The main server was damaged and no server backup was performed; what should I do to restore the SEC information to a new server?

Hello and good afternoon. Today I have this problem: the main server was damaged and no server backup was performed.

What could be done was a backup of the entire server RAID. What should I do to restore the SEC information to a new server?

I do not want to lose all the console information; there are more than 1000 endpoints!

Thank you.



This thread was automatically locked due to age.
  • Hello richar gabrielalvarez gonzalez,

    server was damaged [...] a backup of the entire RAID
    what exactly is damaged (hardware or software - which part) and what's in the backup (entire C: volume or ...)? Was the SQL database local?

    Endpoint information is in the database, it might be possible to attach the database files on the new server. If SEC's registry is available the endpoints can again be managed without reprotecting them. Roughly the sequence would be: OS install, registry import, SEC database component install, replacement of (detach newly created and attach old) database files, other SEC components install. Same SEC version of course (which one and which endpoint features - Patch, Encryption - did you use?).

    As you've asked about importing computer names - are you interested in just restoring the computers and groups, also policies, or the events and alerts as well?

    Christian

  • I am interested in restoring everything, because this was the only server dedicated to this kind of task. I would like to restore every client without the need to reprotect them. There are several offices, and +1100 endpoints.

    The server was damaged and we installed the OS again. We have made a backup and we have the data, so what we need to do is restore that data on the new console, which is the same version.

    Only the operating system was damaged.

    The SEC is version 5.2.2, and the operating system is Windows Server 2008 R2 Enterprise.
  • Hello richar gabrielalvarez gonzalez,

    if I understand you correctly you have a backup of the volume(s) but did not perform a backup of the Sophos data using DataBackupRestore, correct?

    without the need of reprotecting [the endpoints]
    you'd need the SOFTWARE registry hive from C:\Windows\System32\config\ or the one from C:\Windows\System32\config\RegBack\ to re-establish the old server's identity. Follow the Migration Guide, instead of restoring the database you'd have to attach the database files from the backup.

    Christian

  • Hi Christian, I was able to restore the Sophos database and retrieve all endpoints, policies and groups. But I have a new problem: my main SUM and the child SUMs do not update.
    I followed the whole process of the migration guide: imported the database, the registration, etc.

    Why can't the SUMs update?
    My license has not expired yet.
  • Hello richar gabrielalvarez gonzalez,

    so you have a more complex setup with additional SUMs?
    Anyway, the "do not update" can have many reasons (on the child SUMs this might simply be a consecutive fault). What errors do you see in the main SUM's details view (Gestores de actualización -> ver gestor de actualización) and in the SUM logs?


    Christian

  • Hello Christian, apologies for not responding quickly. I checked the main SUM with "View Update Manager" but found no problem there, which is strange since I cannot download new updates. I then reviewed the child SUMs, again with "View Update Manager", and saw this:


    -Failed Software update
    -Threat Updating data detection failed

    Then I used "LogViewer" to find the log:

    -The Decoding operation failed with an unexpected error. Details: Failed to read file content customer.

    It -Bug the synchronization operation on data protection. Details: Local Corrupted customer file.

    -The Distribution share failed with an unexpected error. Details: boost :: filesystem :: remove


    Then I checked the log of the main SUM and found this:

    SUMTracet.log


    2015-09-29 00:16:53 : Cmd-ALL << [I1021][ActionUpdateMetadata][DispatcherPrograms-2015-09-29T04-46-53-10] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2015-09-29T04-46-53-10' started...
    2015-09-29 00:16:53 : Cmd-ALL << [I1018][DispatcherPrograms-2015-09-29T04-46-53-10][2] Started dispatcher with ID 'DispatcherPrograms-2015-09-29T04-46-53-10'. It will run 2 events.
    2015-09-29 00:16:57 : <Info> WarehouseStatusOperation was successful.
    2015-09-29 00:16:57 : Cmd-ALL << [I000F][0][<signatures><contents>bad7a83a760e49daf1d250daafa35b2e:d25c19ea481d9c9b5fc5c9c29d258a00</contents><dictionary>b8b4504f6ed7afcfb72da3ccb838235c</dictionary><published_time>2015-08-12T10:19:08</published_time></signatures>][Endpoint Protection Advanced][] Successfully checked warehouse status.
    2015-09-29 00:16:57 : Cmd-ALL << [I0009][ActionUpdateMetadata][DispatcherPrograms-2015-09-29T04-46-53-10] Action 'ActionUpdateMetadata' with caller 'DispatcherPrograms-2015-09-29T04-46-53-10' succeeded!
    2015-09-29 00:16:57 : Cmd-ALL << [S0012][DispatcherPrograms-2015-09-29T04-46-53-10] Event with dispatcher ID 'DispatcherPrograms-2015-09-29T04-46-53-10' completed successfully.
    2015-09-29 00:16:57 : Cmd-ALL << [I1021][ActionUpdateLogViewerDictionaries][DispatcherPrograms-2015-09-29T04-46-53-10] Action 'ActionUpdateLogViewerDictionaries' with caller 'DispatcherPrograms-2015-09-29T04-46-53-10' started...
    2015-09-29 00:16:57 : Cmd-Sock-948 >> DeleteObject WHStatusAction-0
    2015-09-29 00:16:57 : Cmd-Sock-948 << [R4000] Could not find object named WHStatusAction-0

    2015-09-29 00:16:57 : Cmd-Sock-948 <<
    2015-09-29 00:16:57 : Cmd-Sock-948 >> DeleteObject WHStatusEvent-0
    2015-09-29 00:16:57 : Cmd-Sock-948 << [R4000] Could not find object named WHStatusEvent-0

    -SUMLog

    0 1 2 ActionSyncSupplements DispatcherSupplements-2015-09-28T04-33-02-86 1443414785 1610616865 0 1 2 ActionGatherCurrencyData-Sub0 DispatcherSupplements-2015-09-28T04-33-02-86 1443414785 1610616863 50 1 7 DispatcherSupplements-2015-09-28T04-33-02-86 SAVEEXP 10.3.15 VE3.60.0 3.60.0 5.19 578F62658476A1B486EE5915494C94AC 2015-09-22T13:10:52 1443414785 536870921 0 1 2 ActionGatherCurrencyData-Sub0 DispatcherSupplements-2015-09-28T04-33-02-86 1443414785 1610616865 0 1 2 ActionDecodeEverything-Sub0 DispatcherSupplements-2015-09-28T04-33-02-86 1443414786 536870938 50 0 4 C:\ProgramData\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A SAVSCFXP F26F7EC0-1302-4DA7-8B6B-A5383051D41A RECOMMENDED 1443414786 536870931 50 0 1 C:\ProgramData\Sophos\Update
  • Hello richar gabriel alvarez gonzalez,

    could you perhaps post a screenshot from the Gestores de actualización view? Don't worry that it's in Spanish. Are your child SUMs updating from the main SUM (HTTP or UNC)?

    boost::filesystem::remove
    please search the SUMTrace log for a line containing this text - the failing location should be mentioned on or near this line (ideally post a few lines here).  

    It's not yet clear what the actual issue is - your snippet from SUMTrace log stops right before the interesting part, the [R4000] lines don't indicate an error. Right after this part I'd expect:
    Cmd-ALL << [I0009][ActionUpdateLogViewerDictionaries] ...
    Cmd-ALL << [I1021][ActionSyncPrograms]
    <Info> Downloading remote customer file.
    and a while later
    <Info> Successfully downloaded remote customer file content from SOPHOS

    or some error instead of the <Info> line(s). Guess this part of the log would give at least some hint.

    While this might not solve your problem you could simply flush the downloaded data as outlined in this article (it's about a different issue) under What To Do. Note: you should stop the Update Manager service before deleting the contents, restart afterwards.

    Christian
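
Added example, not part of the original thread and not Sophos code: a Python script for the log check described in the reply above, which prints the lines around each `boost::filesystem::remove` hit and reports whether an `ActionSyncPrograms` run reached the "Successfully downloaded remote customer file content" line. The function names and the sample text are constructed for illustration, and the parser assumes the `YYYY-MM-DD HH:MM:SS : message` layout of the SUMTrace excerpt quoted earlier in the thread.

```python
import re

# Line layout taken from the SUMTrace excerpt earlier in the thread:
# "2015-09-29 00:16:53 : <message>"
LINE_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : (.*)$")
# Pasted copies in the thread show spaces around "::", so tolerate them.
NEEDLE_RE = re.compile(r"boost\s*::\s*filesystem\s*::\s*remove")
SYNC_START = "[I1021][ActionSyncPrograms]"
DOWNLOAD_OK = "Successfully downloaded remote customer file content"

# Constructed sample assembled from line shapes quoted in the thread.
SAMPLE = """\
2015-09-29 00:16:57 : Cmd-ALL << [I1021][ActionSyncPrograms][Dispatcher-X] Action 'ActionSyncPrograms' started...
2015-09-29 00:16:58 : <Info> Downloading remote customer file.
2015-09-29 00:17:02 : Cmd-Sock-944 << [R4000] Could not create backup copy of file: boost :: filesystem :: remove

2015-09-29 00:17:03 : Cmd-Sock-944 >> DeleteObject WHStatusAction-0
"""

def parse(text):
    """Return (timestamp, message) tuples; blank or unparseable lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def context_for(entries, before=2, after=2):
    """Return the entries surrounding each boost::filesystem::remove hit."""
    hits = [i for i, (_, msg) in enumerate(entries) if NEEDLE_RE.search(msg)]
    return [entries[max(0, i - before): i + after + 1] for i in hits]

def sync_outcome(entries):
    """Classify the most recent ActionSyncPrograms run in the excerpt."""
    starts = [i for i, (_, msg) in enumerate(entries) if SYNC_START in msg]
    if not starts:
        return "not-started"
    tail = [msg for _, msg in entries[starts[-1] + 1:]]
    return "ok" if any(DOWNLOAD_OK in msg for msg in tail) else "incomplete"

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("sync:", sync_outcome(entries))
    for block in context_for(entries):
        for ts, msg in block:
            print(ts, msg)
```

An "incomplete" result means the excerpt ends, or an error appears, before the download confirmation, which is the part of the log the reply asks to see.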

  • Hello Christian, all the child SUMs are connected to the main SUM, and the main SUM is directly connected to Sophos. I will attach screenshots: the main SUM is called ANTIVIRUSSOPHOS; the last 2 images are of the child SUMs.

     

    Here are the main SUM's logs:
    3:49:05 -2015-09-28: Cmd-Sock-944 << [R4000] Could not create backup copy of file: boost :: filesystem :: remove

    9/28/2015 4:49:05: Cmd-Sock-944 >> DeleteObject WHStatusAction-0
    9/28/2015 4:49:05: Cmd-Sock-944 << [R4000] Could not find object named WHStatusAction-0

    9/28/2015 4:49:05: Cmd-Sock-944 <<
    9/28/2015 4:49:05: Cmd-Sock-944 >> DeleteObject WHStatusEvent-0
    9/28/2015 4:49:05: Cmd-Sock-944 << [R4000] Could not find object named WHStatusEvent-0

    9/28/2015 4:49:05: Cmd-Sock-944 <<
    9/28/2015 4:49:05: Cmd-Sock-944 >> saveconfig specialactions.xml specialactions
    9/28/2015 4:49:05: Cmd-Sock-944 << [r0000] Written 0 objects to file \ specialactions.xml.

    9/28/2015 4:49:05: Cmd-Sock-944 <<
    9/28/2015 4:49:05: Cmd-Sock-884 >> DeleteObject WHStatusAction-0
    9/28/2015 4:49:05: Cmd-Sock-884 << [R4000] Could not find object named WHStatusAction-0


    9/28/2015 4:49:05: Cmd-Sock-884 <<
    9/28/2015 4:49:05: Cmd-Sock-884 >> saveconfig specialactions.xml specialactions
    9/28/2015 4:49:05: Cmd-Sock-884 << [r0000] Written 0 objects to file \ specialactions.xml.

    9/28/2015 4:49:05: Cmd-Sock-884 <<
    9/28/2015 4:49:05: Cmd-Sock-944 >> DumpConfigXML default
    9/28/2015 4:49:05: Cmd-Sock-944 << [r0000] [<? Xml version = "1.0" encoding = "utf-8"> <Settings> <Action> <ID

  • Hello richar gabriel alvarez gonzalez,

    first of all, what is the updating schedule on your main server? The Windows date on the first screenshot is 01/10/2015 11:35 and Última comprobación is 30/09/2015 11:23, the difference is more than the maximum interval for datos de detección. Is the SUM service running? Anyway it says that it has successfully updated around this time so the main SUM seems to be ok.

    From the screenshots the issue seems to be that the child SUMs are not reporting to the management server. Switch to the Estaciones view, Detalles del ordenador and check Hora del último mensaje for the child SUMs (also do the check for ANTIVIRUSSOPHOS to make sure its RMS is working correctly). If the dates are 14/09/2015 then please see Troubleshooting disconnected clients seen within the SEC Console.

    Christian

    BTW: the number of Ordenadores con alertas is quite high, once the SUM problem is solved you should take care of it
