
Decoding AutoUpdate Status In Console Errors Table

I want to do some SQL reporting on success and errors for updates to the clients managed by the console as seen here:

Note there is a Code which here varies between 0x00000000 and 0x0000006d. In decimal that's 0 and 109. You can find those code values in the Errors table. But I couldn't find anywhere in the database which translates them to the Description on the right column so you could use them in a report. The closest Sophos webpage is here:

https://community.sophos.com/kb/en-us/120449

But this link is missing codes 0 and 109. Where can we go to find every value of the Code so we could decode it? Here is the DB Query so far. But it's unable to decode these cryptic codes yet so it doesn't work very well so far:

SELECT
    e.*,
    c.Name, c.DomainName, DNSName, IPAddress, IPAddressText, LastLoggedOnUser
FROM
    Errors e
LEFT JOIN
    ComputersAndDeletedComputers c ON e.ComputerID = c.ID
ORDER BY
    e.id ASC;



  • Hello Matthew Hall,

    only codes are stored in the database - as SEC supports several languages the console maps the codes to the corresponding texts (for some messages there are inserts, e.g. which components have failed to download or install). The messages are in one (could be several) of the DLLs (don't ask me which, I'm not at work at the moment).
    IIRC additional text elements for other messages are in the Enumerations tables.

    Christian

  • Hello Christian,

    I did find the codes in Enumerations for every other needed report. But I could not find anything for the update codes. Would it be possible to publish an updated accurate table? I'm not sure it would be that easy to get them from the DLLs unless we know which DLL and could see them with a resource editor or something.

    Matthew.

    These strings, as displayed by EnterpriseConsole.exe, come from the loaded module "C:\Program Files (x86)\Sophos\Enterprise Console\RsEng.dll" or the appropriate language SEC is launched for.

    If you take the example: "ERROR: Could not find a source for updated packages [0x00000071]", this will appear in the 'Core' database as just the code sent to the management server by the messaging system, i.e. 113 as the 'Number' column. The 71 being the hex form of 113 decimal.

    You can see this same code in the client's logs, e.g.:

    Trace(2016-Dec-19 15:04:51): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID></ID><StringID>113</StringID><Sender>ALUpdate</Sender></ErrorMessage><ReadableMessage>ERROR: Could not find a source for updated packages</ReadableMessage></Config>

    Unfortunately opening the above RsEng.dll in Visual Studio to see the "Strings Table" resource doesn't really help you.  You'll find the string in question and against it another value, e.g. 1150.  This will be defined in a header file I would imagine with another value which finally maps back to the 113 code.

    Without the source code, I think the only way you could extract a table of codes to messages would be, at "runtime" rather than "static" analysis, to keep changing the Number value in the database and see what is reflected back by SEC.  Noting that some of the strings will have % values to denote the insert values which are also in the Errors table as Insert1 to Insert5.

    Hope it helps answer the question even if it doesn't help as such.

    Regards,

    Jak
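
Added example, not part of the thread and not Sophos code: the client trace line quoted above carries both the StringID and the ReadableMessage, so code-to-text pairs can be collected from client logs and loaded into a lookup table for reporting. The function names are this example's own, and every sample line except the first is constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

TRACE_RE = re.compile(r"^Trace\(([^)]*)\): Sending message: (<\?xml.*)$")  # trace format quoted in the thread

# First line is the one quoted in the thread; the others are constructed for
# this example (code 9001 and its texts are made up, not real console values).
SAMPLE_LOG = [
    'Trace(2016-Dec-19 15:04:51): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID></ID><StringID>113</StringID><Sender>ALUpdate</Sender></ErrorMessage><ReadableMessage>ERROR: Could not find a source for updated packages</ReadableMessage></Config>',
    'Trace(2016-Dec-19 15:09:02): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID></ID><StringID>9001</StringID><Sender>ALUpdate</Sender></ErrorMessage><ReadableMessage>constructed text, insert A</ReadableMessage></Config>',
    'Trace(2016-Dec-19 15:09:40): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID></ID><StringID>9001</StringID><Sender>ALUpdate</Sender></ErrorMessage><ReadableMessage>constructed text, insert B</ReadableMessage></Config>',
    'Trace(2016-Dec-19 15:10:00): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage>',
    'Trace(2016-Dec-19 15:10:01): Some unrelated trace text',
]

def parse_line(line):
    """Return (decimal_code, text) for an RMSEndUpdate trace line, else None."""
    m = TRACE_RE.match(line.strip())
    if not m or "<!DOCTYPE" in m.group(2):  # these messages never need a DTD; refuse one
        return None
    try:
        root = ET.fromstring(m.group(2).encode("utf-8"))
    except ET.ParseError:  # truncated or corrupted log line
        return None
    if root.tag != "Config" or root.get("type") != "RMSEndUpdate":
        return None
    code = (root.findtext("ErrorMessage/StringID") or "").strip()
    text = (root.findtext("ReadableMessage") or "").strip()
    if not code.isdecimal() or not text:
        return None
    return int(code), text

def build_code_map(lines):
    """Map each code to the set of texts seen for it; texts differ when inserts differ."""
    seen = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return dict(seen)

def console_code(number):
    """Format the decimal Number from the Errors table the way the console shows it."""
    return "0x%08x" % number

if __name__ == "__main__":
    for code, texts in sorted(build_code_map(SAMPLE_LOG).items()):
        print(code, console_code(code), sorted(texts))
```

Codes that show more than one text are the ones whose messages carry inserts (Insert1 to Insert5 in the Errors table).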