try and provide your feedback.
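An added simulation of the cursor behaviour described in the comment above (this is not code from the Sophos script or from PR #69; the lookback-window-plus-dedup poller is an assumed fix for illustration, not necessarily what the PR implements): a cursor set to the highest timestamp seen drops an event that arrives later with a lower timestamp.

```python
"""Constructed feed: events become available to the API in batches, and
batch 2 contains "e3", whose timestamp is older than "e2" from batch 1."""

BATCHES = [
    [{"id": "e1", "when": 1000}, {"id": "e2", "when": 1100}],
    [{"id": "e3", "when": 1050}, {"id": "e4", "when": 1200}],  # e3 arrives late
]


def poll_naive(state, available):
    """Cursor = max timestamp seen so far; mirrors the reported bug."""
    new = [e for e in available if e["when"] > state["since"]]
    if new:
        state["since"] = max(e["when"] for e in new)
    return new


def poll_with_lookback(state, available, lookback=300):
    """Assumed fix: re-read a lookback window behind the cursor and
    de-duplicate by event id so late arrivals are still collected."""
    since = state["since"] - lookback
    new = [e for e in available
           if e["when"] > since and e["id"] not in state["seen"]]
    state["seen"].update(e["id"] for e in new)   # prune to the window in practice
    state["since"] = max([state["since"]] + [e["when"] for e in new])
    return new


def simulate(poller, **kw):
    """Run one poll per batch against the growing set of available events
    and return the ids collected, in collection order."""
    state = {"since": 0, "seen": set()}
    available, collected = [], []
    for batch in BATCHES:
        available.extend(batch)          # API now also serves this batch
        collected.extend(poller(state, available, **kw))
    return [e["id"] for e in collected]


def missing_ids(poller):
    """Ids present in the feed that the poller never returned."""
    all_ids = {e["id"] for batch in BATCHES for e in batch}
    return sorted(all_ids - set(simulate(poller)))


if __name__ == "__main__":
    print("naive:   ", simulate(poll_naive), "missing", missing_ids(poll_naive))
    print("lookback:", simulate(poll_with_lookback), "missing", missing_ids(poll_with_lookback))
```

Events that land later than the lookback window are still lost, so the window has to be sized to the observed ingestion delay, and the seen-id set should be pruned to that window rather than kept forever.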
Hi,
Lately, we have been noticing Sophos Central events being lost (not pulled) by v1 of the integration script. I guess it has something to do with the state file not being read properly by the script. We have deployed v2 of the script too and have seen similar reports. Is anyone else facing similar issues?
Cheers, Gautham