Symantec IT Risk and Compliance Product Group

  • 1.  Check Status as "Unknown"

    Posted Mar 02, 2012 05:08 PM

    Hello All,

    I'm running an evaluation of some Windows 2008 machines against the CIS Windows Server 2008 Benchmark and noticed a large number of results with status "unknown" (instead of pass/fail), especially those related to "Audit Policy". It seems like the collection mechanism cannot find or access the values, but I know they are actually there (i.e., registry, secpol, auditpol.exe, etc.). I'm running an agentless collection and using domain admin credentials.

    Has anybody observed the same?

    Regards



  • 2.  RE: Check Status as "Unknown"

    Posted Mar 03, 2012 07:10 AM

    Hi,

    Did you try running the same checks by choosing the same data source from the RMS console, pointing to the same server in the domain? If yes, do you see the results, or does it throw any error message?



  • 3.  RE: Check Status as "Unknown"

    Posted Jul 10, 2012 09:18 AM

    I know this is a little old. Wondering if anyone had a fix.

    I run the same evaluation with the same setup as above on Windows Server operating systems, and everything works fine. When I run an evaluation against a Windows 7 machine (Windows 7 CIS Security Benchmark), I get a large portion (46%) unknown. And it is not detecting the changes in the policy on the Windows 7 machine to correct failures either; even though I can log in to the machine and see the changes have been made, they are still flagged as "Fail" in the evaluation.

    I am using CCS 11, and a domain admin account as Windows Credentials. I have verified that the credentials work without issue on the Windows 7 machine.

    Thanks...



  • 4.  RE: Check Status as "Unknown"

    Posted Jul 10, 2012 03:40 PM

    Unknown status can come from many different conditions.   You will most likely need to look into the data collection job and see what messages are being reported.  In addition to that you may need to turn on verbose logging on the CCS Manager and look at the logs.  In most cases the logs will be in the following folder:  C:\Programdata\Symantec.CSM\DPS\*.csv   The folder names might have changed due to the newer version, but once verbose logging is turned on, then you will need to sift through the logs to see what is causing the issue.  It is possible that there is something being blocked on your target machine.  Most of the data is now collected via WMI so you will need to make sure that nothing is blocking that.   As Syed had mentioned previously, try to build a query to get the same data as being requested in the check and see if you are successful.

    Hope this helps



  • 5.  RE: Check Status as "Unknown"

    Posted Jul 20, 2012 12:23 PM

    Hi Guys,

    How do I turn verbose logging on CCS11?

    Thanks in advance

    JPontes



  • 6.  RE: Check Status as "Unknown"

    Posted Jul 20, 2012 12:43 PM

    Thank you for your reply. It turned out that the Windows firewall on the local machine was configured to block things like WMI as you mentioned. I was able to reconfigure and get the scan to work perfectly. I see you mentioned verbose logging, and another response was asking how to turn that on. I think I would have been able to find my firewall issue a little faster if I had this enabled. So my question is the same as the question below. How do you enable verbose logging?

    Thanks.
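
Added example (not part of any post in this thread, and not Symantec code): a PowerShell probe, run from the collecting host, of the remote WMI path that posts 4 and 6 identify as the cause of "Unknown" results. The host name `WIN7-TARGET`, the function names and the use of `Win32_OperatingSystem` as a test class are assumptions; it is not the query CCS itself issues.

```powershell
# Probe TCP 135 (RPC endpoint mapper); WMI/DCOM also needs dynamic RPC ports,
# so an open 135 alone does not prove that WMI collection will work.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Run one remote WMI query and classify the outcome so that a network block
# can be told apart from a credential or permission problem.
function Test-WmiCollection {
    param([string]$ComputerName,
          [System.Management.Automation.PSCredential]$Credential)
    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Rpc135Open   = Test-TcpPort -ComputerName $ComputerName -Port 135
        WmiQuery     = 'NotRun'
        Detail       = ''
    }
    $params = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName
                 ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $os = Get-WmiObject @params
        $result.WmiQuery = 'OK'
        $result.Detail   = $os.Caption
    } catch [System.UnauthorizedAccessException] {
        $result.WmiQuery = 'AccessDenied'      # credentials or DCOM/WMI rights
        $result.Detail   = $_.Exception.Message
    } catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA = "The RPC server is unavailable": host down or traffic blocked
        if ($_.Exception.ErrorCode -eq 0x800706BA) { $result.WmiQuery = 'RpcUnavailable' }
        else { $result.WmiQuery = 'ComError' }
        $result.Detail = $_.Exception.Message
    } catch {
        $result.WmiQuery = 'Error'
        $result.Detail   = $_.Exception.Message
    }
    $result
}

# Placeholder target name; supply the account used for the collection job.
Test-WmiCollection -ComputerName 'WIN7-TARGET' -Credential (Get-Credential)
```

A `WmiQuery` value of `RpcUnavailable` while the host is otherwise reachable matches the firewall condition described in post 6; `AccessDenied` points at the account or its DCOM/WMI permissions instead.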



  • 7.  RE: Check Status as "Unknown"

    Posted Jul 20, 2012 12:56 PM

    Hi,

    Please refer to CCS_User_Guide.pdf, pages 425 and 708, for more clarity.

     



  • 8.  RE: Check Status as "Unknown"

    Posted Jul 20, 2012 03:37 PM

    Basically you need to find the desired config file and edit the XML and find the log level and change it.  Here are a couple of links for your reference:

    http://www.symantec.com/docs/HOWTO75793

    http://www.symantec.com/docs/HOWTO75792

     http://www.symantec.com/docs/HOWTO75794

    Hope this helps



  • 9.  RE: Check Status as "Unknown"

    Posted Jul 21, 2012 04:15 PM
    The links above have good info, although I couldn't figure out two things: What specific files should I change in CCS 11 to enable verbose logging of the collection and to get the XML response files? Where are the logs and the response files stored on CCS 11?

    Regards


  • 10.  RE: Check Status as "Unknown"
    Best Answer

    Posted Jul 31, 2012 03:48 PM

    For Application Server:

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application Server

         AppserverService.exe.config

    For CCS Manager:

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\DPS

         Symantec.CSM.DPS.exe.config

    For Directory Server Support:

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Directory Support Service

         Symantec.CSM.DSS.Service.exe.config

    These are all XML files so you will need to look into the text and find where the log levels are set to change how the logs are performing.  Most logs can be found here for Windows Server 2008+:

    C:\ProgramData\Symantec.CSM\Logs\[folder of service/task]

    When you change the log levels the change will be immediate and you will not need to stop/start the given service.

    Hope this helps.