Sophos Protection for Linux troubleshooting
This page details how to troubleshoot common errors in Sophos Protection for Linux (SPL).
Note
You can use the Sophos Diagnostic Utility (SDU) to gain additional insight into events when troubleshooting. When you run it, the SDU collects all SPL logs, system information, and system logs. For the SDU to be able to collect the system logs, we recommend you configure your Linux devices to preserve them after a restart. Some platforms have this configured by default.
Installation troubleshooting
Tip
If you need more insight into an error, turn debug logging on and run the installer again. See Debug thin installer.
./SophosSetup.sh: Permission denied
You must add the execute permission to SophosSetup.sh. Run the following command:
chmod +x SophosSetup.sh
Please run this installer as root
You must run SophosSetup.sh with root privileges. Use the sudo command or switch to the root user.
Found an existing installation of SAV in /opt/sophos-av/. This product cannot be run alongside Sophos Anti-Virus
You must remove Sophos Anti-Virus for Linux before you install SPL.
SPL installation will fail, can not install to '<path>'.
The installation will fail if you reference a symlink. You must re-run the installer with the --install-dir option and use the path to the directory where the symlink points.
Cannot connect to Sophos Central - please check your network connections
Your Linux machine must be able to connect to the internet and traffic to all Sophos Central domains must be allowed before you can install SPL. See Domains and ports to allow.
SPL installation will fail as a connection to Sophos Central could not be established
Sophos pre-installation checks will fail if curl isn't installed on the Linux device. Install curl and try again. You may also see the following messages:
- SPL installation will fail as a connection to the SUS server could not be established
- SPL installation will fail as a connection to a CDN server could not be established
Failed to connect to repository: error:
Your Linux devices are assigned to a software package that's been retired. Change your Update Management policy and assign your Linux devices to a current software package. See Server Update Management Policy.
Failed to install as setcap is not installed
When the libcap package is missing on the Linux server, the Sophos Protection for Linux Anti-Virus plugin fails to install and continues to retry the installation every hour. The installation log shows the following errors:
497 [2021-08-31T10:51:09.950] INFO [2080044800] suldownloaderdata <> Installing product: ServerProtectionLinux-Plugin-AV version: 1.0.2.93
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> which: no setcap in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Failed to install as setcap is not installed, please see https://support.sophos.com/support/s/article/KBA-000007609
736 [2021-08-31T10:51:10.189] ERROR [2080044800] suldownloaderdata <> Installation failed
736 [2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EDR' is up to date.
740 [2021-08-31T10:51:10.193] WARN [2080044800] suldownloaderdata <> Update failed, with code: 103
740 [2021-08-31T10:51:10.193] INFO [2080044800] suldownloaderdata <> Generating the report file in: /opt/sophos-spl/base/update/var/updatescheduler
Run one of the following commands based on your Linux distribution:
- Debian-based Linux:
apt install libcap2-bin
- RHEL, CentOS, Amazon Linux:
yum install libcap
- SLES:
zypper install libcap-progs
Components not running or failing to install.
If a product is missing, make sure you have the correct license for the missing product.
If the product is installed but not running, check the logs for the relevant components. To do this, do as follows:
- Check the log for the affected component at /opt/sophos-spl/plugins/<plugin name>/log.
- Check the installation log for the relevant component at /opt/sophos-spl/logs/installation/<component>_install.log.
- Check the watchdog log to see whether a component failed to start at /opt/sophos-spl/logs/base/watchdog.log.
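The checks in the setcap section and in the list above can be scripted. The following is an added example, not Sophos code: it walks the log locations named on this page, flags component install logs that record an error, tests for the quoted setcap failure, and maps the ID and ID_LIKE fields of /etc/os-release to the package command from the setcap section. The log lines written by make_sample_tree are constructed for demonstration, and matching watchdog.log on " WARN " and " ERROR " level tokens is an assumption, since the page shows no watchdog entries.

```shell
#!/bin/sh
# Added example, not Sophos code. Scans the SPL log locations named on this
# page for two failure modes: a plugin install that failed because setcap is
# missing, and components whose install or watchdog logs report errors.
# The sample logs built by make_sample_tree are constructed, not real.

SPL_HOME="${SPL_HOME:-/opt/sophos-spl}"

# Given an os-release file (default /etc/os-release), print the command that
# installs the package providing setcap, following the distro list on the page.
libcap_install_cmd() {
    osrel="${1:-/etc/os-release}"
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$osrel" | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *debian*|*ubuntu*) echo "apt install libcap2-bin" ;;
        *rhel*|*centos*|*amzn*|*fedora*) echo "yum install libcap" ;;
        *sles*|*suse*) echo "zypper install libcap-progs" ;;
        *) echo "install the package that provides setcap for this distribution" ;;
    esac
}

# Return 0 when a log contains the setcap error quoted on this page.
setcap_failure_in() {
    grep -q 'Failed to install as setcap is not installed' "$1"
}

# Print "<component>: <last ERROR line>" for every component install log under
# $1/logs/installation that records an error. Exit status 0 if any were found.
failed_component_installs() {
    home="${1:-$SPL_HOME}"
    found=1
    for log in "$home"/logs/installation/*_install.log; do
        [ -f "$log" ] || continue
        if grep -q ' ERROR ' "$log"; then
            found=0
            printf '%s: %s\n' "$(basename "$log" _install.log)" "$(grep ' ERROR ' "$log" | tail -n 1)"
        fi
    done
    return $found
}

# Print WARN/ERROR lines from the watchdog log, which records components that
# failed to start. Matching on the level token is an assumption about the
# log format; the page does not show watchdog.log entries.
watchdog_problems() {
    log="${1:-$SPL_HOME}/logs/base/watchdog.log"
    [ -f "$log" ] && grep -E ' (WARN|ERROR) ' "$log"
}

# Build a constructed SPL log tree (sample data, not from a real host) so the
# checks above can be exercised offline. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/logs/installation" "$d/logs/base"
    cat > "$d/logs/installation/ServerProtectionLinux-Plugin-AV_install.log" <<'EOF'
[2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> which: no setcap in (/usr/sbin:/usr/bin:/sbin:/bin)
Failed to install as setcap is not installed, please see https://support.sophos.com/support/s/article/KBA-000007609
[2021-08-31T10:51:10.189] ERROR [2080044800] suldownloaderdata <> Installation failed
EOF
    cat > "$d/logs/installation/ServerProtectionLinux-Plugin-EDR_install.log" <<'EOF'
[2021-08-31T10:51:10.189] INFO [2080044800] suldownloaderdata <> Downloaded Product line: 'ServerProtectionLinux-Plugin-EDR' is up to date.
EOF
    cat > "$d/logs/base/watchdog.log" <<'EOF'
[2021-08-31T10:52:00.000] WARN [2080044800] watchdog <> constructed sample: plugin av did not start
EOF
    printf 'ID="centos"\nID_LIKE="rhel fedora"\n' > "$d/os-release"
    echo "$d"
}

case "${1:-}" in
    run)   # inspect the real installation
        failed_component_installs "$SPL_HOME"
        watchdog_problems "$SPL_HOME"
        ;;
    demo)  # run against the constructed sample tree
        d=$(make_sample_tree)
        failed_component_installs "$d"
        setcap_failure_in "$d/logs/installation/ServerProtectionLinux-Plugin-AV_install.log" \
            && echo "fix: $(libcap_install_cmd "$d/os-release")"
        watchdog_problems "$d"
        rm -rf "$d"
        ;;
esac
```

Run it as `sh spl-check.sh run` on the device (or with SPL_HOME pointing at a custom --install-dir location) and `sh spl-check.sh demo` to see the output on the constructed sample. The script only reads logs; installing the libcap package is left to the administrator so the package manager is never invoked by a diagnostic.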
High CPU usage after installing SPL
Check if you have fapolicyd on your Linux device. Running fapolicyd and SPL together is supported, but it's known to cause high CPU usage and other issues if not configured correctly. Do as follows to add a rule to fapolicyd to allow it to work together with SPL:
- Stop the SPL agent.
- Create a new file at /etc/fapolicyd/rules.d/ named 22-sophos.rules. The file name is very important: it must follow the naming convention fapolicyd uses to order rules so that the Sophos rules take effect alongside those for system-critical activity. See Configuring the File Access Policy Daemon.
- Add the following content to the file, one rule per line:
allow dir=/opt/sophos-spl/ all : ftype=application/x-sharedlib
allow dir=/opt/sophos-spl/ all : ftype=application/x-executable
allow dir=/opt/sophos-spl/ all : ftype=text/x-python
allow perm=execute dir=/opt/sophos-spl/ : all
- Restart fapolicyd.
- Start the SPL agent.
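The procedure above as one idempotent script, added here as an example and not Sophos code. The rule contents and the 22-sophos.rules file name come from the page; the systemd unit name sophos-spl is taken from the sophos-spl.service error quoted in the SELinux section below. FAPOLICYD_RULES_DIR is overridable so the file-writing and checking steps can be exercised on a host without fapolicyd; the check_spl_rules syntax test is this script's own sanity check, not fapolicyd's parser.

```shell
#!/bin/sh
# Added example, not Sophos code: applies the fapolicyd workaround from the
# page (stop agent, write 22-sophos.rules, restart fapolicyd, start agent).
# FAPOLICYD_RULES_DIR can be pointed at a scratch directory for testing.

FAPOLICYD_RULES_DIR="${FAPOLICYD_RULES_DIR:-/etc/fapolicyd/rules.d}"
SPL_RULES_FILE="22-sophos.rules"

# The four rules from the page, one per line as fapolicyd expects.
spl_rules() {
    cat <<'EOF'
allow dir=/opt/sophos-spl/ all : ftype=application/x-sharedlib
allow dir=/opt/sophos-spl/ all : ftype=application/x-executable
allow dir=/opt/sophos-spl/ all : ftype=text/x-python
allow perm=execute dir=/opt/sophos-spl/ : all
EOF
}

# Write the rules file into $1 (default FAPOLICYD_RULES_DIR). Returns 0 if the
# file was created or changed, 1 if it was already identical (nothing to do),
# so repeated runs do not churn the rules directory.
write_spl_rules() {
    dir="${1:-$FAPOLICYD_RULES_DIR}"
    target="$dir/$SPL_RULES_FILE"
    mkdir -p "$dir"
    if [ -f "$target" ] && spl_rules | cmp -s - "$target"; then
        return 1
    fi
    spl_rules > "$target"
    chmod 644 "$target"
}

# Sanity-check the written file: exactly the four allow rules must be present
# and every non-comment, non-blank line must start with allow or deny.
# This is a local syntax check, not fapolicyd's own parser.
check_spl_rules() {
    target="${1:-$FAPOLICYD_RULES_DIR}/$SPL_RULES_FILE"
    [ -f "$target" ] || return 1
    [ "$(grep -c '^allow ' "$target")" -eq 4 ] || return 1
    ! grep -v -E '^(#|$|allow |deny )' "$target" > /dev/null
}

# The full procedure from the page. Requires root and systemd.
apply_spl_fapolicyd_workaround() {
    systemctl stop sophos-spl
    write_spl_rules || echo "$SPL_RULES_FILE already up to date"
    check_spl_rules || { echo "rules file failed sanity check, not restarting" >&2; return 1; }
    systemctl restart fapolicyd
    systemctl start sophos-spl
}

case "${1:-}" in
    apply) apply_spl_fapolicyd_workaround ;;
esac
```

Run `sudo sh spl-fapolicyd.sh apply` on the affected device. Stopping the agent before the rules land and restarting fapolicyd before the agent comes back keeps the order the page prescribes, so SPL binaries are never executed while fapolicyd is still enforcing the old rule set.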
Installation to a custom directory fails.
The SPL installation fails when you use --install-dir to change the installation directory if the /sophos-spl directory already exists in that location or SPL is installed in another location on the Linux device. To resolve this, delete the /sophos-spl directory or uninstall SPL and try again.
If you're running SELinux in enforcing mode and install SPL to a custom directory other than /opt, you may see the following error:
sophos-spl.service: Failed to execute command: Permission denied
You need to perform the following steps to add a record of the new directory to the SELinux policy that includes the same rules that exist for /opt:
- Create the installation directory you want to use.
- Run the following command, replacing <path_to_new_directory> with the path to your new installation directory:
semanage fcontext -a -e /opt <path_to_new_directory>
Sophos Central troubleshooting
Not started: Sophos Linux Runtime Detections
You may see this error message with a red health status on your Linux devices due to one of the following scenarios:
- The Runtime Detections (RTD) plugin isn't running. This can happen for many reasons, such as when it's installed on a server running an older or unsupported kernel.
- The RTD plugin encountered an issue with a rule or set of rules. In this case, the RTD plugin is still running, and all other rules are active, but Sophos Central shows a red health status to alert you to the issue so you can investigate.
Not started: Update Scheduler
When the SPL agent starts, the update scheduler tries to download the policy from Sophos Central. If the SPL agent can't contact Sophos Central or the policy download fails, you'll see this error message with red health status in Sophos Central.
Live Discover endpoint queries only return data for a short time
By default, the size of the event journals on your devices allows them to store about 90 days of activity. If Live Discover endpoint queries return less data than that, you may need to increase the size of the event journals on your devices. See Event Journals.