Monday, September 1, 2014

Identify Servers with Duplicate SIDs in Varonis

One of the challenges in managing a multitude of Windows servers is that Microsoft allows more than one server to have the same SID within a domain.  This usually happens because people clone an existing server and then change the name.  Varonis DatAdvantage uses the SID as a unique identifier for the server in some portions of its system.  The primary impact is in managing local groups.  So if we have two or more servers in DatAdvantage with the same SID, only one of them will correctly collect and report on the local security groups, such as the Administrators group.  We can identify these servers by running a SQL Server query from the IDU server.  Here is the query.

use vrnsDomainDB;

-- List every filer whose filerIdentity (SID) is shared with at least one other filer
select filer_hostname, filer_ipaddress, filerIdentity
from filers
where filerIdentity in (
    select filerIdentity
    from filers
    group by filerIdentity
    having count(filerIdentity) > 1
)
order by filerIdentity;

Sunday, June 22, 2014

Varonis Troubleshooting: RPC Failures

In Varonis DatAdvantage the Probe and the monitored Windows file server communicate using the RPC services.  When events are not being collected or the Probe cannot reach the Windows server, one place to look when troubleshooting the problem is the Windows event log on the Probe.

If we receive the error message that the RPC server is unavailable, how do we go about discovering the root cause of the problem?  PORTQRY is a tool from Microsoft that allows you to test connectivity from one server to another.  To test connectivity to a monitored server, go to the Probe or Collector that is failing to collect events or run the file walk.  Run the following command:

portqry -n ServerName -p TCP -e 4972

The command should be able to:

1)    Resolve the host name
2)    Connect to the port 4972 (which Varonis uses to connect to the service)
3)    See that the port is in Listening state.

If the response is Filtered, then there is a firewall or some other service blocking the connection.  If the response is Not Listening, then the Varonis Filer Logger is not running or has errors.  At that point, go to the server and check the status of the service.
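
The same three checks can be scripted from the Probe when PortQry is not installed or when several monitored servers need testing at once. The PowerShell below is an added example, not part of the original post or of any Varonis tooling; the function name Test-FilerLoggerPort and the server names are hypothetical. It assumes that a refused connection corresponds to PortQry's Not Listening and that a timeout or unreachable error corresponds to Filtered.

```powershell
# Added example: classify a TCP port the way the PortQry output is read above.
function Test-FilerLoggerPort {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 4972,        # port the post says Varonis uses
        [int]$TimeoutMs = 3000    # assumption: no answer within 3 s counts as filtered
    )
    $r = [ordered]@{ Server = $ServerName; Port = $Port; Address = $null; State = $null }

    # Step 1: resolve the host name (first IPv4 address).
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($ServerName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
    } catch { $addr = $null }
    if (-not $addr) {
        $r.State = 'NAME NOT RESOLVED'
        return [pscustomobject]$r
    }
    $r.Address = $addr.ToString()

    # Steps 2 and 3: attempt the connection and interpret the outcome.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($addr, $Port)
        if ($task.Wait($TimeoutMs)) { $r.State = 'LISTENING' }
        else { $r.State = 'FILTERED' }   # silently dropped: firewall or similar
    } catch {
        # Wait() wraps the socket error; unwrap to the innermost exception.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq 'ConnectionRefused') {
            $r.State = 'NOT LISTENING'   # host answered, nothing bound to the port
        } else {
            $r.State = 'FILTERED'        # timed out, unreachable or blocked
        }
    } finally {
        $client.Close()
    }
    return [pscustomobject]$r
}

# Constructed server names; replace with the monitored file servers.
'FILESRV01', 'FILESRV02' | ForEach-Object { Test-FilerLoggerPort -ServerName $_ } |
    Format-Table -AutoSize
```

A state of NOT LISTENING points at the Varonis Filer Logger service on the monitored server, while FILTERED points at the network path between the Probe and that server.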