1 Reply Latest reply on Mar 1, 2011 6:14 AM by hithrog

    Events from Linux Shield not being logged in database

      I'm in the process of configuring an ePO 4.0.2 server, and have got Windows clients running agent 3.6.0.574 running OK. They are updating their DAT files, running on demand scans, and reporting events back as expected.

      I'm now adding some RH Linux systems, with agent version 4.0.0.1298 and Linux Shield version 1.5.1. They are correctly reporting information about themselves, and I am able to push out policies and tasks to them. They update their DAT files correctly, and run scheduled tasks. On-access scanning is now working, once I got the kernel-devel package installed. All OK.

      However when I trigger an event on them, using the eicar test virus, the event is not properly being reported in ePO. I have tracked the events through, and they are being generated on the client, and uploaded to the server. (Automated email notification direct from the client is also working correctly). The logs on the server do not show any error.

      Configuring a notification rule for any Linux Shield events is working correctly. This sends me an email, and looking in the notification log, the event shows up correctly.

      The problem is that the event does not seem to be stored in the database. None of the pre-configured queries show that event - they do show events for Windows systems. Running a custom query for event ID 1270 - the ID confirmed by the notification log - does not return anything.

      I have tried removing and re-adding the Linux Shield reports extension that came as part of the Linux Shield package. It shows version 1.0.150 as installed. I have also tried removing the extension, stopping ePO, renaming the directory the DLL was in under plugins, and restarting ePO. This does not seem to have had any effect - the events are still not stored.

      Anyone have any other suggestions I could try here?

      Thanks

      NB
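The post narrows the fault to one stage: the event reaches the server and fires a notification rule, but no query returns it. A direct look at the event table bypasses the query/report extension and shows whether the row was ever written. The SQL below is an added example, not part of the original post or of McAfee's own tooling. It assumes the ePO 4.x event table is named EPOEvents with the columns ThreatEventID, ReceivedUTC, TargetHostName, AnalyzerName and AnalyzerVersion (verify the names against your own schema before relying on them), and that the Linux host name and event ID 1270 are the ones from the post.

```sql
-- Added example: run against the ePO database (SQL Server) with read-only rights.
-- Column and table names are assumed from the ePO 4.x schema; check them first:
SELECT name FROM sys.columns WHERE object_id = OBJECT_ID('EPOEvents');

-- 1. Is the specific event (ID 1270 from the notification log) in the table at all?
--    If the notification fired but this returns nothing, the event was consumed
--    by the notification path but never inserted, which points at event parsing
--    for this product rather than at the reports extension.
SELECT ReceivedUTC, TargetHostName, AnalyzerName, AnalyzerVersion, ThreatEventID
FROM   EPOEvents
WHERE  ThreatEventID = 1270
ORDER  BY ReceivedUTC DESC;

-- 2. Has *anything* from the Linux Shield analyzer been stored, under any event ID?
--    Replace the LIKE pattern with the AnalyzerName actually reported in the
--    notification log; 'LinuxShield' is an assumption for the example.
SELECT AnalyzerName, AnalyzerVersion, ThreatEventID, COUNT(*) AS n
FROM   EPOEvents
WHERE  AnalyzerName LIKE '%LinuxShield%'
GROUP  BY AnalyzerName, AnalyzerVersion, ThreatEventID
ORDER  BY n DESC;

-- 3. Control: confirm the same query shape does return the Windows EICAR events
--    the pre-configured reports already show, so the test itself is sound.
--    Replace 'WINHOST01' with a Windows client name from your own console.
SELECT TOP 10 ReceivedUTC, TargetHostName, AnalyzerName, ThreatEventID
FROM   EPOEvents
WHERE  TargetHostName = 'WINHOST01'
ORDER  BY ReceivedUTC DESC;
```

If query 1 is empty while the notification log shows the event, the next place to look is the server's event-parsing log for the Linux Shield product rather than the reports extension, since notifications are raised before the row is committed. If query 2 returns rows with a different ThreatEventID, the custom query was simply filtering on the wrong ID.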