
steps for setup child server

Hi,

We just set up Sophos Enterprise Console 4.5 (replacing Symantec). The structure: one primary server as parent server, updated from the Sophos website; 4 site servers as child servers, updated from the parent server.

Does anyone know the detailed steps to set up a child server? After copying the SUMInstallSet folder from the parent server to the child server and running setup.exe, I configured this child server (source from parent, subscriptions as recommended, distribution as update to share \\child server\Sophosupdate). I got the error "threat detection data update failed" and last updated "never". What's wrong? Can anyone provide the detailed steps with screenshots?

Thanks

:7641


  • Hello yh,

    it can take some time until a SUM has completely initialized/updated. From what you said you did it right.

    Do the child SUMs access the parent via UNC or http and how many subscriptions/products do you use? 

    Christian

    :7643
  • Hi,

    It sounds like most of the setup is working: If you ran setup to install the child SUM, shortly after it appeared in SEC, you configured it and the machine is compliant with the SUM policy (Configuration column shows as matches in SEC), all of the messaging system is functioning which is a large part of the system.

    I assume the configuration of the child is with regards to the "Sources" tab is:

    "\\ServerName\SophosUpdate"

    and at the child SUM machine, this same address resolves OK? It doesn't need to be fully qualified, for example?

    On the child, is there anything in?

    \Documents and Settings\All Users\Application Data\Sophos\Update Manager\working\?

    or:

    \Programdata\Sophos\Update Manager\working\?

    I assume "Working" exists on the machine?

    Also does:

    \Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\

    or:

    \Programdata\Sophos\Update Manager\Update Manager\

    Contain a CIDs and Warehouse directory and are they populated?

    Other than that, to get a feel for what has happened, looking in the log files is worth a glance. There are 2 types of logs:

    1. SUMLog[timestamp].log
    2. SUMTrace[timestamp].log

    as found in:

    \Documents and Settings\All Users\Application Data\Sophos\Update Manager\Logs\

    or

    \ProgramData\Sophos\Update Manager\Logs\

    In the SUM Program Files directory there is a logviewer.exe. This essentially reads in the "SUMLog" files and can apply a few filters to them, and for more in-depth analysis the "Trace" file can be looked at.

    As a third way of seeing what SUM is doing you can also connect to the SUM to see what's going on in real-time as per this post:

    This logs a similar amount as the trace log.

    Regards,

    Jak

    :7645
  • Thank you for your quick reply. The child server and parent server are in a trust relationship within the same WAN and DNS.

    :7647
  • Thank you, Jak, for your detailed guide.

    I assume the configuration of the child is with regards to the "Sources" tab is:  \\childserver\SophosUpdate

    ==> this is the default setting and it can resolve. Do we need a fully qualified name?

    On the child, is there anything in?

    \Documents and Settings\All Users\Application Data\Sophos\Update Manager\working\?

    ==> yes, on the child server, under this folder, I can find the Decoded-SDDM and Decoded-Sub0 folders.

    Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\

    Contain a CIDs and Warehouse directory and they are populated

    Other than that, to get a feel for what has happened, looking in the log files is worth a glance. There are 2 types of logs:

    1. SUMLog[timestamp].log
    2. SUMTrace[timestamp].log

    Captured part of the logs from SUMTrace[timestamp].log


    2011-01-11 16:18:48 : Cmd-Sock-1400 << 2011-01-11 16:19:16 : Package synchronisation started.
    2011-01-11 16:19:16 : Finished package synchronisation.
    2011-01-11 16:19:16 : Package synchronisation started.
    2011-01-11 16:19:16 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:18 : Package synchronisation started.
    2011-01-11 16:19:18 : Finished package synchronisation.
    2011-01-11 16:19:19 : Package synchronisation started.
    2011-01-11 16:19:19 : Finished package synchronisation.
    2011-01-11 16:19:19 : Package synchronisation started.
    2011-01-11 16:19:19 : Finished package synchronisation.
    2011-01-11 16:19:19 : Package synchronisation started.
    2011-01-11 16:19:19 : Finished package synchronisation.
    2011-01-11 16:19:19 : Package synchronisation started.
    2011-01-11 16:19:19 : Finished package synchronisation.
    ><Ordinal>0</Ordinal></UpdateSource></Config>] Dumped 28 objects.

    2011-01-11 16:19:38 : Cmd-Sock-1400 <<

    2011-01-11 16:19:38 : Cmd-Sock-1400 <<
    2011-01-11 16:19:45 : Tue Jan 11 16:19:45 2011 - No action
    2011-01-11 16:19:45 : Tue Jan 11 16:19:45 2011 - No action
    2011-01-11 16:19:45 : Tue Jan 11 16:19:45 2011 - No action
    2011-01-11 16:19:45 : Tue Jan 11 16:19:45 2011 - ACTION
    2011-01-11 16:19:45 : Cmd-ALL << [I1018][DispatcherSupplements-2011-01-11T08-19-45-11][1] Started dispatcher with ID 'DispatcherSupplements-2011-01-11T08-19-45-11'. It will run 1 events.
    2011-01-11 16:19:45 : Cmd-ALL << [I1021][ActionSyncSupplements][DispatcherSupplements-2011-01-11T08-19-45-11] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2011-01-11T08-19-45-11' started...
    2011-01-11 16:19:51 : Package synchronisation started.
    2011-01-11 16:19:51 : Finished package synchronisation.
    2011-01-11 16:19:51 : Package synchronisation started.
    2011-01-11 16:19:51 : Finished package synchronisation.
    2011-01-11 16:19:51 : Package synchronisation started.
    2011-01-11 16:19:51 : Finished package synchronisation.
    2011-01-11 16:19:51 : Package synchronisation started.
    2011-01-11 16:19:51 : Finished package synchronisation.
    2011-01-11 16:19:52 : Package synchronisation started.
    2011-01-11 16:19:52 : Finished package synchronisation.
    2011-01-11 16:19:52 : Package synchronisation started.
    2011-01-11 16:19:52 : Finished package synchronisation.
    2011-01-11 16:19:52 : Package synchronisation started.
    2011-01-11 16:19:52 : Finished package synchronisation.
    2011-01-11 16:19:52 : Cmd-ALL << [I0017][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][RECOMMENDED][\\SOPHOSESC\SophosUpdate\Warehouse] Successfully synchronized supplements for payload A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1 with version RECOMMENDED from source \\parentserver\SophosUpdate\Warehouse. No new data files were downloaded.
    2011-01-11 16:19:52 : Cmd-ALL << [I0017][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED][\\SOPHOSESC\SophosUpdate\Warehouse] Successfully synchronized supplements for payload F26F7EC0-1302-4DA7-8B6B-A5383051D41A with version RECOMMENDED from source \\parentserver\SophosUpdate\Warehouse. No new data files were downloaded.
    2011-01-11 16:19:52 : Cmd-ALL << [I0017][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0][\\SOPHOSESC\SophosUpdate\Warehouse] Successfully synchronized supplements for payload 7D48A012-0C64-4F21-BA27-A9CEDF442749 with version 0.0.0 from source \\parentserver\SophosUpdate\Warehouse. No new data files were downloaded.=

    2011-01-11 16:20:11 : Cmd-Sock-1400 <<
    2011-01-11 16:20:45 : Tue Jan 11 16:20:45 2011 - No action
    2011-01-11 16:20:45 : Tue Jan 11 16:20:45 2011 - No action
    2011-01-11 16:20:45 : Tue Jan 11 16:20:45 2011 - No action

    Anyway, is there any link for the steps? I can reinstall the child server if I still cannot solve the error. Any recommendation?

    Thank you very much for your kind help.

    :7649
  • Hi, Jak

    From child server/Sophos Endpoint Security and Control console/Updating/View Updating Log, I can see that it updated successfully from the primary server. See attached log. But, from parent server/Sophos Enterprise Console/Update Managers/,

    the Errors tab shows "threat detection data update failed" and the Last updated tab shows "Never" since last week (still marked with last week's date).

    I guess that the child server can update from the parent server, but the parent server didn't update the log from the child server. How do I clear the log for this child server?

    Please advise asap. Need to implement urgently! Thanks....

    Time: 1/11/2011 17:20:20
    Message: AutoUpdate finished
    Module: ALUpdate
    Process ID: 6876
    Thread ID: 6236

    Time: 1/11/2011 17:20:19
    Message: Installation of Sophos AutoUpdate skipped
    Module: ALUpdate
    Process ID: 6876
    Thread ID: 6236

    Time: 1/11/2011 17:20:19
    Message: Installation of SAVXP skipped
    Module: ALUpdate
    Process ID: 6876
    Thread ID: 6236

    Time: 1/11/2011 17:20:19
    Message: Installation of RMSNT skipped
    Module: ALUpdate
    Process ID: 6876
    Thread ID: 6236

    Time: 1/11/2011 17:20:19
    Message: Downloading phase completed
    Module: ALUpdate
    Process ID: 6876
    Thread ID: 6236

    Time: 1/11/2011 17:20:18
    Message: Product cache update from primary server successfully finished
    Module: CIDUpdate
    Process ID: 6876
    Thread ID: 6236

    :7651
  • What error besides 80040404 do you see in View Update Manager details? The part you showed says that there were no new files which had to be downloaded by the child. I'd expect "Cmd-ALL << [I0018] The synchronisation of the supplements was successful." following it though, as well as lines starting with "Generate a CID". If there aren't, then "something" seems to be stuck. Before considering reinstall I'd restart the SUM service (or reboot the child SUM) and, if this doesn't help, stop the service and delete SUM_status.xml as well as the contents of the Working and Warehouse folders.

    Christian

    :7655
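The check Christian describes (an I0018 line and a "Generate a CID" line should follow the I0017 entries) can be run over a SUMTrace file mechanically. This is an added example, not part of the thread or of any Sophos tooling; the function name and the sample lines are constructed, and the exact text of real I0018 and "Generate a CID" lines is assumed from the wording quoted above.

```python
import re

# "YYYY-MM-DD hh:mm:ss : message", the layout of the SUMTrace lines in the thread
LINE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : (.*)$")
CODE = re.compile(r"Cmd-ALL << \[(I\d{4})\]")

def check_supplement_sync(trace_text):
    """Return one dict per ActionSyncSupplements run, flagged stuck or not."""
    runs, current = [], None
    for raw in trace_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # XML fragments and blank lines
        stamp, msg = m.groups()
        found = CODE.search(msg)
        code = found.group(1) if found else None
        if code == "I1021" and "ActionSyncSupplements" in msg:
            current = {"started": stamp, "payloads": 0, "i0018": False, "cid": False}
            runs.append(current)
        elif current is None:
            continue  # no sync run seen yet to attribute this line to
        elif code == "I0017":
            current["payloads"] += 1
        elif code == "I0018":
            current["i0018"] = True
        elif "Generate a CID" in msg:
            current["cid"] = True
    for run in runs:
        # A run is suspect when the completion line or the CID build never appears.
        run["stuck"] = not (run["i0018"] and run["cid"])
    return runs

# Constructed sample modelled on the excerpt in the thread (payload IDs shortened).
STUCK_TRACE = """\
2011-01-11 16:19:45 : Cmd-ALL << [I1021][ActionSyncSupplements][Dispatcher-1] Action 'ActionSyncSupplements' started...
2011-01-11 16:19:51 : Package synchronisation started.
2011-01-11 16:19:51 : Finished package synchronisation.
2011-01-11 16:19:52 : Cmd-ALL << [I0017][PAYLOAD-A][RECOMMENDED] Successfully synchronized supplements. No new data files were downloaded.
2011-01-11 16:19:52 : Cmd-ALL << [I0017][PAYLOAD-B][0.0.0] Successfully synchronized supplements. No new data files were downloaded.
2011-01-11 16:20:45 : Tue Jan 11 16:20:45 2011 - No action
"""
# Constructed continuation using the wording quoted above; real lines may carry more fields.
HEALTHY_TRACE = STUCK_TRACE + """\
2011-01-11 16:20:46 : Cmd-ALL << [I0018] The synchronisation of the supplements was successful.
2011-01-11 16:20:47 : Generate a CID
"""

if __name__ == "__main__":
    for name, text in (("stuck", STUCK_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, check_supplement_sync(text))
```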
  • Hello yh,

    maybe I misunderstood you. SUM updates are one thing and SESC updates another. If you view Update Managers from SEC you have one line for each SUM known to SEC. Guess your parent server is SOPHOSESC - is this the one with the Never in the Last updated column?

    Christian

    :7659
  • Hi, QC

    Yes, SOPHOSESC is the parent server which never updates the logs. How can I clear and check again?

    One more thing: today I implemented one more child server. I used NoNav2.611.exe to remove Symantec Corporation. SUM installed successfully. But when I applied 'protection computer', an installation error popped up: 'Cancelled Sophos installation because existing third party security software could not be uninstalled'

    Actually, I removed all Symantec software and even cleared the registry manually.

    On this child server, I could not find any antivirus software running. Any advice?

    Thank you very much

    :7713
  • Hello yh,

    the same procedure (deleting the mentioned files) can be used on the parent. It might also be the case that writing to the CID fails (usually you can find a hint in the logs but it's not easy to spot). Unless it's the indexing service "sitting" on the directory (in which case you either turn off the service or exclude the Update Manager directory from being indexed) deleting the CID often helps. If it doesn't then it's time for digging in the logs.

    Christian

    :7721
  • Hi,

    I'm a bit lost and not quite sure what the current state is. It sounds promising that the child SUM's directories are populated.

    I would check that looking in:

    \\childsum\sophosupdate\CIDs\S000\SAVSCFXP\savxp\

    that the last .ide file is recent. If so, and this SUM is downloading exclusively from the parent SUM, the parent must be downloading and populating the warehouse directory:

    \Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\warehouse\

    It might be worth checking the parent SUM's CIDs:

    \\parentsum\sophosupdate\CIDs\S000\SAVSCFXP\savxp\

    to check the most recent .ide file is also current.

    If both of these turn out to be OK, then there isn't much wrong with the updating setup.

    I see there are then the logs of AutoUpdate. These show a successful check to a distribution point; I'm not sure what that has to do with SUM, other than proving that the distribution point SUM has created, which that client is pointing to, is OK?

    The link to the other page on the forum should help you get past the registry check as the file mentioned will contain the key that the CRT component is finding.

    Jak

    :7729
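The parent/child comparison Jak describes, newest .ide file in each CID, can be scripted so stale signature data on either side is noticed early. This is an added example, not part of the thread; the function names, the three-day threshold for "recent" and the verdict wording are assumptions, and the UNC paths in the usage lines are the ones given in the post.

```python
import time
from pathlib import Path

def newest_ide(cid_dir):
    """Return (name, mtime) of the most recently modified .ide file, or None."""
    root = Path(cid_dir)
    if not root.is_dir():
        return None  # share unreachable or CID never created
    files = [p for p in root.glob("*.ide") if p.is_file()]
    if not files:
        return None
    newest = max(files, key=lambda p: p.stat().st_mtime)
    return newest.name, newest.stat().st_mtime

def compare_cids(parent_dir, child_dir, max_age_days=3, now=None):
    """Classify each CID as current/stale/empty and say where updating breaks."""
    now = time.time() if now is None else now
    limit = max_age_days * 86400  # assumed meaning of "recent"

    def state(cid_dir):
        found = newest_ide(cid_dir)
        if found is None:
            return "empty"
        return "current" if now - found[1] <= limit else "stale"

    parent, child = state(parent_dir), state(child_dir)
    if parent == "current" and child == "current":
        verdict = "updating setup looks fine"
    elif parent == "current":
        verdict = "child is not pulling from the parent"
    else:
        verdict = "parent is not populating its own CID"
    return {"parent": parent, "child": child, "verdict": verdict}

if __name__ == "__main__":
    # Paths as given in the post; run on a machine that can reach both shares.
    print(compare_cids(r"\\parentsum\sophosupdate\CIDs\S000\SAVSCFXP\savxp",
                       r"\\childsum\sophosupdate\CIDs\S000\SAVSCFXP\savxp"))
```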