25 Replies. Latest reply on Nov 1, 2016 9:17 AM by erikjgr

    Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"

    amenendp

      Hi all,

       

      After uploading the extensions for our ATD TIE DXL project, I see too many entries in the ePO audit log:

       

      Priority:High
      Action:Notify Agent(s)
      Details:Authorization failed
      Success:Failed

       

      20.000 entries per day.

       

      DXL 2.2.0.226

      TIEsrv 1.3.0.235

      TIEmodule 1.0.1.140

      ATD 3.4.8.1

       

      Disabling the ePO server in the ATD configuration doesn't solve it.

      I'm waiting for Intel Security support... but if anyone has any ideas/expertise with this...

       

      Thanks.

        • 1. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
          Troja

          Hi,

          can you please send some more information about the audit.log entry?

          Cheers

          • 2. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
            amenendp

            The events in the Audit Log have that information.

            In the Orion log I see this:

             

            2016-05-04 10:10:21,226 ERROR [pool-1-thread-47] service.DataChannelMessageServiceInternal  - Error running agent notification command
            com.mcafee.orion.core.auth.AuthorizationException: Authorization failed
              at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1307)
              at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1037)
              at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1006)
              at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:856)
              at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:810)
              at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.runNotifyAgentCommand(DataChannelMessageServiceInternal.java:763)
              at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:1019)
              at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:971)
              at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68)
              at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:34)
              at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.sendAckMessage(SensorMessageServiceImpl.java:160)
              at com.mcafee.rsd.datachannel.SensorDataListener.sendAck(SensorDataListener.java:80)
              at com.mcafee.rsd.datachannel.SensorDataListener.HandleSensorDataMessage(SensorDataListener.java:110)
              at com.mcafee.rsd.datachannel.SensorDataListener.messageNotify(SensorDataListener.java:33)
              at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal$MessageNotifier.run(DataChannelMessageServiceInternal.java:1346)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)

             

            Thanks.
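
A triage sketch for the Orion log excerpt in the post above, added here as an example and not part of the thread or of McAfee's tooling: it groups `AuthorizationException` entries by hour and by the first stack frame outside the command-dispatch classes, so the recurring signature can be told apart from other authorization failures. The sample log, the `PLUMBING` package list and the `com.example` frame are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Orion log excerpt above (frames shortened).
SAMPLE = """\
2016-05-04 10:10:21,226 ERROR [pool-1-thread-47] service.DataChannelMessageServiceInternal  - Error running agent notification command
com.mcafee.orion.core.auth.AuthorizationException: Authorization failed
  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1307)
  at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.runNotifyAgentCommand(DataChannelMessageServiceInternal.java:763)
  at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68)
  at java.lang.Thread.run(Thread.java:745)
2016-05-04 10:10:22,014 ERROR [pool-1-thread-12] service.DataChannelMessageServiceInternal  - Error running agent notification command
com.mcafee.orion.core.auth.AuthorizationException: Authorization failed
  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1307)
  at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68)
2016-05-04 11:02:03,500 ERROR [http-thread-3] example.ConstructedLogger  - Constructed unrelated failure
com.mcafee.orion.core.auth.AuthorizationException: Authorization failed
  at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1307)
  at com.example.constructed.Caller.run(Caller.java:1)
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2},\d{3} \w+ +\[[^\]]*\] +\S+ +- (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.[\w$<>]+\(")
# Dispatch/plumbing packages skipped when looking for the caller (assumption of this example).
PLUMBING = ("com.mcafee.orion.core.", "com.mcafee.epo.dataChannel.", "java.")

def parse_entries(text):
    """Split a log into entries: hour bucket, message, exception class, frame classes."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"hour": m.group(1), "message": m.group(2), "exception": None, "frames": []})
        elif entries:
            f = FRAME.match(line)
            if f:
                entries[-1]["frames"].append(f.group(1))
            elif entries[-1]["exception"] is None and line.strip():
                entries[-1]["exception"] = line.split(":", 1)[0].strip()
    return entries

def caller(entry):
    """First frame class that is not dispatch plumbing, i.e. the component that sent the command."""
    return next((c for c in entry["frames"] if not c.startswith(PLUMBING)), "unknown")

def summarize(text, exception="com.mcafee.orion.core.auth.AuthorizationException"):
    """Count matching exceptions per (hour, calling class)."""
    return Counter((e["hour"], caller(e)) for e in parse_entries(text) if e["exception"] == exception)
```

Entries whose caller differs from the dominant one are the ones worth reading individually once the recurring signature is accounted for.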

            • 3. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
              Pmaquoi

              The same for me.

               

              Error running agent notification command
              Exception name: com.mcafee.orion.core.auth.AuthorizationException
              Method signature: com.mcafee.orion.core.cmd.CommandInvoker.invoke()
              Extension name: DataChannel
              Exception stack trace:
              com.mcafee.orion.core.auth.AuthorizationException: Authorization failed
                at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1270)
                at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:999)
                at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:968)
                at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:818)
                at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:772)
                at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.runNotifyAgentCommand(DataChannelMessageServiceInternal.java:762)
                at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:1018)
                at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal.SendAgentMessage(DataChannelMessageServiceInternal.java:970)
                at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:68)
                at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.SendMessage(SensorMessageServiceImpl.java:34)
                at com.mcafee.rsd.datachannel.SensorMessageServiceImpl.sendAckMessage(SensorMessageServiceImpl.java:160)
                at com.mcafee.rsd.datachannel.SensorDataListener.sendAck(SensorDataListener.java:80)
                at com.mcafee.rsd.datachannel.SensorDataListener.HandleSensorDataMessage(SensorDataListener.java:110)
                at com.mcafee.rsd.datachannel.SensorDataListener.messageNotify(SensorDataListener.java:33)
                at com.mcafee.epo.dataChannel.service.DataChannelMessageServiceInternal$MessageNotifier.run(DataChannelMessageServiceInternal.java:1345)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
                at java.lang.Thread.run(Thread.java:745)
              • 4. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                Daveb3d

                DXL development team is aware and looking into it. Disabling the DXL extension stops it, but that isn't exactly a solution. 


                Dave

                • 5. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                  amenendp

                  Yes, I know, but it's not a solution. If it's useful, while we wait for a McAfee/Intel answer, we have enabled a SQL query to remove these events.

                  • 6. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                    Daveb3d

                    I am with you.  As I said, they are working on it.   We've been dealing with it for a while and our issue is escalated on up.  I'll see if I can get some more details on the status from the dev team.

                     

                    Dave

                    • 7. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                      georgi_ar

                      Same issue here.

                      Could you share any info when McAfee get back to you?

                      • 8. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                        Pmaquoi

                        The same for me. Still awaiting info from McAfee.

                        • 9. Re: Too much ePO Audit Log entries "Notify Agent(s) / Authorization failed"
                          Daveb3d

                          Hey guys.  My apologies for not updating.  The issue stems from intermixing 1.x DXL clients into the 2.x environment.  Just get all of your DXL clients updated to the 2.x agent and you should be good.  This is a good idea anyway as the latest update resolves some important issues.

                           

                          Dave
