
Event ID 5154 and Sophos Patch

Hi,

I am receiving the following warnings both in the server's application log file as well as the Patch Endpoint Communicator log file.

2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:15:50 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:18:53 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

2014-07-22 14:19:08 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"-- Evidence -- -- Evidence At Publish --

As you can see, the Agent info changes every three warnings.

How can I stop these warnings from occurring?

Server is 2008R2 with a local database. Enterprise console is running at version 5.1.0.1839

Regards

Chris G.

:52044


  • Hello Chris,

    good question. I remember vaguely a similar but definitely not identical issue, quite some time ago during a Beta. Can't say how to stop these warnings (I will later suggest that you contact Support and please follow up here if you've been able to solve the problem :smileywink:) but I'll try to explain what it's about and what the consequences are.

    The Patch Agent (spa.exe) on the endpoint has to submit the patch assessment results to the server. Before doing so it has to register with the server. If an attempt fails it's immediately retried two times and then the registration is rescheduled for 15 minutes later. You'll find the corresponding entries in the endpoint's logs in ...\Sophos Patch Agent\Logs\. The value in Agent Info (also held in a registry key) should correspond to the Identitytag in the database and the Machine_ID.txt in ...\Autoupdate\[data\]. From here it would be just guesswork (like assuming that registration fails because another endpoint has already registered with the same AgentID ...). But anyway, these clients will not be able to send their PA results to SEC.

    Did I already suggest to contact Support? The logic involved (both on the endpoint and in SEC) is not immediately obvious from the database and the logs so I can't tell what is required to remedy this situation.

    Christian

    :52076
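To see which endpoints are failing registration and how often, the warnings can be grouped by Agent Info and split into retry bursts. This is an added example, not code from the thread or from Sophos: the log layout is taken from the lines quoted in the question, while the function names and the 60-second burst gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six warnings quoted in the question (trailing "-- Evidence --" text trimmed).
SAMPLE_LOG = """\
2014-07-22 14:15:19 | PID   1492 | TID     18 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"
2014-07-22 14:15:34 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"
2014-07-22 14:15:50 | PID   1492 | TID     31 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"b12c6df8-e4ba-4fb9-b37f-6d47a5a87a7c"
2014-07-22 14:18:38 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"
2014-07-22 14:18:53 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"
2014-07-22 14:19:08 | PID   1492 | TID     32 | ID:  5154 | Severity:       warn | Signature validation failed..Context: "v101/registration/" Agent Version:"1.0.307.0", Agent Info:"3dc3fdfe-bebf-4723-aab7-2f73bc31a963"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| PID\s+(?P<pid>\d+) \| TID\s+(?P<tid>\d+)'
    r' \| ID:\s+(?P<id>\d+) \| Severity:\s+(?P<sev>\w+) \| (?P<msg>.*)$')
AGENT_RE = re.compile(r'Agent Info:"(?P<agent>[0-9a-fA-F-]{36})"')
BURST_GAP = timedelta(seconds=60)  # assumption: attempts closer than this are one retry burst

def parse_failures(text):
    """Yield (timestamp, agent_id) for each ID 5154 signature-validation warning."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["id"] != "5154" or "Signature validation failed" not in m["msg"]:
            continue
        a = AGENT_RE.search(m["msg"])
        if a:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), a["agent"].lower()

def bursts_by_agent(text, gap=BURST_GAP):
    """Map agent id -> list of bursts; each burst is a list of attempt timestamps."""
    result = defaultdict(list)
    for ts, agent in sorted(parse_failures(text)):
        bursts = result[agent]
        if bursts and ts - bursts[-1][-1] <= gap:
            bursts[-1].append(ts)   # same burst: initial attempt or an immediate retry
        else:
            bursts.append([ts])     # gap exceeded: a rescheduled registration attempt
    return dict(result)

if __name__ == "__main__":
    for agent, bursts in bursts_by_agent(SAMPLE_LOG).items():
        sizes = [len(b) for b in bursts]
        print(f"{agent}: {len(bursts)} burst(s), attempts per burst {sizes}, first seen {bursts[0][0]}")
```

Each Agent Info value listed is an endpoint that is currently not delivering patch assessment results, so the output doubles as a list of machines to check against the database and Machine_ID.txt.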