Hi,
We have a number of unmanaged machines that have suddenly doubled lately. A large number of these machines appear to have sophos installed, fully working an updating yet appear to be greyed out on the SEC
At a loss what it can be.
Hello pdturbo80,
if the computer is new, i.e. previously not seen, and has recently joined the domain then the (new) unmanaged object is expected. If Sophos is correctly installed the endpoint should eventually appear as managed - if nit this suggests some RMS issue. The Router logs from the endpoint should have a hint.
If it's a known computer someone must have deleted it from the console, but whether sync would create a new unmanaged object depends. Anyway, RMS would be the starting point to check.
Christian
Hi,
Machine has been on the network for a while now, not a new machine. I looked into the RMS folder and the log files pretty much say the following daily
19.03.2018 09:18:38 30AC I Calling parent with heartbeat...
19.03.2018 09:18:39 30AC I Heartbeat to parent succeeded.
19.03.2018 09:37:36 5DEC I RouterSystemCheck::onInfoPortsUsed() - number of user ports 171, max number of user ports 3976
19.03.2018 10:37:37 5DEC I RouterSystemCheck::onInfoPortsUsed() - number of user ports 189, max number of user ports 3976
19.03.2018 11:37:37 5DEC I RouterSystemCheck::onInfoPortsUsed() - number of user ports 198, max number of user ports 3976
19.03.2018 12:37:37 5DEC I RouterSystemCheck::onInfoPortsUsed() - number of user ports 185, max number of user ports 3976
19.03.2018 12:53:27 30AC I Calling parent with heartbeat...
Hello pdturbo80,
trying to interpret this snippet - the endpoint does talk to a management server but it looks like it doesn't have to say much but it is not unusual that a four hour interval passes without exiting events. Nevertheless the endpoint must have registered with the console and therefore should appear as managed.
I assume there's no other management server the endpoint could be talking to. If you restart the Sophos Message Router service a new log is written, it will show the connection establishment and whether messages are sent upstream.
Christian
Thanks Christian. I have restarted the RMS on one of the problem machines and the log files output is as follows
23.03.2018 14:17:33 3100 I SOF: C:\Documents and Settings\All Users\Application Data/Sophos/Remote Management System/3/Router/Logs/Router-20180323-141733.log
23.03.2018 14:17:33 3100 I Sophos Messaging Router 4.1.1.127 starting...
23.03.2018 14:17:33 3100 I Setting ACE_FD_SETSIZE to 138
23.03.2018 14:17:33 3100 I Initializing CORBA...
23.03.2018 14:17:33 3100 I Connection cache limit is 10
23.03.2018 14:17:33 3100 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
23.03.2018 14:17:33 3100 I Creating ORB runner with 4 threads
23.03.2018 14:17:33 3100 I Compliant certificate hashing algorithm.
23.03.2018 14:17:33 3100 I This computer is part of the domain MICKEYMOUSE
23.03.2018 14:17:33 3100 I This router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000d00000031302e34342e32382e313532000001204100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f7574657200000003000000000000000800000001435a01004f4154010000001800000001435a01010001000100000001000105090101000000000014000000080000000143a60086000220
23.03.2018 14:17:33 3100 I Successfully validated this router's IOR
23.03.2018 14:17:33 3100 I Reading router table file
23.03.2018 14:17:33 3100 I Host name: ca******
23.03.2018 14:17:33 3100 I Local IP addresses: *.*.*.*
23.03.2018 14:17:33 3100 I Resolved name: ca*******.up.com
23.03.2018 14:17:33 3100 I Resolved alias/es:
23.03.2018 14:17:33 3100 I Resolved IP addresses: *.*.*.*
23.03.2018 14:17:33 3100 I Resolved reverse names/aliases: ca*******.up.com
23.03.2018 14:17:33 3100 I Waiting for messages...
23.03.2018 14:17:33 0904 I Getting parent router IOR from *.*.*.*:8192
23.03.2018 14:17:33 3100 I RouterSystemCheck::onInfoPortsUsed() - number of user ports 56, max number of user ports 3976
23.03.2018 14:17:33 0904 I Received parent router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d657373616765526f757465723a312e300000000100000000000000a4000000010102000c00000031302e34342e32382e373500012000004100000014010f004e5550000000210000000001000000526f6f74504f4100526f7574657250657273697374656e740003000000010000004d657373616765526f757465720000000300000000000000080000000100d900004f415401000000180000000100d900010001000100000001000105090101000000000014000000080000000100a60086000220
23.03.2018 14:17:33 0904 I Successfully validated parent router's IOR
23.03.2018 14:17:33 0904 I Accessing parent
23.03.2018 14:17:33 0904 I SSL handshake done, local IP address = *.*.*.*
23.03.2018 14:17:33 0904 I Parent is Router$SERVERNAME
23.03.2018 14:17:34 0904 I RouterTableEntry::LogonToParentRouter() - logging on as active consumer
23.03.2018 14:17:34 0904 I RouterTableEntry state (router, logging on): Router$SERVERNAME is passive consumer, passive supplier
23.03.2018 14:17:34 0904 I Logged on to parent router as Router$ca******:568065
23.03.2018 14:17:34 0904 I This computer is part of the domain MICKEYMOUSE
Still showing as Unmanaged :(
Peter
Hello Peter,
definitely ok. As said, this should result in ca****** (unless ComputerNameOverride has been used) appearing in the console in whatever group.
There are likely Sent messages with .EM as destination, there should be corresponding messages in the server's Router log. The cbonsole is receiving and processing messages (simply to check by displaying all computers, tab Computer Details sorting by Last message time)? Once or twice I had to restart the management services (does no harm to restart the SQL server as well if it's local) because something had gotten stuck.
Christian
