Author Topic: CESM 3.0 RC Early Reports/Comments/Opinions  (Read 13885 times)

Offline lepota

  • Newbie
  • *
  • Posts: 13
Re: CESM 3.0 RC Early Reports/Comments/Opinions
« Reply #15 on: March 04, 2013, 10:49:07 AM »

I have discovered what is the data agents are sending to servers - firewall logs!
That is what I found it cesmAgn.log (RC2 agent, in final release agent logs nothing) on client that sent earlier 28MB and now, a week later, sends 31 MB:

*** CESM AGENT *** [18:59:05:046] [SYSTEM] [ActionExecutorDiscovery.cpp:30] [THREAD 0x00000334] class CRM::ModCIS::CPluginCIS::CDiscovererGetFirewallLog
*** CESM AGENT *** [18:59:05:046] [SYSTEM] [Router.cpp:297] [THREAD 0x00000288] Sent successfully
*** CESM AGENT *** [18:59:09:546] [SYSTEM] [ActionExecutorDiscovery.cpp:47] [THREAD 0x00000334] CActionExecutorDiscovery: Write output part.
*** CESM AGENT *** [18:59:09:593] [SYSTEM] [Router.cpp:294] [THREAD 0x00000288] Sending 31976444 bytes...

cislogs.sdb on this computer about 12MB, but firewall log saved in HTML from CIS is about 33MB
Similarly on other computers - they send approximately triple size of CIS logging database.
And do it every hour!
With default CIS setting of logfile size up to 200MB, agents can DDoS server with up to 600MB packets.
This is the case with two computers that did not sent big packets to server - log files there are bigger than 100MB and agent cannot prepare log for sending due to lack of resources. Uses of this computers complained lately, that system works very slow...

In the final release of CESM nothing changed (except of agent logging).

And what is the reason of sending logs every hour? I think that server should request logs only when requested from CESM console to build report, and only for specified period of time, dividing big period reports into smaller requests to avoid such load on clients and server.

BTW, agent also collectes and sends antivirus and defence+ logs, but in my case they are very small.

Now I limited CIS (and CES being deployed) logfile size to 5MB.
I recommend to do this to all until this bug will be fixed.
« Last Edit: March 04, 2013, 05:43:06 PM by lepota »

Offline Denmihalich

  • Newbie
  • *
  • Posts: 17
Re: CESM 3.0 RC Early Reports/Comments/Opinions
« Reply #16 on: March 05, 2013, 05:49:06 AM »
Hello, lepota!

First of all, thank you for great job of investing this logging issue! This is a known problem but your report from real system gives us a lot of valuable information.

Few additional questions arose while reading your comments:

What are the hardware configurations of those problematic endpoints?

Which mode CIS Firewall was in on those endpoints?

Please, keep in touch and we will solve this problem together.
« Last Edit: March 05, 2013, 08:00:22 AM by Denmihalich »

Offline lepota

  • Newbie
  • *
  • Posts: 13
Re: CESM 3.0 RC Early Reports/Comments/Opinions
« Reply #17 on: March 05, 2013, 07:35:56 AM »
Hello Denis!
Hardware configuration varies from Celeron 2.5 GHz single core with 1GB of memory to Core I5 4 cores 4GB. WinXP 32 Prof SP3 on all computers and CESM server. Firewall is in custom mode, blocking everything that not allowed explicitly. But in whatever mode CIS logfile eventually will grew in size and problems arouse. All computers sends packets corresponding to CIS logfile size which different on each computer (CIS was deployed about 2 years ago, so 200 MB limit was exceeded more then ones). Two computers that did not managed to process and send 100MB+ CIS logfiles and Celerons 2.5 & 3GHz with 1 and 2GB memory. But it occurred that there were largest logfiles in our network.
I emphasize that CESM server requests logs (or agent sends it on its own decision?) when CESM console even not started. Look at my previous post here...
I did not knew what the data was sent from agent then.


Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek