escadan396 0 Posted October 12, 2017 Share Posted October 12, 2017 I've been working with support for the last week trying to determine why I can't generate audit logs. Last night I find that the ERA database is 23gb, of which 22.5gb is audit logs. There's my problem! Purged the db, and can now generate the audit logs. However- now I need to find the underlying problem. The ERA server generated over 128k audit records between 7pm last night and this morning. Almost all of these are informational, reading as follows: "Moving computer '<computername>'All\<path>\<path>\<path>' to group 'All\<path>\<path>\<path>'. The confusing part is the group paths are the same. Essentially, ERA is trying to move a computer back into the same group it's already in. The time stamp on these coincides with our AD Static Group Sync job, so I'm assuming that is what is kicking off the "move". The entries show dozens of separate moves for each machine at the same time. My question: What is causing ERA to try to move a computer to a group its already in? Alternatively, is there a way I can exclude this type of event from auditing? Link to comment Share on other sites More sharing options...
ESET Staff MartinK 378 Posted October 13, 2017 ESET Staff Share Posted October 13, 2017 There has been issue similar to this identified recently. Could you please try to modify your AD synchronization task so that "Computer creation collision handling" is set to "SKIP"? What version of ERA are you using? Link to comment Share on other sites More sharing options...
escadan396 0 Posted October 13, 2017 Author Share Posted October 13, 2017 Hi Martin, We are using 6.5.417.0. If we set the Computer Creation Collision Handling to "Skip", are we going to lose the ability to resolve name conflicts? The computers which seem to be issuing most of the audit alerts are non-persistent VDI machines, so they will constantly be refreshing. New VM, same hostname. Thanks! Link to comment Share on other sites More sharing options...
Recommended Posts