
Check Status as "Unknown"

Created: 02 Mar 2012 • Updated: 01 Aug 2012 | 9 comments
jpontes's picture
This issue has been solved. See solution.

Hello All,

I'm running an evaluation of some Windows 2008 machines against the CIS Windows Server 2008 Benchmark and noticed a large number of results with status "unknown" (instead of pass/fail), especially those related to "Audit Policy". It seems like the collection mechanism cannot find or access the values, but I know they are actually there (i.e., registry, secpol, auditpol.exe, etc.). I'm running an agentless collection and using domain admin credentials.

Has anybody observed the same?

Regards


Syed Hussain -Compliance Devil's picture

Hi,

Did you try running the same checks by choosing the same data source from the RMS console, pointing to the same server in a domain? If yes, do you see the results, or does it throw any error message?

Thanks,

-Syed Hussain

 

Jack_Baggins's picture

I know this is a little old. Wondering if anyone had a fix.

I run the same evaluation with the same setup as above on Windows Server operating systems, and everything works fine. When I run an evaluation against a Windows 7 machine (Windows 7 CIS Security Benchmark), I get a large portion (46%) unknown. And it is not detecting the changes in the policy on the Windows 7 machine to correct failures either; even though I can log in to the machine and see the changes have been made, they are still flagged as "Fail" in the evaluation.

I am using CCS 11, and a domain admin account as Windows Credentials. I have verified that the credentials work without issue on the Windows 7 machine.

Thanks...

cmccoy2's picture

Unknown status can come from many different conditions. You will most likely need to look into the data collection job and see what messages are being reported. In addition to that you may need to turn on verbose logging on the CCS Manager and look at the logs. In most cases the logs will be in the following folder: C:\Programdata\Symantec.CSM\DPS\*.csv

The folder names might have changed due to the newer version, but once verbose logging is turned on, then you will need to sift through the logs to see what is causing the issue. It is possible that there is something being blocked on your target machine. Most of the data is now collected via WMI so you will need to make sure that nothing is blocking that. As Syed had mentioned previously, try to build a query to get the same data as being requested in the check and see if you are successful.

Hope this helps

Jack_Baggins's picture

Thank you for your reply. It turned out that the Windows firewall on the local machine was configured to block things like WMI as you mentioned. I was able to reconfigure and get the scan to work perfectly. I see you mentioned verbose logging, and another response was asking how to turn that on. I think I would have been able to find my firewall issue a little faster if I had this enabled. So my question is the same as the question below. How do you enable verbose logging?

Thanks.
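
The WMI reachability test discussed in the two posts above, as an added example that is not part of the original thread or of CCS itself. It is meant to be run from the CCS Manager host; the target name `WIN7-TARGET01` and the function names are placeholders chosen here, and the query against `Win32_OperatingSystem` is only a stand-in for the data a real check requests.

```powershell
# Added example: probe one agentless target the way a WMI-based collection would.
param(
    [string]$Target = 'WIN7-TARGET01',                      # placeholder host name
    [System.Management.Automation.PSCredential]$Credential  # e.g. (Get-Credential)
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-WmiCollection {
    param([string]$ComputerName, $Credential)
    $r = New-Object PSObject -Property @{
        Target = $ComputerName; Rpc135Open = $false; WmiQueryOk = $false; Diagnosis = ''
    }
    # Remote WMI over DCOM starts at the RPC endpoint mapper on TCP 135.
    $r.Rpc135Open = Test-TcpPort -ComputerName $ComputerName -Port 135
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs['Credential'] = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs
        $r.WmiQueryOk = $true
        $r.Diagnosis = "WMI reachable: $($os.Caption)"
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.UnauthorizedAccessException]) {
            $r.Diagnosis = 'Access denied (0x80070005): credentials or DCOM/WMI permissions'
        } elseif ($ex -is [System.Runtime.InteropServices.COMException] -and
                  $ex.ErrorCode -eq -2147023174) {   # 0x800706BA as a signed Int32
            $r.Diagnosis = 'RPC server unavailable (0x800706BA): firewall or RPC blocked on target'
        } else {
            $r.Diagnosis = "Other WMI error: $($ex.Message)"
        }
    }
    $r
}

Test-WmiCollection -ComputerName $Target -Credential $Credential | Format-List
```

An "RPC server unavailable" result with valid credentials points at the target's firewall rather than at the account, which matches the Windows 7 case reported here; the built-in Windows Firewall rule group to inspect on the target is "Windows Management Instrumentation (WMI)".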

jpontes's picture

Hi Guys,

How do I turn on verbose logging in CCS11?

Thanks in advance

JPontes

Syed Hussain -Compliance Devil's picture

Hi,

Please refer to CCS_User_Guide.pdf, pages 425 and 708, for more clarity.

 

Attachment: CCS_User_Guide.pdf (13.75 MB)

Thanks,

-Syed Hussain

 

cmccoy2's picture

Basically you need to find the desired config file and edit the XML and find the log level and change it. Here are a couple of links for your reference:

http://www.symantec.com/docs/HOWTO75793

http://www.symantec.com/docs/HOWTO75792

http://www.symantec.com/docs/HOWTO75794

Hope this helps

jpontes's picture

The links above have good info, although I couldn't figure out two things:

What specific files should I change in CCS 11 to enable verbose logging of the collection and to get the XML response files?

Where are the logs and the response files stored on CCS11?

Regards

cmccoy2's picture

For Application Server:

X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application Server

     AppserverService.exe.config

For CCS Manager:

X:\program files (x86)\Symantec\CCS\Reporting and Analytics\DPS

     Symantec.CSM.DPS.exe.config

For Directory Server Support:

X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Directory Support Service

     Symantec.CSM.DSS.Service.exe.config

These are all XML files so you will need to look into the text and find where the log levels are set to change how the logs are performing. Most logs can be found here for Windows Server 2008+:

C:\ProgramData\Symantec.CSM\Logs\[folder of service/task]

When you change the log levels the change will be immediate and you will not need to stop/start the given service.

Hope this helps.

SOLUTION