Sunday, June 22, 2014

Varonis Troubleshooting: RPC Failures

In Varonis DatAdvantage the Probe and monitored Windows file server communicate using the RPC services.  When events are not being collected or the Probe cannot reach the Windows server one place that you look to troubleshoot the problem is the Windows event log on the Probe.

If we receive the error message that the RPC server is unavailable, how go we go about discovering the root cause of the problem?  PORTQRY is a tool from Microsoft that allows you to test connectivity from one server to another.  To test connectivity to a monitored server, go to the Probe or Collector that is attempting to collect events or run the file walk and failing.  Run the following command:

portqry –n ServerName –p TCP –e 4972

The command should be able to:

1)    Resolve the host name
2)    Connect to the port 4972 (which Varonis uses to connect to the service)
3)    See that the port is in Listening state.

If the response is Filtered than there is a firewall or some other service blocking the connection.  If the response is Not Listening than the Varonis Filer Logger is not running or has errors.  At that point, go to the server and check the status of the service.