7 Replies Latest reply on Sep 24, 2012 11:47 AM by redbeardrc

    Update Agent Clears Threat Events

    soviatt

      Not cool. I don't know if this has always been the norm as I've only gone through one patch update, but by deploying (updating) to VSE 8.8.0.975 P2 I find that I am also clearing out my threat event history on every computer I update. Again, I say, "NOT COOL".

       

Does anyone know a way to circumvent, or do I just take a deep breath, collect my logs before patching (NOT COOL) and deal with it?

        • 1. Re: Update Agent Clears Threat Events
          petersimmons

          Could you be specific on the behavior? ePO captures all the threat events and they don't go anywhere unless you purge them. Perhaps you're seeing something I don't see. Let us know and we'll try to help.

          • 2. Re: Update Agent Clears Threat Events
            soviatt

On any desktop (so far) that I push the agent update to, regardless of the current version of the agent running on any desktop, the threat event log is completely cleared. It's as though it's a new install. For instance, if I am running agent 4.6.2292 on a desktop and I update to agent version 4.6.2935 (latest version) the update will leave me with a blank threat event log.

             

BTW I manage two domains with ePO (separate installs) and they both exhibit this behavior.

             

            Message was edited by: soviatt on 9/19/12 5:21:06 PM CDT
            • 3. Re: Update Agent Clears Threat Events
              petersimmons

              Do you mean the log stored here?

               

              oas_log.png

               

              That data is considered disposable if you have a managed agent because ePO captures it all. The raw events are stored with the agent until it checks in the next time. Why bother with that when ePO stored up every entry for you across all your machines?

               

(I have to admit to taking 7+ minutes to remember where the heck that directory was located. I normally fetch data directly from ePO.)

               

              Or do you mean this?

               

              threat_log.png

              • 4. Re: Update Agent Clears Threat Events
                soviatt

I had to look! I tried it again on a system with significant logs. First I copied the actual desktop folders as backup, then ran the agent update. The desktop logs remained untouched but the ePO logs are cleared. So in reference to your posted screenshots it is the second threat log that is cleared. I'm glad you brought that up too, as I'm relieved to at least still have the data, although annoyed that I can't use ePO to see it.

                • 5. Re: Update Agent Clears Threat Events

It sounds like when you upgraded you did a forced install. If so, the updated agent will have a new GUID. The event log in the ePO database is cross-referenced to the GUID, not the machine name. The events are still there, but the association of the events to that machine is now broken because the GUID has changed. To re-associate them you'd need to do it in SQL by setting all the events with that machine name to contain the new GUID.

                  • 6. Re: Update Agent Clears Threat Events
                    soviatt

That sounds like a reasonable explanation, redbeardrc. Yes, the deployments I've made have been "forced" and I had no idea it would change the GUID. I can perform some more of these and verify that theory. It's not worth the trouble to go through the re-association as I've found that the logs remain intact on the machine itself. I should be able to test this later today...

                    • 7. Re: Update Agent Clears Threat Events

Please note that this will also affect reports. For example, if you run a report such as threats per operating system, you will find that you will get hits against a blank (unknown) OS because ePO can't tie the event back to a machine any longer to obtain what OS was involved.
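The re-association described in reply 5, and the orphan check behind the blank-OS report rows mentioned in reply 7, as an added worked example. This is not code from the thread or from McAfee: it is a T-SQL sketch that assumes the ePO database exposes a `dbo.EPOLeafNode` table (one row per managed system, with `NodeName` and `AgentGUID`) and a `dbo.EPOEvents` table (threat events keyed by `AgentGUID`, with the reporting host name in `AnalyzerHostName` and a `DetectedUTC` timestamp); confirm those names against your own ePO version before running anything. The host name is a placeholder.

```sql
-- Assumed ePO schema (verify against your database):
--   dbo.EPOLeafNode : NodeName, AgentGUID          (current agent per system)
--   dbo.EPOEvents   : AgentGUID, AnalyzerHostName, DetectedUTC (threat events)

-- 1. Inventory: events whose AgentGUID matches no registered agent any more,
--    grouped by the host that reported them. These are the events that
--    "vanished" after a forced agent reinstall and that reports drop into
--    the blank/unknown OS bucket, because no leaf node owns that GUID.
SELECT e.AnalyzerHostName,
       e.AgentGUID        AS OldAgentGUID,
       n.AgentGUID        AS CurrentAgentGUID,
       COUNT(*)           AS OrphanedEvents,
       MIN(e.DetectedUTC) AS FirstEvent,
       MAX(e.DetectedUTC) AS LastEvent
FROM dbo.EPOEvents e
JOIN dbo.EPOLeafNode n
  ON n.NodeName = e.AnalyzerHostName
WHERE e.AgentGUID <> n.AgentGUID
  AND NOT EXISTS (SELECT 1 FROM dbo.EPOLeafNode x WHERE x.AgentGUID = e.AgentGUID)
GROUP BY e.AnalyzerHostName, e.AgentGUID, n.AgentGUID
ORDER BY OrphanedEvents DESC;

-- 2. Re-associate one host's orphaned events with its current GUID.
--    Runs in a transaction and rolls back by default so the affected row
--    count can be checked first; switch to COMMIT once it looks right.
DECLARE @HostName NVARCHAR(255) = N'HOSTNAME-PLACEHOLDER';  -- constructed placeholder
DECLARE @NewGUID  UNIQUEIDENTIFIER;

SELECT @NewGUID = AgentGUID
FROM   dbo.EPOLeafNode
WHERE  NodeName = @HostName;

IF @NewGUID IS NULL
BEGIN
    RAISERROR('No leaf node with that NodeName; nothing to re-associate.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

UPDATE e
SET    e.AgentGUID = @NewGUID
FROM   dbo.EPOEvents e
WHERE  e.AnalyzerHostName = @HostName
  AND  e.AgentGUID <> @NewGUID
  -- Only touch events whose old GUID is dead; never steal events from a
  -- live agent that happens to share the host name (renamed or re-imaged box).
  AND  NOT EXISTS (SELECT 1 FROM dbo.EPOLeafNode x WHERE x.AgentGUID = e.AgentGUID);

SELECT @@ROWCOUNT AS EventsReassociated;

-- Compare EventsReassociated with OrphanedEvents from step 1, then either:
--   COMMIT TRANSACTION;
-- or leave the default below in place.
ROLLBACK TRANSACTION;
```

Take a database backup before the UPDATE and run step 1 first; its per-host count is the number step 2 should report. The `NOT EXISTS` guard is the important design choice: matching purely on `AnalyzerHostName`, as reply 5 suggests, would also re-point events from any other agent currently registered under the same host name, so the update is restricted to GUIDs that no leaf node owns any more.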