Camilo Diaz

Everything posted by Camilo Diaz

  1. Thanks for your prompt reply. The ideal solution is to delete and deactivate the license automatically from ESMC. We are managing +8000 devices so you can understand it is not a good solution to delete the devices one by one and then deactivate the license one by one. I'd like to troubleshoot connectivity to ELA servers. What's the PLID? Edit: I know what PLID is now. I'll PM you the details.
  2. ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
     ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
     Microsoft Windows Server 2012 R2 Datacenter (64-bit), Version 6.3.9600

     Server Task keeps failing. Not much info from the console. See attachment. From the logs in C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs I think the error is related to:

     2019-04-18 01:40:14 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivation of seat [ComputerUUID=0d784d38-806b-4b12-8607-032559162da8, SeatID=2e5c5ba1-d108-4675-a2c4-7f473ba, MasterSeatId=232f229a-8db6-4e4a-8a16-e913e8bd17d5] failed. Error: CEcpCommunicator: ECPRequestMessageDeactivation request failed, error=0x20103004.
     2019-04-18 01:40:15 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivation of seat [ComputerUUID=128b91b2-118d-4710-b02d-90caf056ded0, SeatID=d67b52bd-8c73-4bb4-ad4d-2841415, MasterSeatId=232f229a-8db6-4e4a-8a16-e913e8bd17d5] failed. Error: CEcpCommunicator: ECPRequestMessageDeactivation request failed, error=0x20103004.
     2019-04-18 01:40:15 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivating seat [ComputerUUID=150a8581-d6e7-47c4-a41c-027623b6050a, LicensePublicID=XXXXX, SeatID=1609803e-9...].

     PS. I removed the LicensePublicID from the logs.

     Any advice on how to fix this?
  3. Thanks Marcos for your quick response. My understanding is the logs sent from the clients can't be modified. Can you confirm this?
  4. ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
     ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
     Microsoft Windows Server 2012 R2 Datacenter (64-bit).

     We've been experiencing issues with the logs not being sent to our syslog server. We just upgraded to the latest version hoping that this would fix the issue but unfortunately, after the upgrade, we still see the same error in the tracelog:

     Extract of the logs:

     2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
     2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
     2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
     2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
     2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
     2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
     2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
     2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
     2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
     2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
     2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
     2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message

     Syslog server config:

     Same error when using default port 514.

     Logging:

     Any advice on how to fix/troubleshoot this error?

     Thanks
     Camilo.
  5. Hi Eset community, is there a way to dynamically export information from ESMC7 such as active threats, unresolved incidents, etc., in a given time frame? What I am trying to achieve is to extract this information to feed our reporting/analysis tool (Grafana). We don't want to use CSV files, as we'd have to manually import the file. Hope that's clear. Cheers, Camilo
  6. Windows uses Event Viewer. For using syslog, you need to set up a syslog server.
  7. Ok, so I just realized this won't work on a Windows server. I am pointing the syslog server to my PC running Linux and I'll see if that makes a difference...
  8. Ok, so for testing purposes I have set the server as localhost, that way I can send the JSON file to our syslog server. Do you know where those files are stored in Windows?
  9. So this is my config of syslog server:

     This is the config for Logging:

     I thought this last config will leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ? If I set localhost as the host, where would the files be stored?
  10. You should receive the logs in your syslog server. Because I didn't receive it, I began investigating by analyzing the network traffic to see what was going on but I can't see any traffic generated from Eset server to my syslog server :(.
  11. Yes, exactly that. UDP and port 514. The same config is set in the web console. Do you have this configured?
  12. Yes, I have the outbound firewall rule on the server but from the traffic capture I can't see any traffic going to my syslog server at all. Server is Microsoft Windows Server 2012 R2.
  13. Hi Eset, We currently have Eset Security Management Center v7.0.553.0, configured to send the logs to a syslog server. I've captured the traffic from the server and I can't see any outbound traffic going to my log server. A special rule to allow the traffic is configured in the Firewall. Any ideas? Thanks, Camilo