Video Screencast Help

Why do I have multiple instances of the same hostname in SEPM 11?

Created: 07 Sep 2012 • Updated: 26 Sep 2012 | 8 comments
This issue has been solved. See solution.

I'm pulling some reports in SEPM 11 and while doing so I've realized that there are multiple entries within SEP for the same machine name.  Has anyone else experienced this?  If so, do you know why this happens?  And how to resolve it?

 

Thanks,

Mike

Comments 8 CommentsJump to latest comment

Ashish-Sharma's picture

hi,

are you using image OS ?

Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console

http://www.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade's picture

Hi,

There are few duplicate entries related issues are fixed in recent SEP version. Could you pleaes confirm SEPM version?

Risk event compression causes duplicate entries in Symantec Endpoint Protection Manager external logging
Fix ID: 1917948
Symptom: Compressed alert logs are sent out again following 'Summarized data'.
Solution: Compressed alert logs are filtered. Only the summary alert will be sent out.
 
Multiple event reinsertions to Symantec Endpoint Protection Manager database
Fix ID: 1907365
Symptom: A client may forward the same local events (scans, virus detections, definition updates, etc.) to the Symantec Endpoint Protection Manager server again, resulting in two or more copies of the same event in the database. These events have the exact same date/time as the original events, but because they are forwarded at a different time, the Database Insert timestamp is different. These duplicate events skew the presentation of logs and reports in the Console, and may cause unnecessary alerts and notifications.
Solution: Resolved the internal bookkeeping errors that caused clients to forward the same events to Symantec Endpoint Protection Manager repeatedly.
 

Symantec Endpoint Protection Manager sends old entries to external log server
Fix ID:
2392317/2366479
Symptom: The Symantec Endpoint Protection Manager sends old entries to external log server. This results in duplicate log entries on the external log server.
Solution: Symantec Endpoint Protection Manager now properly tracks when logs are sent to the external log server to resolve this issue.

Reference: http://www.symantec.com/business/support/index?page=content&id=TECH103087&key=54619

 

 

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

sandra.g's picture

Another possibility: if you're using User Mode rather than Computer Mode for your clients (common for Active Directory integration), then if several users use the same computer, that hostname will appear more than once.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

rs_cert's picture

I agree with Ashish. This issue is occuring because of symantec installation running through Image Disk.

You can delete the same extra entry and for the feature use the image disk but remove the H/W entry before making the IMAGE Disk

Use the below step

Click on Start button -> Run -> Smc  –stop     Than Press Enter

Enter the Password (*****) to stop the Service

Go to Below Registry path and delete the entry of HardwareID
Path - HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID.

Delete the “sephwid.xml” file from below path

Path - C:\Program Files\Common Files\Symantec Shared\HWID

NOTE: The registry value HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\SySoftk may also need to be deleted if present.

Once the image is applied to a new system, the client will generate a unique id value, check in with its SEPM and register. During the registration process the SEPM will register all necessary client information into the database.

This value will regenerate automatically when the next time client loads.

 

 

SOLUTION
Ashish-Sharma's picture

Hi SEP_FMI,

Any update on this ?

If you have received solution please don't forgot mark as solution please comments help you.

Thanks In Advance

Ashish Sharma

 

 

.Brian's picture

What verson of 11.x are you running?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009's picture

Just a quick note: on the latest releases of SEP 12.1 (SEP 12.1 RU1 and above) there are several enhancements that really deal well with multiple Hardware ID's (the cause of duplicate entries in the SEPM).  If you are in the position to upgrade to SEP 12.1, I recommend it!

Duplicate client entries showing in the SEPM console after cloning an endpoint
Fix ID: 2436935
Symptom: After cloning an endpoint, each clone shows in SEPM with two entries. One entry shows the client as offline, and one is online.
Solution: Resolved by changes to the client recognition logic. The "hardware ID" and "known client ID" values are now handled differently within SEPM to ensure that clients are correctly recognized by the Manager.
 

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients
http://www.symantec.com/business/support/index?page=content&id=TECH163349

With thanks and best regards,

Mick