Windows Agentless question
I am running the agentless collector on about 70 Domain controllers. I have been running the Wintool each day to look at the status because in general the log collection does not seem stable. Every day I see a number of devices that are labeled as disabled for usually one of two reasons. One being the access was denied and the other being the file does not exist. The collection user has the needed rights and files do exist. The systems marked as disabled change day to day, meaning ones marked disabled are fine today and disabled tomorrow. Ones marked disabled today are fine tomorrow. There are no network issues between the server and the systems it is collecting data from.
We have 20 domains and it is not all servers in the domain but usually it is all files on a server. Some days it might be 2, other days it is 20.
How can I determine what is causing these disables?
Do you know if there are any logon time restrictions for the account that you are using to pull the logs?
If you run 'EventViewer' with DeviceType 'NIC System' and filter for '3 Errors' with the word 'agentless' case insensitive, that should give you the errors for the NIC/enVision side of things?
Also for more details you could try show entry ip x.x.x.x from within the wintool. I have had many problems with agentless collection so we are unfortunately well versed in the troubleshooting.
If you post the exact errors I may be able to help more.
This happens often to us also. One in particular I am working with today shows it is disabled in event viewer with this error:
"Security: Failed to opening event log => The RPC server is unavailable".
Wintool says "Log file does not exist on this device"
I think this server was offline for a couple of hours and it got disabled. The problem is that it is now back online and the windows service is not collecting any logs from it. This has happened in the past and I had to re-add it in the windows service, but that is not an option for us since we have way too many windows servers.
I am able to manually connect to it using the service account envision uses.
I've found that the "Security: Failed to opening event log => The RPC server is unavailable" errors will clear themselves once the Windows server (RPC service) is back online. If a device becomes disabled, it will change the polling interval to 86400 (seconds = 24 hours) and as long as all else is right, it should be fine the next time it polls (in 24 hours or so). You can restart the NIC Windows Service and that will reset the polling intervals for ALL Windows Services. You can also use the wintool.exe "reset" command to reset polling, but I've had better luck with restarting NIC Windows.
If you're still getting "Log file does not exist on this device" that has indicated to us that there is a collection Account issue (improper credentials, wrong Domain, something like that), but seems like you can connect with it using runeventvieweras.exe
If you posted the wintool.exe output "show entry ip x.x.x.x" for a device I could try to provide something more concrete...
Hope it helps.