Symantec IT Risk and Compliance Product Group

 View Only
  • 1.  Check Status as "Unknown"

    Broadcom Employee
    Posted Mar 02, 2012 05:08 PM

    Hello All,

    I'm running an evaluation of some Windows 2008 machines against the CIS Windows Server 2008 Benchmark and noticed a large amount of results with status "unknown" (instead of pass/fail), specially those ones telated to "Audit Policy". It seems like the collection mechanism cannot find or access the values, but I know they are actually there (ie.: registry, secpol, auditpol.exe, etc...) I'm running an agentless collection and using domain admin credentials.

    Does anybody has observed the same?


  • 2.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Mar 03, 2012 07:10 AM


    Did you tried running the same checks from chosing same data source from RMS console pointing to the same server in a domain? if yes do you see the results or does it throws any error message?

  • 3.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 10, 2012 09:18 AM

    I know this is a little old. Wondering if anyone had a fix.

    I run the same evaluation with the same setup as above on Windows Server operating systems, and everything works fine. When I run an evaluation against a Windows 7 machine, (Windows 7 CIS Security Benchmark)  I get a large portion (46%%) unknown. And it is not detecting the changes in the policy on the Windows 7 machine to correct failures either, even though I can log in to the machine and see the changes have been made, they are still flagged as "Fail" in the evaluation.

    I am using CCS 11, and a domain admin account as Windows Credentials. I have verified that the credentials work without issue on the Windows 7 machine.


  • 4.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 10, 2012 03:40 PM

    Unknown status can come from many different conditions.   You will most likely need to look into the data collection job and see what messages are being reported.  In addition to that you may need to turn on verbose logging on the CCS Manager and look at the logs.  In most cases the logs will be in the following folder:  C:\Programdata\Symantec.CSM\DPS\*.csv   The folder names might have changed due to the newer version, but once verbose logging is turned on, then you will need to sift through the logs to see what is causing the issue.  It is possible that there is something being blocked on your target machine.  Most of the data is now collected via WMI so you will need to make sure that nothing is blocking that.   As Syed had mentioned previously, try to build a query to get the same data as being requested in the check and see if you are successful.

    Hope this helps

  • 5.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 20, 2012 12:23 PM

    Hi Guys,

    How do I turn verbose logging on CCS11?

    Thanks in advance


  • 6.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 20, 2012 12:43 PM

    Thank you for your reply. It turned out that the Windows firewall on the local machine was configured to block things like WMI as you mentioned. I was able to reconfigure and get the scan to work perfectly. I see you mentioned verbose logging, and another response was asking how to turn that on. I think I would have been able to find my firewall issue a little faster if I had this enabled. So my question is the same as the question below. How do you enable verbose logging?


  • 7.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 20, 2012 12:56 PM
      |   view attached


    Please refer to CCS_User_Guide.pdf page 425 and 708 for more clarity.



    CCS_User_Guide.pdf   13.75 MB 1 version

  • 8.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 20, 2012 03:37 PM

    Basically you need to find the desired config file and edit the XML and find the log level and change it.  Here are a couple of links for your reference:

    Hope this helps

  • 9.  RE: Check Status as "Unknown"

    Broadcom Employee
    Posted Jul 21, 2012 04:15 PM
    The links above have good info, although I couldn't figure out two things: What specific files should I change in CCS 11 to verbose logging the collection an to get the xml response files? Where do the logs and the response files are stored on CCS11? Regards

  • 10.  RE: Check Status as "Unknown"
    Best Answer

    Broadcom Employee
    Posted Jul 31, 2012 03:48 PM

    For Application Server:

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application Server


    For CCS Manager:

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\DPS


    For Directory Server Support

    X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Directory Support Service


    These are all XML files so you will need to look into the text and find where the log levels are set to change how the logs are performing.  Most logs can be found here for Windows Server 2008+:

    C:\ProgramData\Symantec.CSM\Logs\[folder of service/task]

    When you change the log levels the change will be immediate and you will not need to stop/start the given service.

    Hope this helps.