Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

They generally are caused in one of several ways:

1) The server no longer exists. (In that case, disable it in or remove it from Varonis.)
2) Someone has upgraded or rebuilt the server, so the agent no longer exists on the box. (Manually install the agent.)
3) Someone has disabled or removed the Varonis services. (After uncovering the reason for the change, manually reinstall the agent.)
4) There are connectivity problems reaching the server. (This needs to be fixed outside of the Varonis infrastructure.)

If you have administrative credentials for the monitored server, it is helpful to run Computer Management on the probe and connect it to the monitored server. What Computer Management can or cannot reach from the probe may provide additional clues to the problem. Looking through the Varonis event logs on the monitored server, using Event Viewer run from the probe, can also be helpful.

Friday, August 14, 2015

DatAlert Alert Template for Syslog

Within Varonis DatAlert, the default Alert Template for syslog messages contains line feeds and carriage returns.  Most syslog parsers have a much easier time dealing with single line messages.  If you are going to send Varonis alerts to syslog you should create a template specifically for that.  Here is a sample that I work with.

Saturday, April 4, 2015

Correct Share Settings for Adding a Server in Varonis

When adding servers to Varonis, under the Shares tab select the highest level shares that Varonis has access to.  In addition, there is an option to Automatically detect shares.  This should be set to “Detect and Notify” and the “Notify” option should be set to once.  That way, whenever a share is added to a server an email will go out indicating that fact.  At that point, if it is a new volume or new top-level share, you can go back into the Management Console and add that volume.  Do not automatically monitor shares, as this may pick up devices such as CD drives or shares that should not be monitored, such as backup shares.

Friday, February 6, 2015

Removing Disabled Users from the Varonis Permissions Report

One of the most commonly used reports in Varonis DatAdvantage is the “4b - Effective Permissions for User or Group” report. It lists all of the groups and users that have access to a particular folder. One of the challenges we faced at a particular customer was that the business people did not want to see the disabled users who had access to the folder. There is a filter, “Disabled Accounts,” that lets you exclude them. However, if you just add that filter it also removes all of the groups that have access to the folder, because groups do not have the “Disabled Account” property in Active Directory and so are excluded by the standalone “Disabled Accounts” filter. Thanks to Kevin Cyr for asking me if there is a way around this. Indeed, there is! Here is a screenshot of a filter combination that handles the problem.

Monday, September 1, 2014

Identify Servers with Duplicate SIDs in Varonis

One of the challenges in managing a multitude of Windows servers is that Microsoft allows more than one server to have the same SID within a domain. This usually happens because people clone an existing server and then change the name. Varonis DatAdvantage uses the SID as a unique identifier for the server in some portions of its system. The primary impact is in managing local groups: if two or more servers in DatAdvantage have the same SID, only one of them will correctly collect and report on the local security groups, such as the Administrators group. We can identify these servers by running a SQL Server query from the IDU server. Here is the query.

use vrnsDomainDB;

-- List every monitored filer whose identity (SID) is shared with at least one other filer
select filer_hostname, filer_ipaddress, filerIdentity
from filers
where filerIdentity in (
    select filerIdentity
    from filers
    group by filerIdentity
    having count(filerIdentity) > 1
)
order by filerIdentity;

Sunday, June 22, 2014

Varonis Troubleshooting: RPC Failures

In Varonis DatAdvantage the Probe and the monitored Windows file server communicate using RPC services. When events are not being collected, or the Probe cannot reach the Windows server, one place to look when troubleshooting is the Windows event log on the Probe.

If we receive the error message that the RPC server is unavailable, how do we go about discovering the root cause of the problem? PORTQRY is a tool from Microsoft that allows you to test connectivity from one server to another. To test connectivity to a monitored server, go to the Probe or Collector that is attempting to collect events or run the file walk and failing. Run the following command:

portqry -n ServerName -p TCP -e 4972

The command should be able to:

1) Resolve the host name
2) Connect to port 4972 (which Varonis uses to connect to the service)
3) See that the port is in the Listening state.

If the response is Filtered, then a firewall or some other service is blocking the connection. If the response is Not Listening, then the Varonis Filer Logger is not running or has errors. At that point, go to the server and check the status of the service.
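The following PowerShell script is an added example, not part of this post or any Varonis tool. It reproduces the three PortQry checks against port 4972 with .NET sockets from the Probe, maps the outcome to the decision tree above (Filtered versus Not Listening), and on Not Listening queries the remote Varonis services, which is the same information the Computer Management check in the earlier "Connection lost" post provides. The server name, the 3-second timeout and the 'Varonis*' service display-name filter are assumptions, and Get-Service -ComputerName requires Windows PowerShell 5.1.

```powershell
# Added example (not from the original post). Run from the Probe or Collector (Windows PowerShell 5.1).
function Test-VaronisFilerPort {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,  # monitored file server (placeholder)
        [int]$Port = 4972,       # port the Probe uses to reach the Varonis Filer Logger
        [int]$TimeoutMs = 3000   # assumed wait before a silent port is reported as FILTERED
    )
    $result = [ordered]@{ Server = $ServerName; Port = $Port; State = ''; Detail = '' }
    # Step 1: resolve the host name, which is also portqry's first step
    try { $addr = [System.Net.Dns]::GetHostAddresses($ServerName) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1 }
    catch { $addr = $null }
    if (-not $addr) {
        $result.State = 'NAME RESOLUTION FAILED'; $result.Detail = 'Check DNS as seen from the Probe'
        return [pscustomobject]$result
    }
    # Steps 2 and 3: connect to the port and see whether anything is listening
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($addr, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST came back: portqry would report FILTERED
            $result.State = 'FILTERED'
            $result.Detail = "No reply in $TimeoutMs ms; a firewall or other service is blocking the connection"
        } else {
            $client.EndConnect($async)   # throws a SocketException if the host answered with RST
            $result.State = 'LISTENING'
            $result.Detail = 'Filer Logger port accepted the connection; check the Probe event log next'
        }
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.Net.Sockets.SocketException] -and $ex.SocketErrorCode -eq 'ConnectionRefused') {
            $result.State = 'NOT LISTENING'
            $result.Detail = 'Host reachable but nothing bound to the port; the Filer Logger is stopped or failing'
        } else { $result.State = 'FILTERED'; $result.Detail = $ex.Message }
    } finally { $client.Close() }
    # NOT LISTENING: query the Varonis services remotely, the same view Computer Management gives.
    # The 'Varonis*' display-name filter is an assumption; adjust it to the agent's actual service names.
    if ($result.State -eq 'NOT LISTENING') {
        $svc = Get-Service -ComputerName $ServerName -DisplayName 'Varonis*' -ErrorAction SilentlyContinue
        if ($svc) { $result.Detail += '; services: ' + (($svc | ForEach-Object { "$($_.DisplayName)=$($_.Status)" }) -join ', ') }
        else { $result.Detail += '; no Varonis services visible (agent removed, or no admin rights on the server)' }
    }
    return [pscustomobject]$result
}

Test-VaronisFilerPort -ServerName 'FILESERVER01'   # placeholder; use the server named in the alert
```

A timeout is reported as FILTERED and a TCP reset as NOT LISTENING, which is the same distinction portqry draws; run it with the account the Probe uses so the service query reflects the Probe's own rights.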

Tuesday, October 8, 2013

Using Varonis to find misconfigured Exchange mailboxes

One of the wonderful features of Varonis DatAdvantage is the 3d-Users and Groups List report.  On the surface it is just a list of all of the users and groups in the domain, but with the creative use of filters and the Extended Properties, you can answer a lot of useful questions.

For example, during the migration of mailboxes from Exchange 2003 to Exchange 2010, there are mailboxes where certain attributes may not be updated correctly, and this becomes obvious once the old Exchange server is shut down. One of these attributes is the user's homeMTA. If you look at the field it will be something like this.

CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com

As you can see, the MTA is listed as being deleted and needs to be corrected. One way to identify these in Varonis is to use the 3d report.

First we have to add homeMTA to the Extended Properties.  As the Active Directory attributes are typically pulled once a night, we need to run the AD Walk and then the Pull AD jobs manually.

Then we can move on to reporting in 3d and develop a query like this:

The key component is to look for the "DEL" phrase in the homeMTA field.

Run this report and now you have a list of mailboxes to fix.

Once again, the 3d-report can be your best friend.
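As an added cross-check that is not part of this post, the same condition can be tested directly against Active Directory with the RSAT ActiveDirectory module rather than the 3d report: the script below keys on the "\0ADEL:" tombstone marker and the Deleted Objects container that appear in the homeMTA value shown above. The function names, the abbreviated sample DNs and the use of Get-ADUser are assumptions of this example.

```powershell
# Added example (not from the original post). Finds users whose homeMTA points at a deleted MTA object.
function Test-DeletedHomeMTA {
    param([string]$HomeMTA)
    # A live homeMTA looks like CN=Microsoft MTA,CN=<server>,CN=Servers,...
    # A tombstoned one carries "\0ADEL:<guid>" in the RDN and sits under CN=Deleted Objects,
    # which is the "DEL" phrase the post's 3d report filter looks for.
    if ([string]::IsNullOrEmpty($HomeMTA)) { return $false }
    return ($HomeMTA -match '\\0ADEL:' -or $HomeMTA -match '(?i)CN=Deleted Objects')
}

function Get-MailboxWithDeletedHomeMTA {
    Import-Module ActiveDirectory
    # DN-syntax attributes such as homeMTA do not support LDAP substring matching,
    # so request only users that have the attribute and evaluate the value client-side.
    Get-ADUser -Filter 'homeMTA -like "*"' -Properties homeMTA, mail |
        Where-Object { Test-DeletedHomeMTA $_.homeMTA } |
        Select-Object SamAccountName, mail, homeMTA
}

# Constructed samples: the first is an abbreviated healthy value, the second is the shape shown in the post
$samples = @(
    'CN=Microsoft MTA,CN=EXCH2010,CN=Servers,CN=Configuration,DC=Company,DC=com',
    'CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com'
)
$samples | ForEach-Object { '{0} -> {1}' -f $_.Substring(0, 30), (Test-DeletedHomeMTA $_) }

# Against the domain (needs the RSAT ActiveDirectory module and read access to the user objects):
# Get-MailboxWithDeletedHomeMTA | Export-Csv .\homeMTA-to-fix.csv -NoTypeInformation
```

The exported list should match what the 3d report returns once homeMTA has been added to the Extended Properties and the AD Walk and Pull AD jobs have run.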