
Issues with STAS

Not sure where to post STAS issues.

We have a 600-workstation network and are using Sophos UTM 9.5 HA.  Wanting to be able to set up Web Filter exceptions for certain users who roam.

We have three MS 2K8 AD DCs:  DC1, DC2 and DC3.  Did a STAS Agent/Collector install on DC3 for testing.   It gathered user logon/off events, which flowed into the UTM Client Authentication 'Live Users' list.      After initial testing, installed STAS Agents on DC1 and DC2 and pointed them to the Collector on DC3.


(1) Noticed that user events stopped after 20 to 30 minutes on the DC3 Collector.

DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4634 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4776 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4776 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4776 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4768 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got Kerberos authentication event
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: UserName: SophosUpdateMgr
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: DomainName: ABC.com
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: IPv6 WorkstationIP: :
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: IPv4 WorkstationIP: 192.168.1.15
DEBUG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_common: Event ID: 4768
DEBUG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_common: EventType: AuditSuccess
DEBUG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_common: CreateTime: 1506533005
DEBUG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_common: ExpireTime: 1506533605
DEBUG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_common: LogonType: 2
DEBUG    [0x1a10] 9/27/2017 13:23:26 : threadpool_run: Submitting Function 0x40a7f0
DEBUG    [0x1a10] 9/27/2017 13:23:26 : threadpool_run: adding function at tail
DEBUG    [0x1a10] 9/27/2017 13:23:26 : list_add_tail: first element added
DEBUG    [0x1a10] 9/27/2017 13:23:26 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:31 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:36 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:41 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:46 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:51 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:56 : threadpool_run: couldn't get free thread

In 'stas.cfg', increased the Collector threads from 64 to 256.  It then collected user events for about 4 to 6 hours before getting the 'couldn't get free thread' message again.
Narrowed the problem down to the Collector rather than the Agent by installing the STAS Collector on a W2012 management server and configuring the three DC agents to point to it.

This solution has been very stable. The STAS Agents have been forwarding logon/off events for two weeks now.


(2) In STAS.log, getting the 'dcaserver_extract_data: Invalid wrkst_name_off:' and 'Invalid group_off:' error messages:

Could not find the STAS Administrator manual, only the STAS Installation Quick Guide which does not help.

This is from my STAS Collector log on the management server:

---------------------------------------------------------------------

ERROR    [0xad4] 10/13/2017 07:37:37 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:39 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:37:39 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:39 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:37:39 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:43 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:37:43 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:45 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:37:45 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xabc] 10/13/2017 07:37:45 : USERINFO WAITING INFINITE
MSG    [0xabc] 10/13/2017 07:37:45 : SSOclient_thread: got userinfo: USER: ABC.com\ALub <-> Flags: 5
ERROR    [0xabc] 10/13/2017 07:37:45 : SSOclient_update_CR: domain name is there with length 10 , ABC.com
ERROR    [0xabc] 10/13/2017 07:37:45 : USERNAME ALub Length 5
ERROR    [0xabc] 10/13/2017 07:37:45 : WORKSTN IP 192.168.1.15 Length 15
ERROR    [0xabc] 10/13/2017 07:37:45 : DOMAIN ABC.com Length 11
ERROR    [0xabc] 10/13/2017 07:37:45 : SSOclient : PACKET SIZE 237 237
MSG    [0xabc] 10/13/2017 07:37:45 : SSOclient_thread: Logon/Logout Update sent to: 172.16.1.1:0
ERROR    [0xabc] 10/13/2017 07:37:45 : GETTING (USERINFO) FROM QUEUE
MSG    [0xac0] 10/13/2017 07:37:45 : SSO_client_update_heartbeat: cr_node:172.16.1.1 is_active:2
ERROR    [0xad0] 10/13/2017 07:37:46 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad0] 10/13/2017 07:37:46 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:47 : dcaserver_extract_data: Invalid group_off:-1

.

ERROR    [0xad4] 10/13/2017 07:38:13 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:38:15 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:38:15 : dcaserver_extract_data: Invalid wrkst_name_off: -1
MSG    [0xac0] 10/13/2017 07:38:15 : SSO_client_update_heartbeat: cr_node:172.16.1.1 is_active:2
ERROR    [0xad4] 10/13/2017 07:38:17 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:38:17 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:38:17 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:38:17 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:38:19 : dcaserver_extract_data: Invalid group_off:-1

.

ERROR    [0xad0] 10/13/2017 07:39:18 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:39:19 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:39:19 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xabc] 10/13/2017 07:39:19 : USERINFO WAITING INFINITE
MSG    [0xabc] 10/13/2017 07:39:19 : SSOclient_thread: got userinfo: USER: ABC.com\JWago <-> Flags: 5
ERROR    [0xabc] 10/13/2017 07:39:19 : SSOclient_update_CR: domain name is there with length 10 , ABC.com
ERROR    [0xabc] 10/13/2017 07:39:19 : USERNAME JWago Length 7
ERROR    [0xabc] 10/13/2017 07:39:19 : WORKSTN IP 192.168.1.38 Length 15
ERROR    [0xabc] 10/13/2017 07:39:19 : DOMAIN  ABC.com Length 11
ERROR    [0xabc] 10/13/2017 07:39:19 : SSOclient : PACKET SIZE 249 249
MSG    [0xabc] 10/13/2017 07:39:19 : SSOclient_thread: Logon/Logout Update sent to: 172.16.1.1:0
ERROR    [0xabc] 10/13/2017 07:39:19 : GETTING (USERINFO) FROM QUEUE
ERROR    [0xad8] 10/13/2017 07:39:19 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad8] 10/13/2017 07:39:19 : dcaserver_extract_data: Invalid wrkst_name_off: -1

.

ERROR    [0xad0] 10/13/2017 07:39:28 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad0] 10/13/2017 07:39:28 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xabc] 10/13/2017 07:39:28 : USERINFO WAITING INFINITE
MSG    [0xabc] 10/13/2017 07:39:28 : SSOclient_thread: got userinfo: USER:  ABC.com\RWitte <-> Flags: 5
ERROR    [0xad0] 10/13/2017 07:39:28 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xabc] 10/13/2017 07:39:28 : SSOclient_update_CR: domain name is there with length 10 ,  ABC.com
ERROR    [0xad0] 10/13/2017 07:39:28 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xabc] 10/13/2017 07:39:28 : USERNAME RWitte Length 11
ERROR    [0xabc] 10/13/2017 07:39:28 : WORKSTN IP 172.16.6.172 Length 13
ERROR    [0xabc] 10/13/2017 07:39:28 : DOMAIN  ABC.com Length 11
ERROR    [0xabc] 10/13/2017 07:39:28 : SSOclient : PACKET SIZE 261 261
MSG    [0xabc] 10/13/2017 07:39:28 : SSOclient_thread: Logon/Logout Update sent to: 172.16.1.1:0
ERROR    [0xabc] 10/13/2017 07:39:28 : GETTING (USERINFO) FROM QUEUE
ERROR    [0xad0] 10/13/2017 07:39:30 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad0] 10/13/2017 07:39:30 : dcaserver_extract_data: Invalid wrkst_name_off: -1

.

ERROR    [0xad4] 10/13/2017 07:40:17 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:40:17 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:40:17 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:40:17 : dcaserver_extract_data: Invalid wrkst_name_off: -1
MSG    [0xad4] 10/13/2017 07:40:17 : wrkstpoll_handle_logoff_req: Request received from Logoff Detector
ERROR    [0xad4] 10/13/2017 07:40:17 : userbd_delete_userinfo: trying to delete user
ERROR    [0xad4] 10/13/2017 07:40:17 : userdb_delete_userinfo: UserInfo deleted successfully
MSG    [0xad4] 10/13/2017 07:40:17 : wrkstpoll_handle_logoff_req: user 'ABC.com\SHetz' removed
ERROR    [0xabc] 10/13/2017 07:40:17 : USERINFO WAITING INFINITE
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: got userinfo: USER: ABC.com\SHetz <-> Flags: 4

ERROR    [0xabc] 10/13/2017 07:40:17 : SSOclient_update_CR: domain name is there with length 10 , ABC.com
ERROR    [0xabc] 10/13/2017 07:40:17 : USERNAME SHetz Length 8
ERROR    [0xabc] 10/13/2017 07:40:17 : WORKSTN IP 172.16.1.210 Length 13
ERROR    [0xabc] 10/13/2017 07:40:17 : DOMAIN  ABC.com Length 11
ERROR    [0xabc] 10/13/2017 07:40:17 : SSOclient : PACKET SIZE 243 243
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: Logon/Logout Update sent to: 172.16.1.1:0
ERROR    [0xabc] 10/13/2017 07:40:17 : GETTING (USERINFO) FROM QUEUE
ERROR    [0xabc] 10/13/2017 07:40:17 : USERINFO WAITING INFINITE
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: got userinfo: USER: ABC.com\VOffice <-> Flags: 5
ERROR    [0xabc] 10/13/2017 07:40:17 : SSOclient_update_CR: domain name is there with length 10 ,  ABC.com
ERROR    [0xabc] 10/13/2017 07:40:17 : USERNAME VOffice Length 10
ERROR    [0xabc] 10/13/2017 07:40:17 : WORKSTN IP 172.16.1.210 Length 13
ERROR    [0xabc] 10/13/2017 07:40:17 : DOMAIN  ABC.com Length 11
ERROR    [0xabc] 10/13/2017 07:40:17 : SSOclient : PACKET SIZE 255 255
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: Logon/Logout Update sent to: 172.16.1.1:0
ERROR    [0xabc] 10/13/2017 07:40:17 : GETTING (USERINFO) FROM QUEUE
ERROR    [0xad4] 10/13/2017 07:40:23 : dcaserver_extract_data: Invalid group_off:-1
ERROR    [0xad4] 10/13/2017 07:40:23 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:40:23 : dcaserver_extract_data: Invalid group_off:-1

- Turned off Collector's '[ ] Enable Logoff Detection' switch.  

- Still getting the 'dcaserver_extract_data: Invalid wrkst_name_off:' and 'dcaserver_extract_data: Invalid group_off:' error messages in stas.log


(3) Any ideas?

Thanks Bob G.
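To make the two symptoms in the post above concrete, here is an added example, not from the original post and not Sophos code: a small Python parser for stas.log lines, run over a constructed sample modelled on the excerpts posted. It measures how long a run of 'couldn't get free thread' messages lasts (logons arriving while the Collector's worker pool is exhausted never reach the UTM), counts the security event IDs and the dcaserver_extract_data failures, and pairs each user with the workstation IP that the agent or Collector logs next on the same thread. The last check reports IPs seen with more than one account; in the posted log, 192.168.1.15 carries both the SophosUpdateMgr Kerberos event and ALub's logon, which matters because identity-based web filtering keys policy on that IP-to-user mapping. The log format and the Flags field are taken from the posted lines only; the event ID descriptions (4768 Kerberos TGT request, 4776 NTLM credential validation, 4634 logoff) are the standard Windows audit IDs.

```python
"""Parse STAS agent/collector log lines and surface the two failure modes in the
post above: worker-thread starvation in the Collector, and user/IP bindings that
silently change which account a workstation is filtered as. SAMPLE_LOG is a
constructed sample modelled on the posted excerpts, not a real capture."""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = r"""
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4776 <-> Type: 8
DEBUG    [0x1a10] 9/27/2017 13:23:26 : dca_eventlog: got security event: ID: 4768 <-> Type: 8
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: UserName: SophosUpdateMgr
MSG    [0x1a10] 9/27/2017 13:23:26 : init_userinfo_kerberos: IPv4 WorkstationIP: 192.168.1.15
DEBUG    [0x1a10] 9/27/2017 13:23:26 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:31 : threadpool_run: couldn't get free thread
DEBUG    [0x1a10] 9/27/2017 13:23:36 : threadpool_run: couldn't get free thread
ERROR    [0xad4] 10/13/2017 07:37:37 : dcaserver_extract_data: Invalid wrkst_name_off: -1
ERROR    [0xad4] 10/13/2017 07:37:39 : dcaserver_extract_data: Invalid group_off:-1
MSG    [0xabc] 10/13/2017 07:37:45 : SSOclient_thread: got userinfo: USER: ABC.com\ALub <-> Flags: 5
ERROR    [0xabc] 10/13/2017 07:37:45 : WORKSTN IP 192.168.1.15 Length 15
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: got userinfo: USER: ABC.com\SHetz <-> Flags: 4
ERROR    [0xabc] 10/13/2017 07:40:17 : WORKSTN IP 172.16.1.210 Length 13
MSG    [0xabc] 10/13/2017 07:40:17 : SSOclient_thread: got userinfo: USER: ABC.com\VOffice <-> Flags: 5
ERROR    [0xabc] 10/13/2017 07:40:17 : WORKSTN IP 172.16.1.210 Length 13
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+\[(?P<thread>0x[0-9a-f]+)\]\s+"
                     r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) : (?P<msg>.*)$")
STARVED = "threadpool_run: couldn't get free thread"
EVENT_RE = re.compile(r"got security event: ID: (\d+)")
EXTRACT_ERR_RE = re.compile(r"dcaserver_extract_data: Invalid (\w+):\s*-?\d+")
# Kerberos path logs 'UserName: X'; the SSO client path logs 'USER: DOM\X <-> Flags: N'.
USER_RE = re.compile(r"(?:init_userinfo_kerberos: UserName: |got userinfo: USER:\s*)(\S+)(?: <-> Flags: (\d+))?")
IP_RE = re.compile(r"(?:WorkstationIP: |WORKSTN IP )(\d+\.\d+\.\d+\.\d+)")


def parse(text):
    """One dict per well-formed line (level, thread, ts, msg); anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
            records.append(rec)
    return records


def starvation_runs(records, min_run=3):
    """Runs of consecutive 'couldn't get free thread' lines on one thread, as
    (thread, first_ts, last_ts, count). Logons arriving during such a run never
    reach the UTM, which is the 'events stop after 20-30 minutes' symptom."""
    runs, run = [], []
    for rec in records + [None]:                      # None is a sentinel closing the last run
        if rec and rec["msg"] == STARVED and (not run or run[-1]["thread"] == rec["thread"]):
            run.append(rec)
            continue
        if len(run) >= min_run:
            runs.append((run[0]["thread"], run[0]["ts"], run[-1]["ts"], len(run)))
        run = [rec] if rec and rec["msg"] == STARVED else []
    return runs


def counts(records):
    """Security event IDs seen (4768 Kerberos TGT request, 4776 NTLM validation,
    4634 logoff) and dcaserver_extract_data failures keyed by the offending field."""
    events, errors = Counter(), Counter()
    for rec in records:
        if m := EVENT_RE.search(rec["msg"]):
            events[int(m.group(1))] += 1
        elif m := EXTRACT_ERR_RE.search(rec["msg"]):
            errors[m.group(1)] += 1
    return events, errors


def user_ip_bindings(records):
    """Pair each user line with the next workstation IP logged on the same thread,
    from both the agent's Kerberos path and the Collector's SSO client path. Flags
    is carried through as logged; the thread does not say what its values mean."""
    pending, bindings = {}, []
    for rec in records:
        thread, msg = rec["thread"], rec["msg"]
        if m := USER_RE.search(msg):
            user = m.group(1).split("\\")[-1]             # strip the DOMAIN\ prefix
            pending[thread] = (user, int(m.group(2)) if m.group(2) else None)
        elif (m := IP_RE.search(msg)) and thread in pending:
            user, flags = pending.pop(thread)
            bindings.append({"user": user, "ip": m.group(1), "flags": flags, "ts": rec["ts"]})
    return bindings


def shared_ips(bindings):
    """IPs bound to more than one account. With IP-keyed identity the latest binding
    wins, so a service account authenticating from a user's workstation silently
    changes whose web-filter policy applies to that machine."""
    seen = defaultdict(set)
    for b in bindings:
        seen[b["ip"]].add(b["user"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for thread, first, last, n in starvation_runs(recs):
        print(f"{thread}: {n} starvation messages from {first:%H:%M:%S} to {last:%H:%M:%S}")
    print("events / extract errors:", *map(dict, counts(recs)))
    print("IPs seen with more than one account:", shared_ips(user_ip_bindings(recs)))
```

Run it against a real stas.log instead of SAMPLE_LOG to see how long each stall actually lasted and whether the starvation runs line up with the gaps in the UTM's 'Live Users' list; if shared_ips reports a workstation under a service account, that account's logons (not the user's) are what the filter exceptions will be matched against on that IP.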



  • "Wanting to be able to setup Web Filter exceptions for certain user who roam. "

    Bob, why not simply use AD-SSO with Web Filtering?  See Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob for reply,

    I reviewed your link.

    I had our UTM configured for SSO to AD.  Just looked and it was no longer joined to AD.  Got an error msg when trying to rejoin.  The UTM object still existed in AD.  Deleted it and was able to use UTM to join again.

    Testing with a Web Filter profile to just my IP.  Can see auth in Web log.

    I have to go but have a few more questions.

    Bob G.
