Posts posted by Camilo Diaz

  1. 21 minutes ago, MichalJ said:

    My first recommendation (just to allow the deletion) would be to uncheck the option to "automatically deactivate such seats". What you can do, is to deactivate them manually via ESET License Administrator or shorten the removal interval there. 

    What might also help for us to check is to try manual removal of such computers from ELA. If that works, then it might be caused by network connectivity issues on your / our side. It might help us to actually see the PLID, so we can check whether ESMC server was able to contact our licensing infrastructure, to perform deactivation. 

     Thanks for your prompt reply. 

    The ideal solution is to delete and deactivate the license automatically from ESMC. We are managing +8000 devices, so you can understand it is not a good solution to delete the devices one by one and then deactivate the license one by one. I'd like to troubleshoot connectivity to ELA servers. What's the PLID?

    Edit: I know what PLID is now. I'll PM you the details.

  2. ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
    ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
    Microsoft Windows Server 2012 R2 Datacenter (64-bit), Version 6.3.9600
     
    Server Task keeps failing. Not much info from the console. See attachment.
     
    From the logs in C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs I think the error is related to:
     

    2019-04-18 01:40:14 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivation of seat [ComputerUUID=0d784d38-806b-4b12-8607-032559162da8, SeatID=2e5c5ba1-d108-4675-a2c4-7f473ba, MasterSeatId=232f229a-8db6-4e4a-8a16-e913e8bd17d5] failed. Error: CEcpCommunicator: ECPRequestMessageDeactivation request failed, error=0x20103004.

     

    2019-04-18 01:40:15 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivation of seat [ComputerUUID=128b91b2-118d-4710-b02d-90caf056ded0, SeatID=d67b52bd-8c73-4bb4-ad4d-2841415, MasterSeatId=232f229a-8db6-4e4a-8a16-e913e8bd17d5] failed. Error: CEcpCommunicator: ECPRequestMessageDeactivation request failed, error=0x20103004.

    2019-04-18 01:40:15 Information: LicenseModule [Thread 3f0]: DeactivateSeatsForComputers: Deactivating seat [ComputerUUID=150a8581-d6e7-47c4-a41c-027623b6050a, LicensePublicID=XXXXX, SeatID=1609803e-9...].

    PS. I removed the LicensePublicID from the logs

    Any advice on how to fix this?

     

     
     

    Task_Failed2.png

    Server_Task_failed.png

  3. ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
    ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
    Microsoft Windows Server 2012 R2 Datacenter (64-bit).
     
    We've been experiencing issues with the logs not being sent to our syslog server. We just upgraded to the latest version hoping that this would fix the issue but unfortunately, after the upgrade, we still see the same error in the tracelog:
     
    Extract of the logs:
    2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
    2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
    2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
    2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
    2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
    2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
    2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
    2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
    2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
    2019-01-20 18:20:18 Debug: CLogExportModule [Thread 47c]: Encoding message (10225): EventLog_THREAT_EVENT
    2019-01-20 18:20:18 Error: CSyslogSenderModule [Thread 20d8]: Failed to encode syslog message
    2019-01-20 18:20:18 Error: CLogExportModule [Thread 47c]: Unhandled exception: Failed to encode syslog message
     
    Syslog server config:
    [Screenshot: syslogconfig.png]
    Same error when using default port 514.
     
    Logging:
    [Screenshot: logging.png]
     
    Any advice on how to fix/troubleshoot this error?
     
    Thanks
    Camilo.
     
  4. Hi Eset community,
    Is there a way to dynamically export information from ESMC 7 such as active threats, unresolved incidents, etc., in a given time frame?
    What I am trying to achieve is to extract this information to feed our reporting/analysis tool (grafana). We don't want to use csv files, as we'd have to manually import the file.

    Hope that's clear.

    Cheers

    Camilo

  5. 1 hour ago, MartinK said:

    It was just an example from Linux environment, where it is commonly used to have local syslog server, configured to redirect messages to remote location. Your configuration seems fine and I would expect there will be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt changes in ESMC for your specific syslog server. There are variants that accept only TCP connections, as it can handle longer messages.

    Ok, so for testing purposes I have set the server as localhost, that way I can send the JSON file to our syslog server. Do you know where those files are stored in Windows?

  6. 27 minutes ago, ewong said:

    I didn't have it configured; but I just set it up.   Now I'm not entirely sure how to test this out.

    You should receive the logs in your syslog server. Because I didn't receive it, I began investigating by analyzing the network traffic to see what was going on but I can't see any traffic generated from Eset server to my syslog server :(.

     

  7. 11 minutes ago, ewong said:

    Do you happen to have the outbound firewall rule on your server created?  (Ditto with the inbound rule for your syslog server, which I'll assume you have).

    Yes, I have the outbound firewall rule on the server but from the traffic capture I can't see any traffic going to my syslog server at all.

    Server is Microsoft Windows Server 2012 R2
