Endpoint Protection Small Business Edition


SEPM - Email woes

Migration User, Aug 20, 2010 08:04 AM

  • 1.  SEPM - Email woes

    Posted Aug 12, 2010 05:19 PM

    Hi guys,

    I've been surfing the boards the last couple of days looking for a solution to a problem I'm having with SEPM, with no luck :(. I've got SEPM and SEP installed on two separate servers. The server that is using SEP sends scheduled reports just fine. The server with SEPM is another story. I've got the email server set up correctly. Both are using the same SMTP server with different usernames and passwords. I'm confused as to why I'm able to get emailed reports from SEP but not SEPM. I know the settings are slightly different but I'm completely stumped.

    Any suggestions or insight on this matter would be greatly appreciated!




  • 2.  RE: SEPM - Email woes

    Posted Aug 12, 2010 05:48 PM

    Is the SEPM email server info configured per this document?

    Title: 'Email Alerts and Notifications are not generated successfully by the Symantec Endpoint Protection Manager.'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008072315455948

    Rather than testing with an EICAR alert, try setting one up for server events, such as failed login to SEPM, then purposely put in the wrong password when logging into the SEPM.

    (Is this SEP 11 or SEP Small Business 12?)

    sandra


  • 3.  RE: SEPM - Email woes

    Posted Aug 12, 2010 07:38 PM

    The email server setup is as the document suggests. I've set up the notification for Authentication Failure with no result.

    I'm using SEPM V11.


  • 4.  RE: SEPM - Email woes

    Posted Aug 13, 2010 10:12 AM
    Try removing and re-entering the address you're sending to. Sometimes that works. I also found this information:

    Advanced logging for the SEPM console can be enabled by:

    1. Stop the Symantec Endpoint Protection Manager service
    2. Add the lines scm.log.loglevel=FINEST and scm.mail.troubleshoot=1 to the bottom of the file:
         C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties
    3. Restart the Symantec Endpoint Protection Manager service

    Once logging is enabled, search this log for the email address the notification should go to:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\SecurityNotifyTask.log
    -or-
    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\catalina.out

    If you don't see any errors in this, then you may want to check the mail server logs.

    sandra
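    The conf.properties edit above is easy to get wrong by hand (duplicated keys, or the debug lines left in place after troubleshooting). The script below is an added example, not code from the post or from Symantec: it applies the two settings idempotently, keeps a backup, and can revert them afterwards. The file path is the one quoted in the post; the "key=value" form is an assumption about SEPM's conf.properties (Java properties also allow "key: value", which this does not rewrite).

```python
from pathlib import Path
import shutil

# Settings and path from the post above. The default path is the one quoted
# there; pass your own if SEPM is installed elsewhere.
DEBUG_SETTINGS = {"scm.log.loglevel": "FINEST", "scm.mail.troubleshoot": "1"}
DEFAULT_CONF = Path(r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager"
                    r"\tomcat\etc\conf.properties")


def set_properties(text, updates):
    """Apply key=value updates to Java-properties text.

    Keys already present are rewritten in place (so re-running does not
    duplicate them); missing keys are appended at the end, as the post does.
    Only the 'key=value' form is handled; 'key: value' and 'key value' lines
    are left untouched (assumption: SEPM's conf.properties uses '=').
    """
    seen = set()
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "!")) and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in updates:
                out.append(f"{key}={updates[key]}")
                seen.add(key)
                continue
        out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def remove_properties(text, keys):
    """Drop the given keys so the debug settings can be reverted afterwards."""
    keep = []
    for line in text.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith(("#", "!")):
            if stripped.split("=", 1)[0].strip() in keys:
                continue
        keep.append(line)
    return "\n".join(keep) + "\n"


def enable_debug(conf=DEFAULT_CONF, settings=DEBUG_SETTINGS):
    """Back up conf.properties and write the debug settings into it.

    Run this only while the SEPM service is stopped (steps 1 and 3 of the
    post); Tomcat reads the file at start-up, so a live edit does nothing
    until the next restart.
    """
    shutil.copy2(conf, conf.with_suffix(".properties.bak"))
    conf.write_text(set_properties(conf.read_text(), settings))


if __name__ == "__main__":
    enable_debug()
```

    FINEST logging writes SQL and session details (including admin GUIDs, as the excerpts later in this thread show) into files under tomcat\logs, so revert the settings with remove_properties once the problem is found and restrict who can read that directory in the meantime.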


  • 5.  RE: SEPM - Email woes

    Posted Aug 13, 2010 11:52 AM

    This was all I was able to find pertaining to the email address that should be receiving the notifications. I had the Authentication Failure notification setup to send to admins@kellysystems.com and failed multiple logins.

    2010-08-13 10:11:53.165 INFO: getAdminReciptants from basic_metadata:admins@kellysystems.com
    2010-08-13 10:11:53.165 INFO: isMailSettingsChanged:true
    2010-08-13 10:11:53.180 INFO: updateMailSettings:true

    This was in the SecurityNotifyTask.log. Are there specific errors I need to be looking for?


  • 6.  RE: SEPM - Email woes

    Posted Aug 13, 2010 01:23 PM

    So if I understand correctly, you attempted to trigger the notification again?  Is there anything in the catalina.out?  Logging is also set to finest per the above?

    The actual command to mail appears as "doMail" in the log.  If there's an error in contacting the mailserver or other problems, it should appear somewhere around doMail.

    Feel free to attach the log if you like.

    sandra




  • 7.  RE: SEPM - Email woes

    Posted Aug 14, 2010 10:32 AM

    I did a search for the email address in catalina.out but didn't find anything. Here is the log file SecurityNotifyTask-1.log.

    Attachment(s)

    doc
    SecurityNotifyTask-1.doc   9.54 MB 1 version


  • 8.  RE: SEPM - Email woes

    Posted Aug 16, 2010 07:39 AM
    Double check the mail server configuration in SEPM....


  • 9.  RE: SEPM - Email woes

    Posted Aug 16, 2010 02:54 PM
    I've checked the email server on SEPM. I am using the exact same email settings on SEP that is working completely fine.


    Here is the "Authentication Failure Notification" settings:

    Notification Name: Test
    Domain: (Blank)
    Server: (Blank)
    Failure Type: Occurrence on any Server
    Notification Condition: 1 Occurrence(s) within 1 minute(s)
    Damper: Auto

    Send email to: admins@kellysystems.com


    Thanks for all your help so far guys. Keep the suggestions coming!


  • 10.  RE: SEPM - Email woes

    Posted Aug 16, 2010 05:33 PM

    You may want to reduce the damper to something other than Auto, which is 60 minutes.

    Or, let's try this instead as a test.  I found this in our KB.  Create a new mail event, make sure logging is still enabled.

    "Notification Condition: System Event
    Severity: Informational and above
    Make sure all the boxes are checked
    Damper: Auto

    Save the notification, log out of the SEPM and restart the SEPM service. This will generate two events (shutdown and startup) in one notification. An email will be sent if it has been configured properly."

    If it is not, then the log (the newest one should be SecurityNotifyTask-0.log) will show what happened.

    sandra


  • 11.  RE: SEPM - Email woes

    Posted Aug 16, 2010 05:35 PM
    I repeatedly see things similar to this, suggesting no new events had been recorded:
    2010-08-14 09:06:01.842 FINE: outbreak: checking for newly inserted events after last 
      run: 2010-08-14 14:05:01
    2010-08-14 09:06:01.842 FINE: select min(A.ALERTDATETIME), max(A.ALERTDATETIME) from ALERTS A 
      where A.ALERTINSERTTIME > ? and A.ALERTINSERTTIME <= ? and A.MOTHER_IDX = '' and A.DELETED = 0 
      and A.ALERT_IDX in (1, 2)
    2010-08-14 09:06:01.842 FINE: outbreak: no newly inserted events

    What is the exact configuration of the alert itself? 

    sandra


  • 12.  RE: SEPM - Email woes

    Posted Aug 17, 2010 03:28 PM
    I restarted the service and turned it back on. I failed two logins and then logged in correctly. I was looking at the log and saw the Authentication Failure but I still did not get the email.

    Here is the most recent securitynotifytask.log.

    Attachment(s)

    doc
    SecurityNotifyTask-0.doc   12 KB 1 version


  • 13.  RE: SEPM - Email woes

    Posted Aug 17, 2010 05:56 PM
    Here are some screen shots of the notifications as they are set up in SEPM. I restarted the service once again and failed login twice. I logged in correctly and waited 30 minutes before sending the SecurityNotifyTask-0.doc.


    I did change the Damper from auto to 20 minutes. Maybe you will see something in here that will get us on the right path.

    Thanks for your help thus far.

    Attachment(s)

    doc
    SecurityNotifyTask-0_0.doc   241 KB 1 version


  • 14.  RE: SEPM - Email woes

    Posted Aug 18, 2010 10:52 AM

    I do see the reference to the email address.  I am also seeing this:
    2010-08-17 14:11:30.619 FINE: authFailure: checking for newly inserted events after last 
      run: 2010-08-17 19:10:44
    2010-08-17 14:11:30.619 FINE: select min(S.TIME_STAMP), max(S.TIME_STAMP) from V_SERVER_ADMIN_LOG S 
      where S.TIME_STAMP > ? and S.TIME_STAMP <= ? and S.DOMAIN_ID in ('E076D49F0A00003201B2B450D44DC16E') 
      and S.EVENT_ID = 4098
    2010-08-17 14:11:30.619 FINE: authFailure: no newly inserted events
    

    How long before this (14:11) was the failed login?  I suspect that the 14:11:30 is local time (if you're East coast USA) and the 19:10 is GMT (5 hours ahead of East coast USA).

    Maybe adjust it so that it's 1 failure within 5 minutes (instead of 1).

    Did you set up a new alert based on stopping and starting the service (per above) with the debug logging on? I still wonder about the 60 minute damper, though I would expect at least one alert to go out with an aggregate report. This just doesn't seem to call up the doMail at all to send the mail.

    sandra


  • 15.  RE: SEPM - Email woes

    Posted Aug 18, 2010 12:11 PM

    Okay, I do see this:

    2010-08-17 16:12:42.598 FINE: enforcerEvent: checking for newly inserted events after
      last run: 2010-08-17 17:46:17
    2010-08-17 16:12:42.598 FINE: select count(*) from V_ENFORCER_SYSTEM_LOG S where
      S.TIME_STAMP > ? and S.TIME_STAMP <= ?
    2010-08-17 16:12:42.598 FINE: doMail: mail utility can send mail.
    2010-08-17 16:12:42.598 FINE: doMail: MessageAttachment: Message from:
        Server name: yserver
        Server IP: 10.0.0.50
    Number of system events detected: 1,591
    System events included:
    Server,
    Replication,
    Backup/Restore,
    Errors.

    2010-08-17 16:12:42.598 FINE: doMail: has hyperlink.
    2010-08-17 16:12:42.598 FINE: doMail: sFullHyperlink: http://localhost:8014/Reporting/
    [snip]
    2010-08-17 16:12:42.598 FINE: PHP login
    2010-08-17 16:12:42.598 FINE: <?xml version="1.0" encoding="UTF-8"?> <SemLoginInfo
      AdminGUID="AF3C39A10A320801000000DBF200C60A" BaseUSN="0" [snip]
    2010-08-17 16:12:42.598 FINE: Borrow connection from pool.
    2010-08-17 16:12:42.614 FINE: Borrow connection from pool.
    2010-08-17 16:12:42.754 FINE: Return connection to pool.
    2010-08-17 16:12:42.879 FINE: Return connection to pool.
    2010-08-17 16:12:42.879 FINE: Borrow connection from pool.
    2010-08-17 16:12:43.004 FINE: Borrow connection from pool.
    2010-08-17 16:12:43.145 FINE: Return connection to pool.
    2010-08-17 16:12:43.254 FINE: Return connection to pool.
    2010-08-17 16:12:43.254 FINE: logout Tomcat
    2010-08-17 16:12:43.270 FINE: Return connection to pool.
    2010-08-17 16:12:43.270 FINE: ------------ Thread stopped --------------

    Is it possible that something on the server, a GPO locking down security for example, is preventing that part of the process from executing?

    sandra
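    Reading SecurityNotifyTask logs by hand, as the last few replies do, comes down to three questions per notification task: did the window query find any events, did the run reach doMail, and is the "last run" stamp in a different time zone from the log's own clock (the 19:10 versus 14:11 gap noted above). The script below is an added example, not code from the thread or from Symantec. It answers those questions for each task in a log. The sample log is constructed from the excerpts quoted in posts 11, 14 and 15, and the line layout (timestamp, level, message) is inferred from those excerpts rather than from any documentation.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the SecurityNotifyTask-0.log excerpts quoted
# in this thread. The line layout (timestamp, level, message) is inferred from
# those excerpts, not from any Symantec documentation.
SAMPLE_LOG = """\
2010-08-17 14:11:30.619 FINE: authFailure: checking for newly inserted events after last run: 2010-08-17 19:10:44
2010-08-17 14:11:30.619 FINE: select min(S.TIME_STAMP), max(S.TIME_STAMP) from V_SERVER_ADMIN_LOG S where S.TIME_STAMP > ? and S.TIME_STAMP <= ? and S.EVENT_ID = 4098
2010-08-17 14:11:30.619 FINE: authFailure: no newly inserted events
2010-08-17 16:12:42.598 FINE: enforcerEvent: checking for newly inserted events after last run: 2010-08-17 17:46:17
2010-08-17 16:12:42.598 FINE: select count(*) from V_ENFORCER_SYSTEM_LOG S where S.TIME_STAMP > ? and S.TIME_STAMP <= ?
2010-08-17 16:12:42.598 FINE: doMail: mail utility can send mail.
2010-08-17 16:12:42.598 FINE: doMail: sFullHyperlink: http://localhost:8014/Reporting/
2010-08-17 16:12:43.270 FINE: ------------ Thread stopped --------------
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (\w+): (.*)$")
CHECK_RE = re.compile(
    r"^(\w+): checking for newly inserted events after last run: "
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)
TS = "%Y-%m-%d %H:%M:%S"


def triage(log_text):
    """Summarise each notification task's run found in the log text.

    Returns {task_name: {"run_at", "last_run", "offset_hours", "events",
    "domail", "problems"}}. 'events' is False when the task logged
    'no newly inserted events', True once it reached doMail, None if neither
    was seen. 'offset_hours' is last_run minus the log line's own timestamp;
    a value near a whole number of hours is the local-vs-GMT mismatch
    suspected in the thread.
    """
    tasks = {}
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        c = CHECK_RE.match(msg)
        if c:
            current = c.group(1)
            run_at = datetime.strptime(ts, TS)
            last_run = datetime.strptime(c.group(2), TS)
            tasks[current] = {
                "run_at": ts,
                "last_run": c.group(2),
                "offset_hours": round((last_run - run_at).total_seconds() / 3600, 2),
                "events": None,
                "domail": False,
                "problems": [],
            }
            continue
        if current is None:
            continue
        task = tasks[current]
        if msg == f"{current}: no newly inserted events":
            task["events"] = False
        elif msg.startswith("doMail:"):
            task["domail"] = True
            task["events"] = True
        elif level in ("WARNING", "SEVERE"):
            task["problems"].append(msg)
        elif "Thread stopped" in msg:
            current = None
    return tasks


def verdict(task):
    """One-line diagnosis per task, in the order the thread checked things."""
    if task["problems"]:
        return "mail path hit an error: " + "; ".join(task["problems"])
    if task["domail"]:
        return "doMail reached; if no mail arrived, look at the SMTP/IIS side"
    if task["events"] is False:
        return ("query found no events after %s; check the notification filter and "
                "whether last_run (%+.2f h off the log clock) is in a different time zone"
                % (task["last_run"], task["offset_hours"]))
    return "no outcome logged"


if __name__ == "__main__":
    for name, task in triage(SAMPLE_LOG).items():
        print(f"{name}: {verdict(task)}")
```

    On the sample, authFailure comes out as "no events found" with a last_run nearly five hours ahead of the log clock, while enforcerEvent reaches doMail, which is exactly the split the replies above arrived at by eye: the authentication-failure notification never had anything to send, and the system-event notification got as far as building the mail.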




  • 16.  RE: SEPM - Email woes

    Posted Aug 19, 2010 10:18 AM
    We are not using GPeditor to lock down any function on the server. If you could translate the above I may recognize something on the server that would prevent an email from going out.

    One thing I did notice. When I go to the "Admin" tab and click "Servers" I see this statement repeatedly: "August 19, 2010 9:02:03 AM CDT. Server returned HTTP response code: 403 for URL: http://localhost: 8014/Reporting/reports/sr-login.php [Site: My Site] [Server: yserver]"


  • 17.  RE: SEPM - Email woes

    Posted Aug 19, 2010 01:27 PM

    OK.  I have to wonder if this line:
    2010-08-17 16:12:42.598 FINE: doMail: sFullHyperlink: [full reporting url snipped]
    Is generating the 403 error.

    Turn on logging for the Reporting virtual directory in IIS and check the log to get the full HTTP code.  403 generally means forbidden.

    sandra


  • 18.  RE: SEPM - Email woes

    Posted Aug 20, 2010 08:04 AM

    Is there a KB article showing how to do this?


  • 19.  RE: SEPM - Email woes

    Posted Aug 20, 2010 10:24 AM

    Instead of just pasting the link I'll just paste the instructions.  This is IIS 6.

    To turn on logging in IIS
    1. In the IIS manager, right-click each site where you wish to have the logs (such as Reporting, Secars, etc.) and click Properties.
    2. On the Virtual Directory tab, check Log visits.
    3. Click OK.

    Be sure to verify which directory the log is being written to (right-click on website (Symantec Web Server, most likely) > Properties > Web Site tab > next to Enable Logging, Properties > Log file directory/Log file name for the exact directory name).

    If you have IIS 7:

    Title: 'How to enable IIS logging in IIS 7.0'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011312541248

    sandra




  • 20.  RE: SEPM - Email woes

    Posted Aug 20, 2010 02:30 PM

    I've done all of that. With that being said what logs do I need to examine?


  • 21.  RE: SEPM - Email woes

    Posted Aug 23, 2010 11:30 AM
    The IIS log.  Where that is in IIS 6, I noted that above.  For IIS 7, the location is noted in the document referenced above.

    Look for "401" and then paste in those lines. They may look something like this (note the 401 near the end of the line):

    2008-02-12 18:07:10 W3SVC2 127.0.0.1 GET /secars/secars.dll action=34 80 - 127.0.0.1 Java/1.5.0_14 401 1 0

    This may also help.

    Troubleshooting HTTP 401 errors in IIS
    http://support.microsoft.com/kb/907273

    sandra


  • 22.  RE: SEPM - Email woes

    Posted Aug 24, 2010 11:44 AM
    I searched the log files for the past week and didn't find "401". I've attached the log files for the 23rd and 24th.


    I'd like to thank you for your help so far. I hope we'll stick with this and find a solution.

    Attachment(s)

    doc
    ex100823.doc   172 KB 1 version
    doc
    ex100824.doc   109 KB 1 version


  • 23.  RE: SEPM - Email woes

    Posted Aug 24, 2010 03:49 PM
    Secars is not getting logged.
    In IIS: open Web Sites > Symantec Web Server > Secars > right-click > Properties > select Log visits.

    After that it will log Secars for the Symantec Web Server.


  • 24.  RE: SEPM - Email woes

    Posted Aug 25, 2010 12:08 PM
    I enabled Secars and it is now showing up in the log.

    There are several lines with "401" in them but none that are similar to the example you posted. This upload will be easier than posting the individual lines seeing as they are extremely long.

    Attachment(s)

    doc
    ex100825.doc   1.16 MB 1 version


  • 25.  RE: SEPM - Email woes
    Best Answer

    Posted Aug 25, 2010 01:41 PM
    2010-08-25 00:00:06 W3SVC5 127.0.0.1 POST /Reporting/reports/sr-login.php - 8014 - 127.0.0.1 Java/1.6.0_14 403 6 0
    
    403.6 = IP address rejected.

    It looks like it's looking for 127.0.0.1.

    This is the only document I can find for this error code.

    Title: 'Symantec Endpoint Protection: Error 403 6 while viewing the Internet Information Services (IIS) Log or Error "IP address of the client has been rejected"'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008011505140648

    sandra


  • 26.  RE: SEPM - Email woes

    Posted Aug 25, 2010 02:24 PM
    And that did it! Thanks so much for your help Sandra. I appreciate you sticking with me through this issue.


  • 27.  RE: SEPM - Email woes

    Posted Aug 25, 2010 02:44 PM
    Once you get the correct log and the correct error in the log, it's easy to find out what the issue/solution is.


  • 28.  RE: SEPM - Email woes

    Posted Aug 25, 2010 02:48 PM
    Thank you as well for helping me enable Secars in logging.


  • 29.  RE: SEPM - Email woes

    Posted Aug 25, 2010 02:53 PM

    Glad to hear it, and happy to help!

    BTW, you may wish to disable IIS logging or the files may get large :)

    sandra