Check Status as "Unknown"
Created: 02 Mar 2012 | Updated: 01 Aug 2012 | 9 comments
This issue has been solved. See solution.
Hello All,
I'm running an evaluation of some Windows 2008 machines against the CIS Windows Server 2008 Benchmark and noticed a large number of results with status "unknown" (instead of pass/fail), especially those related to "Audit Policy". It seems like the collection mechanism cannot find or access the values, but I know they are actually there (i.e., registry, secpol, auditpol.exe, etc.). I'm running an agentless collection and using domain admin credentials.
Has anybody observed the same?
Regards
Hi,
Did you try running the same checks by choosing the same data source from the RMS console, pointing to the same server in the domain? If yes, do you see the results, or does it throw any error message?
Thanks,
-Syed Hussain
I know this is a little old. Wondering if anyone had a fix.
I run the same evaluation with the same setup as above on Windows Server operating systems, and everything works fine. When I run an evaluation against a Windows 7 machine (Windows 7 CIS Security Benchmark), I get a large portion (46%) unknown. And it is not detecting the changes in the policy on the Windows 7 machine to correct failures either; even though I can log in to the machine and see the changes have been made, they are still flagged as "Fail" in the evaluation.
I am using CCS 11, and a domain admin account as Windows Credentials. I have verified that the credentials work without issue on the Windows 7 machine.
Thanks...
Unknown status can come from many different conditions. You will most likely need to look into the data collection job and see what messages are being reported. In addition to that you may need to turn on verbose logging on the CCS Manager and look at the logs. In most cases the logs will be in the following folder:
C:\Programdata\Symantec.CSM\DPS\*.csv
The folder names might have changed due to the newer version, but once verbose logging is turned on, then you will need to sift through the logs to see what is causing the issue. It is possible that there is something being blocked on your target machine. Most of the data is now collected via WMI so you will need to make sure that nothing is blocking that. As Syed had mentioned previously, try to build a query to get the same data as being requested in the check and see if you are successful.
Hope this helps
Thank you for your reply. It turned out that the Windows firewall on the local machine was configured to block things like WMI as you mentioned. I was able to reconfigure and get the scan to work perfectly. I see you mentioned verbose logging, and another response was asking how to turn that on. I think I would have been able to find my firewall issue a little faster if I had this enabled. So my question is the same as the question below. How do you enable verbose logging?
Thanks.
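The diagnosis suggested and confirmed in the two posts above (run a WMI query against the target yourself and see whether something is blocking it) can be scripted from the CCS Manager host. This is an added example, not part of the original thread or of CCS; the target name is a placeholder and Win32_OperatingSystem is an assumed stand-in for whatever data the check actually requests.

```powershell
# Added example: classify why a WMI query from the CCS Manager host to a target fails.
param(
    [string]$Target = 'WIN7-TARGET.example.local',   # hypothetical host name
    [System.Management.Automation.PSCredential]$Credential
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-WmiCollection {
    param([string]$ComputerName, $Credential)
    # Step 1: RPC endpoint mapper; remote WMI (DCOM) starts its conversation here.
    if (-not (Test-TcpPort -ComputerName $ComputerName -Port 135)) {
        return 'BLOCKED: TCP 135 unreachable (host firewall or network filter)'
    }
    # Step 2: a real WMI query. Win32_OperatingSystem is a stand-in for the
    # check's own query; it only proves the WMI path works end to end.
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs
        return "OK: WMI answered ($($os.Caption))"
    } catch [System.UnauthorizedAccessException] {
        return 'DENIED: reachable, but credentials or DCOM/WMI permissions were rejected'
    } catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA = "The RPC server is unavailable": typical when port 135
        # answers but the dynamic RPC ports WMI uses are filtered on the target.
        if ($_.Exception.ErrorCode -eq -2147023174) {
            return 'BLOCKED: RPC server unavailable (check the WMI firewall rule group)'
        }
        return "ERROR: COM error 0x{0:X8}" -f $_.Exception.ErrorCode
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
}

Test-WmiCollection -ComputerName $Target -Credential $Credential
```

A BLOCKED result points at the target's firewall rather than at CCS or the credentials; on the target, the built-in rule group can be enabled with `netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes`.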
Hi Guys,
How do I turn on verbose logging in CCS11?
Thanks in advance
JPontes
Hi,
Please refer to CCS_User_Guide.pdf pages 425 and 708 for more clarity.
Thanks,
-Syed Hussain
Basically you need to find the desired config file and edit the XML and find the log level and change it. Here are a couple of links for your reference:
http://www.symantec.com/docs/HOWTO75793
http://www.symantec.com/docs/HOWTO75792
http://www.symantec.com/docs/HOWTO75794
Hope this helps
The links above have good info, although I couldn't figure out two things:
What specific files should I change in CCS 11 to enable verbose logging of the collection and to get the XML response files?
Where are the logs and the response files stored on CCS11?
Regards
For Application Server:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application Server
AppserverService.exe.config
For CCS Manager:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\DPS
Symantec.CSM.DPS.exe.config
For Directory Server Support:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Directory Support Service
Symantec.CSM.DSS.Service.exe.config
These are all XML files so you will need to look into the text and find where the log levels are set to change how the logs are performing. Most logs can be found here for Windows Server 2008+:
C:\ProgramData\Symantec.CSM\Logs\[folder of service/task]
When you change the log levels the change will be immediate and you will not need to stop/start the given service.
Hope this helps.