Troubleshooting Sophos Linux Sensor

Troubleshoot common errors in Sophos Linux Sensor (SLS).

Licensing errors

"error": "Unauthorized" when trying to generate the SLS package repository API token.

SLS isn't available with evaluation licenses. Your Sophos Central account must have one of the following qualifying product licenses:

  • Intercept X Advanced for Server with XDR
  • Central Managed Detection and Response Essential Server
  • Central Managed Detection and Response Complete Server

I've deployed SLS sensors but my Sophos Central license count hasn't changed.

SLS is licensed per device. However, your Sophos Central Devices view and license count won't reflect your SLS instances. You also won't see your SLS devices in Server Protection. This is because SLS can send detection details and alerts to, but isn't managed by, Sophos Central.

Download errors

"error": "BadServerResponse" when trying to generate the SLS package repository API token.

SLS needs API credentials created by a SuperAdmin in a Sophos Central Admin dashboard. Ensure the configuration is done in a Sophos Central Admin dashboard and not in a Partner or Enterprise dashboard.

The repository 'https://packages.sophos.com/sophos-linux-sensor/release stable InRelease' is no longer signed.

Your SLS package repository API token is expired. You must generate a new token. See Generate an SLS package repository API token.

Installation errors

Invalid GPG Key from file:///etc/sophos-linux-sensor.gpg: No key found in given key data

Some distributions, such as Amazon Linux 2, require you to convert the GPG key to ASCII format before installing the sensor. To do this, run the following command:

gpg --keyring /etc/sophos-linux-sensor.gpg --no-default-keyring --export -a > /etc/.tmp.sophos-linux-sensor.gpg && mv /etc/.tmp.sophos-linux-sensor.gpg /etc/sophos-linux-sensor.gpg

Once you convert the GPG key, verify it again, and continue with the installation. See Verify the GPG key.
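
An idempotent variant of the conversion above, as an added example that is not part of the Sophos documentation: it skips a key that is already ASCII-armored and keeps the original file if the export produces no armored key. The function names and the 0644 file mode are assumptions.

```sh
#!/bin/sh
# Added example (not Sophos code): idempotent ASCII-armor conversion of the
# SLS repository key. Function names and the 0644 mode are assumptions.

ARMOR_HEADER='-----BEGIN PGP PUBLIC KEY BLOCK-----'

# is_armored FILE: succeed only if FILE's first line is the armor header.
is_armored() {
    [ -r "$1" ] || return 2
    # tr drops a trailing CR so CRLF-terminated keys are still recognised.
    head -n 1 "$1" | tr -d '\r' | LC_ALL=C grep -qxF -- "$ARMOR_HEADER"
}

# armor_keyring FILE: convert a binary keyring to ASCII armor in place.
armor_keyring() {
    key=$1
    [ -r "$key" ] || { echo "armor_keyring: cannot read $key" >&2; return 1; }
    if is_armored "$key"; then
        return 0                      # already armored, nothing to do
    fi
    # Temp file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "${key}.XXXXXX") || return 1
    if gpg --no-default-keyring --keyring "$key" --export -a > "$tmp" \
        && is_armored "$tmp"; then
        # Assumption: the key is public and the package manager may read it
        # as an unprivileged user, so make it world-readable.
        chmod 0644 "$tmp" && mv "$tmp" "$key"
    else
        # Export failed or produced no armored key: keep the original file.
        rm -f "$tmp"
        echo "armor_keyring: could not export $key" >&2
        return 1
    fi
}

# Run against the path given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    armor_keyring "$1"
fi
```

Pass the key path (here /etc/sophos-linux-sensor.gpg) as the first argument, then verify the key again before continuing with the installation.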

Zero policies configured

SLS default detection content isn't installed. You must install both SLS and the default content for detections and alerts to function. See Install Sophos Linux Sensor.

Alert output errors

Unable to start analytics: 400 Failed to validate registration auth token on SLS startup.

SLS logs this error message and fails to start because of an invalid token configuration for alert output. See Generate an SLS package repository API token.

Unable to start analytics: error writing alert to MCS on SLS startup.

SLS logs this error message and fails to start when it can't communicate with the Sophos Central MCS API. You must connect to the same MCS region as your Sophos Central account. See Finding your MCS URL.

Timed out gathering optional metadata, some optional metadata won't be available

SLS couldn't gather the optional metadata from a cloud environment. You can adjust the optional_metadata_gathering_timeout value in the runtimedetections.yaml config file to give the sensor more time to gather the optional metadata. See Timeout.