Audit Logs Gone Wild


escadan396

I've been working with support for the last week trying to determine why I can't generate audit logs. Last night I found that the ERA database is 23 GB, of which 22.5 GB is audit logs. There's my problem! Purged the DB, and can now generate the audit logs.

However, now I need to find the underlying problem. The ERA server generated over 128k audit records between 7pm last night and this morning. Almost all of these are informational, reading as follows:

"Moving computer '<computername>'All\<path>\<path>\<path>' to group 'All\<path>\<path>\<path>'."

The confusing part is the group paths are the same. Essentially, ERA is trying to move a computer back into the same group it's already in. The time stamp on these coincides with our AD Static Group Sync job, so I'm assuming that is what is kicking off the "move". The entries show dozens of separate moves for each machine at the same time.

My question: What is causing ERA to try to move a computer to a group it's already in? Alternatively, is there a way I can exclude this type of event from auditing?

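As an added example, not part of the thread and not ESET's tooling: a short Python triage script run over a constructed text export of the audit log. It parses the "Moving computer" records quoted above, flags those whose source and destination group are identical (the no-op moves), counts them per host, and buckets all moves per minute so a burst that lines up with the AD Static Group Sync schedule stands out. The timestamp and severity prefix, the hostnames and the group paths in the sample are assumptions; only the message wording comes from the post.

```python
"""Triage an ERA audit-log text export for no-op 'move' records.

Added example, not ESET code. The record layout assumed here is
'<YYYY-MM-DD HH:MM:SS> <severity> <message>'; only the message text
follows the wording quoted in the thread. Adjust MOVE_RE to your export.
"""
import re
from collections import Counter

# Constructed sample records (hostnames, paths and times are made up).
# The second line deliberately omits the space between the two quoted
# fields, as the message quoted in the post does.
SAMPLE_AUDIT_LINES = [
    r"2017-06-01 19:00:02 Information Moving computer 'VDI-001' 'All\Site\VDI\Pool1' to group 'All\Site\VDI\Pool1'.",
    r"2017-06-01 19:00:02 Information Moving computer 'VDI-001''All\Site\VDI\Pool1' to group 'All\Site\VDI\Pool1'.",
    r"2017-06-01 19:00:03 Information Moving computer 'VDI-002' 'All\Site\VDI\Pool1' to group 'All\Site\VDI\Pool1'.",
    r"2017-06-01 19:00:03 Information Moving computer 'WKS-010' 'All\Lost & found' to group 'All\Site\Workstations'.",
    r"2017-06-01 19:00:05 Information Task 'AD Static Group Sync' finished.",
    r"2017-06-01 19:01:10 Information Moving computer 'VDI-001' 'All\Site\VDI\Pool1' to group 'All\Site\VDI\Pool1'.",
]

# Hostname, current group and target group are each single-quoted; the
# optional space tolerates the run-together form seen in the post.
MOVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"Moving computer '(?P<host>[^']+)' ?'(?P<src>[^']+)' to group '(?P<dst>[^']+)'\.$"
)


def parse_move(line):
    """Return a dict for a 'Moving computer' record, or None for any other record."""
    m = MOVE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # A move whose source and destination paths are identical changes nothing.
    rec["noop"] = rec["src"] == rec["dst"]
    return rec


def analyze(lines):
    """Summarise move records: totals, no-op moves per host, moves per minute."""
    summary = {
        "total_moves": 0,
        "noop_moves": 0,
        "noop_by_host": Counter(),
        "moves_by_minute": Counter(),
        "real_moves": [],
    }
    for line in lines:
        rec = parse_move(line)
        if rec is None:
            continue
        summary["total_moves"] += 1
        # Minute bucket: compare the spikes against the sync job's schedule.
        summary["moves_by_minute"][rec["ts"][:16]] += 1
        if rec["noop"]:
            summary["noop_moves"] += 1
            summary["noop_by_host"][rec["host"]] += 1
        else:
            summary["real_moves"].append((rec["host"], rec["src"], rec["dst"]))
    return summary


def analyze_file(path, encoding="utf-8"):
    """Run analyze() over an exported log file, one record per line."""
    with open(path, encoding=encoding) as fh:
        return analyze(line.rstrip("\r\n") for line in fh)


def report(summary):
    """Print a short human-readable triage report."""
    total, noop = summary["total_moves"], summary["noop_moves"]
    print(f"move records: {total}, no-op (same group): {noop}")
    print("no-op moves per host:")
    for host, n in summary["noop_by_host"].most_common():
        print(f"  {host}: {n}")
    print("moves per minute:")
    for minute, n in sorted(summary["moves_by_minute"].items()):
        print(f"  {minute}: {n}")
    print("real moves:")
    for host, src, dst in summary["real_moves"]:
        print(f"  {host}: {src} -> {dst}")


if __name__ == "__main__":
    report(analyze(SAMPLE_AUDIT_LINES))
```

Point `analyze_file()` at a real export and look at the `noop_by_host` and `moves_by_minute` output together: hosts with many identical no-op moves inside one minute, recurring at the sync job's interval, are the ones to check against the synchronization task settings.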

ESET Staff

There has been an issue similar to this identified recently.

Could you please try to modify your AD synchronization task so that "Computer creation collision handling" is set to "SKIP"? What version of ERA are you using?


Hi Martin,

We are using 6.5.417.0.

If we set the Computer Creation Collision Handling to "Skip", are we going to lose the ability to resolve name conflicts? The computers which seem to be issuing most of the audit alerts are non-persistent VDI machines, so they will constantly be refreshing. New VM, same hostname.

Thanks!
