Remote user logon events not detected by SCSP on Windows 2008 Server

Article:TECH168710  |  Created: 2011-09-01  |  Updated: 2012-07-28  |  Article URL http://www.symantec.com/docs/TECH168710
Article Type
Technical Solution



Issue



The Symantec Critical Systems Protection (SCSP) 5.2.8 agent is installed on a Windows 2008 R2 server. After the Windows Baseline detection policy is applied, a user attempts a remote login by RDP. The baseline detection policy detects the login event, but the alert shown in the SCSP manager does not display the username. The issue does not occur when the SCSP agent is installed on a Windows 2003 server.


Environment



The environment consists mostly of Windows 2008 and Windows 2003 servers. Some of the Windows 2008 servers are Domain Controllers with an Active Directory configuration. The servers have the SCSP 5.2.8.164 agent installed.


Cause



A defect in the evt_extract.ini file used by the SCSP 5.2.8 agent on Windows 2008 causes usernames not to be reported for alerts displayed in the SCSP manager.


Solution



Workaround:

To address the missing username, manually replace the evt_extract.ini file on the affected system with the attached evt_extract.ini, then restart the sisidsservice service.
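The workaround above, as an added PowerShell example that is not part of the Symantec article: it backs up the current evt_extract.ini, copies the attached replacement into place, restarts sisidsservice, and then lists recent RDP logon events (Security log event 4624, logon type 10) so the administrator can confirm the source events carry a user name before checking the SCSP manager alert. The agent install path ($AgentDir) and the location of the downloaded attachment ($NewIni) are placeholders, since the article does not state them.

```powershell
# Added example, not Symantec's own tooling. Applies the evt_extract.ini
# workaround for TECH168710 on a Windows 2008 R2 host with the SCSP 5.2.8 agent.
# ASSUMPTIONS: $AgentDir and $NewIni are placeholders; set them for your system.
param(
    [string]$AgentDir = 'C:\PLACEHOLDER\SCSP\Agent',        # placeholder: agent install directory
    [string]$NewIni   = 'C:\PLACEHOLDER\evt_extract.ini'    # placeholder: the attached file from the article
)

$ServiceName = 'sisidsservice'                       # service name as given in the article
$Target      = Join-Path $AgentDir 'evt_extract.ini' # file the agent actually reads

if (-not (Test-Path $NewIni)) { throw "Replacement file not found: $NewIni" }
if (-not (Test-Path $Target)) { throw "Existing evt_extract.ini not found at $Target; check -AgentDir" }

# 1. Keep a timestamped backup so the change can be reverted if needed.
$Backup = "$Target." + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
Copy-Item -Path $Target -Destination $Backup -Force
Write-Host "Backed up original to $Backup"

# 2. Put the replacement file in place.
Copy-Item -Path $NewIni -Destination $Target -Force
Write-Host "Replaced $Target"

# 3. Restart the agent service and verify it came back up.
Restart-Service -Name $ServiceName -ErrorAction Stop
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') {
    throw "$ServiceName is not running after restart (status: $($svc.Status)); restore $Backup and investigate"
}
Write-Host "$ServiceName restarted, status: $($svc.Status)"

# 4. Sanity check: show the most recent RDP logons from the Windows Security log.
#    Event 4624 with LogonType 10 is an interactive remote (RDP) logon; TargetUserName
#    is the account that logged on. If these show a user name, the Windows event
#    itself is complete and any blank user name in SCSP is an agent extraction issue.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 -ErrorAction SilentlyContinue
$rdp = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP = $data['IpAddress']
        }
    }
}
Write-Host "Recent RDP logons seen in the Security log:"
$rdp | Select-Object -First 10 | Format-Table Time, User, SourceIP -AutoSize
Write-Host "Now trigger a test RDP logon and confirm the SCSP manager alert shows the user name."
```

Run the script in an elevated PowerShell session on the affected server. Step 4 is purely diagnostic; it reads the local Security log and makes no changes.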

Permanent Solution:

The issue is addressed in SCSP build 5.2.8 MP2, which is available for download from the Symantec FileConnect site: https://fileconnect.symantec.com

User Name information for Windows Event Log events no longer appears blank. The Event Viewer now correctly displays the User Name information for Windows Event Log events for the User and Group Change Monitor rule.
Affected operating systems: Windows operating systems
Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection
