jdashn - Posted July 29, 2016

Good morning/afternoon/evening!

I've heard some of the ESET staff here talk about setting up a dynamic group based on who is logged into a computer. It would be nice to set up a dynamic group of computers where no user is logged into the machine. This would be very helpful, as that is one of the major deciding factors that go into whether we can start to perform a software update on a client machine. We obviously don't want to restart a user's machine while they're using it.

Is there a way to set up a dynamic group that contains computers with no users logged into them? How often does ESET check this information (the same time it reports to ERA, or?)?

Thanks
Jdashn

MartinK (ESET Staff) - Posted July 29, 2016 (edited)

It should be possible to create such a group, but I was not able to verify it. There are multiple options, but you may try to configure a dynamic group template as in the screenshot:

EDIT: dynamic group does not work in ERA 6.4

Once this dynamic group is replicated to AGENT, it is evaluated automatically and should detect a change in the list of logged users almost immediately, as it is listening for system notifications. AGENT will be joining and leaving dynamic groups autonomously without an active connection to SERVER -> if you attach a specific task to this group, it will be executed even if the computer is offline. I guess it is no surprise that you won't see an offline computer joining/leaving a dynamic group in Webconsole, as this information requires a working connection to SERVER.

Edited August 1, 2016 by MartinK

jdashn (Author) - Posted July 29, 2016

Thanks for the reply,

I know I've tried something similar a few times using Regex. I have not tried using 'Has Mask'. I've set up a group and a template and it's applied. I've got a few test machines I have set up to report back to ERA every minute, so I should see some computers populate shortly (that and it's getting to be pretty late on a Friday for everyone to still be in the office lol).

I will let you know if I see any machines there within an hour!

Thanks,
Jdashn

jdashn (Author) - Posted July 29, 2016

Sadly no computers have joined this dynamic group, but I know we've got computers actively reporting to ERA with no users logged in. Any other suggestions?

Thank you very much!!!
Jdashn

MartinK (ESET Staff) - Posted July 31, 2016

Have you also tried what happens after a system reboot but before users log in? When users are leaving the computer, do they actually log out, or do they only lock the screen?

There is also the possibility to create a report with "Computer name" and "Logged user name" to check what is going on, but my guess is that the computer will still be reporting the last logged user.

jdashn (Author) - Posted August 1, 2016

So I've got a few test computers, and many many user computers. With our user machines there is likely every possible way a user can log off, think they logged off, reboot, etc.

On the test machines, I know for sure that I've tested the following conditions with no success with the group as you suggested (with Windows 7 64-bit Enterprise, laptops, desktops, all connected to the network via cable (no wireless in this test), all set to have the agent report to RA every 60 sec):

- User logged in, then logs out via start menu
- User logged in, then logs out via start menu and reboot issued remotely
- User logged in, then reboots machine from start menu

I'm wondering if the DB is just recording who logs into the computer and not who logs out. Which might be the logical, easier thing to code if all you are looking to do is change things based on who is logged in. Are you finding success in your environment with this query?

Thanks,
Jdashn

MartinK (ESET Staff) - Posted August 1, 2016

> I'm wondering if the DB is just recording who logs into the computer and not who logs out. Which might be the logical, easier thing to code if all you are looking to do is change things based on who is logged in. Are you finding success in your environment with this query?

I should have tested it before posting ... it seems the negated rule does not work as I expected. The problem is that when no one is logged in, the list of logged users is empty, and therefore evaluation of the dynamic group is automatically considered as "not matching" (because there is no data to compare or match). I am currently not even sure what the correct behavior is.

jdashn (Author) - Posted March 16, 2017

It does appear that this has been changed/updated in version 6.5 (ERA), and it does appear that you can now create a group that represents computers with no one logged into them, as the DB does now record logouts!

Thanks again for your help with this! And thanks to whoever saw the problem and fixed it for this new version!

Jdashn

MartinK (ESET Staff) - Posted March 16, 2017

26 minutes ago, jdashn said:

> It does appear that this has been changed/updated in version 6.5 (ERA) and it does appear that you can now create a group that represents computers with no one logged into them as the DB does now record logouts! Thanks again for your help with this! And thanks to whomever saw the problem and fixed it for this new version!

Actually, the problem was in dynamic group evaluation, as described in my previous post. Logged users were reported correctly, but it was not possible to create a dynamic group with the required conditions (negate condition on empty list).

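The evaluation behaviour described in the two MartinK posts above (a negated condition over an empty list of logged users), modelled as an added example. It is not ESET's code and not part of any post; the function names, computer names and user names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed inventory: computer name -> logged-in user names as reported.
COMPUTERS = {
    "PC-01": ["alice"],
    "PC-02": [],                 # everyone logged out
    "PC-03": ["bob", "svc_backup"],
    "PC-04": [],                 # rebooted, nobody logged in yet
}


def any_user_matches(users, mask):
    """True if at least one logged user name matches the wildcard mask."""
    return any(fnmatchcase(user, mask) for user in users)


def negated_rule_no_data_fails(users, mask):
    """Model of the behaviour described in the thread: an empty list gives
    the rule nothing to compare, so the result is 'not matching' even
    though the condition is negated."""
    if not users:
        return False
    return not any_user_matches(users, mask)


def negated_rule_over_whole_list(users, mask):
    """Negation applied to the list as a whole: with no users, no user
    matches the mask, so the negated rule holds."""
    return not any_user_matches(users, mask)


def group_members(rule, mask="*"):
    """Computers that would join a group built on the given rule."""
    return sorted(name for name, users in COMPUTERS.items()
                  if rule(users, mask))


if __name__ == "__main__":
    # Rule under test: "no logged user name matches *" (nobody logged in).
    print("empty list = no match:", group_members(negated_rule_no_data_fails))
    print("negate whole list    :", group_members(negated_rule_over_whole_list))
```

With the first model the "nobody logged in" group stays empty, so a reboot or update task attached to it never runs; with the second, only the idle machines join.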
jdashn (Author) - Posted March 16, 2017

Ahh,

When I was looking at the DB previously I had noticed that it didn't log logouts, so I had figured that ERA wouldn't be able to see if no one was logged in, because the DB only recorded 'who had logged in' .. at least that's how it appeared!

Regardless, it's awesome that the test dynamic group I had set up is now working. Once I get the other issues I've got with installing 6.5 cleared up, this should really help for deployments!

Jdashn