cancel
Showing results for 
Search instead for 
Did you mean: 
amenendp
Level 10

Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Hi all,

after upload the extensions for our ATD TIE DXL project, I see too much entries in ePO audit log>

Priority:High
Action:Notify Agent(s)
Details:Authorization failed
Success:Failed

20.000 entries per day.

DXL 2.2.0.226

TIEsrv 1.3.0.235

TIEmodule 1.0.1.140

ATD 3.4.8.1

Disabling ePO server on ATD configuration doesn't solve.

I'm waiting for Intel Security support... but if anyone have some idea/expertise with this...

Thanks.

1 Solution

Accepted Solutions
amenendp
Level 10

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Have you Rogue Sensors?

Our problem was solved with a packet and instructions provided by Support RDS 5.0.4 ONLY TO SUPPORT.

The explanation was:

"DXL adds functionality to ePO to allow agent wakeup calls to occur over DXL instead of the McAfee agent. Certain point products appear to be using a deprecated API call when making those wakeup calls (RSD/EEPC). These bad API calls are generating this error.

- The RSD update we released addresses the issue from the RSD perspective."

I hope it will be useful for you.

25 Replies
Troja
Level 14

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Hi,

can you please send some more information about the audit.log entry?

Cheers

amenendp
Level 10

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

The events on Audit Log have that information.

On Orion log i see this:

2016-05-04 10:10:21,226 ERROR [pool-1-thread-47] service.DataChannelMessageServiceInternal  - Error running agent notification command

com.mcafee.orion.core.auth.AuthorizationException: Authorization failed

  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1307)

  at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1037)

  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1006)

  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:856)

  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:810)

  at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.runNotifyAgentCommand(DataChannelMessageServiceInternal.java:763)

  at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:1019)

  at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:971)

  at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68)

  at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:34)

  at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.sendAckMessage(SensorMessageServiceImpl.java:160)

  at com.mcafee.rsd.datachannel.SensorDataListener.sendAck(SensorDataListener.java:80)

  at com.mcafee.rsd.datachannel.SensorDataListener.HandleSensorDataMessage(SensorDataListener.java:110)

  at com.mcafee.rsd.datachannel.SensorDataListener.messageNotify(SensorDataListener.java:33)

  at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal$MessageNotifier.run(DataChannelMessageServiceInternal.java:1346)

  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

  at java.lang.Thread.run(Thread.java:745)

Thanks.

0 Kudos
Pmaquoi
Level 10

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

the same for me

Error running agent notification command
Exception name:com.mcafee.orion.core.auth.AuthorizationException
Method signature:com.mcafee.orion.core.cmd.CommandInvoker.invoke()
Extension name :DataChannel
Exception stack trace:com.mcafee.orion.core.auth.AuthorizationException: Authorization failed at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1270) at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:999) at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:968) at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:818) at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:772) at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.runNotifyAgentCommand(DataChannelMessageServiceInternal.java:762) at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:1018) at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:970) at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68) at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:34) at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.sendAckMessage(SensorMessageServiceImpl.java:160) at com.mcafee.rsd.datachannel.SensorDataListener.sendAck(SensorDataListener.java:80) at com.mcafee.rsd.datachannel.SensorDataListener.HandleSensorDataMessage(SensorDataListener.java:110) at com.mcafee.rsd.datachannel.SensorDataListener.messageNotify(SensorDataListener.java:33) at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal$MessageNotifier.run(DataChannelMessageServiceInternal.java:1345) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)
Daveb3d
Level 9

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

DXL development team is aware and looking into it. Disabling the DXL extension stops it, but that isn't exactly a solution. 


Dave

amenendp
Level 10

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Yes I know, but it's not a solution. If it's useful, while we wait for a McAfee/Intel answer, we have enabled a SQL query to remove this events.

0 Kudos
Daveb3d
Level 9

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

I am with you.  As I said, they are working on it.   We've been dealing with it for a while and our issue is escalated on up.  I'll see if I can get some more details on the status from the dev team.

Dave

0 Kudos
georgi_ar
Level 9

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Same issue here.

Could you share any info when McAfee get back to you?

0 Kudos
Pmaquoi
Level 10

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

the same for me. still awaiting info from mcafee

0 Kudos
Daveb3d
Level 9

Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

Jump to solution

Hey guys.  My apologies for not updating.  The issue stems from intermixing 1.x DXL clients into the 2.x environment.  Just get all of your DXL clients to updated to the 2.x agent and you should be good.  This is a good idea anyway as the latest update resolves some important issues.   

Dave