1 Reply Latest reply on Feb 4, 2014 12:38 AM by meforum

    audit records created for "The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A"

    langer

      The audit record entry "user was not authorized to access the requested URL /core/handleHttpError.do" (displayed in ePO Audit Log) is filling up my database with some 3 million entries per day. It's killing my database.

       

      I contacted Platinum Support about the issues and below is the conversation:

       

      From: McAfee Platinum Support
      Sent: Monday, February 03, 2014 11:33 AM
      Subject: 4-5007960769 The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      Thank you for contacting the McAfee Platinum Support. My name is XXXXX XXXX and I will be working with you to answer your questions and resolve this issue.

      This email is regarding case xxxxxxxxxxxx

      Initial Problem: The entry "user was not authorized to access the requested URL /core/handleHttpError.do" (displayed in ePO Audit Log) is filling up my database.

      Possible Solution: Bob, this issue is explained in http://kc.mcafee.com/agent/index?page=content&id=KB71458 and will likely be resolved in a future release of the product. To change it in the current version of the product has been deemed by engineering to be a product enhancement request.

       


      Sent: Monday, February 03, 2014 10:38 AM
      To: Platinum Support
      Subject: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      Thank you for the email.

      What release has this been fixed in? It is creating millions of line entries in my audit table and makes it very hard to search for important data that I am scanning for.

       

      From: P support
      Sent: Monday, February 03, 2014 11:46 AM
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      I do not have any specifics in which release it will be corrected, not in 5.0 or 5.1.

       

      P support

       

       

      From: Lange, Robert
      Sent: Monday, February 03, 2014 10:51 AM
      To: P Support
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      So ... you are telling me that I am supposed to just live with the millions of records being created and filling up my database?

      Where are these being generated from … is there something I can turn off or turn on or adjust?

       

      Regards

      Me

       

      From: P Support
      Sent: Monday, February 03, 2014 12:09 PM
      To: Lange
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      It looks like the resolution is deferred to 5.2

       

      “Referral candidate: pre-existing; depends on new feature (ability to use unauthenticated error page, which is slated for 5.2 [Cloud] release).”

       

      The error is generated by an attempt to access a non-existent URL on the ePO server. We want to capture and log the messages since hackers are the ones who will probe the server looking for "chinks in the armor" by entering random paths. Admins will want to know that this is happening, and if we eat these audit messages, admins will not know they are being probed.

       

      You can filter the log to find what you are looking for.

       

      P support

       

       

      From: Lange,
      Sent: Monday, February 03, 2014 11:18 AM
      To: P support
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      I realize one can use the filter.


      I might believe this rhetoric, but if I click on an event I get no results, findings, or information, which leads me to believe this is a false positive and not important information, because one cannot display, report on or query this type of information for any type of analysis. I don’t understand how you can say I want this information if I cannot even extract useful data from the audit record.

       

      Regards:

      ME

       

       

      From: P support
      Sent: Monday, February 03, 2014 1:14 PM
      To: Lange,
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      Bob

       

      I’m just reporting the outcome of the research that led to the published article.

       

      P support

       

       

      From: Lange,
      Sent: Monday, February 03, 2014 12:20 PM
      To: P support
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      I can understand that, but can you understand why, as an ePO admin, I am trying to determine why I have over 3 million entries a day into my database that have no important information to help me with solving issues, except slowing down and filling up my database?

       

      Regards:

      ME

       

      From: P support
      Sent: Monday, February 03, 2014 1:23 PM
      To: Lange,
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

      Bob

       

      I feel your pain. I just don’t have any traction to ease it. Product management has decided what they are going to do.

       

      P support

       

       

       

       

      From: Lange,
      Sent: Monday, February 03, 2014 1:29 PM
      To: P support
      Subject: RE: The user was not authorized to access the requested URL /core/handleHttpError.do (displayed in ePO A

       

       

      I would think that somebody… somewhere in the wide world of Intel security would know something about how it is generated, and how to at least shut it down until they can fix it. So no one anywhere has done any research or has any type of workaround to stop the bleeding??


      I have a hard time accepting being a platinum support client receiving a common answer that one would receive from the OTC customer support site.

       

      This is killing my database and performance… what does TIER III say about this issue??

       

      Regards:

      ME