Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

These alerts generally have one of the following causes:

1) The server no longer exists. (Disable it in, or remove it from, Varonis.)
2) Someone has upgraded or rebuilt the server, so the agent no longer exists on the box. (Manually install the agent.)
3) Someone has disabled or removed the Varonis services. (After uncovering the reason for the change, you can manually reinstall the agent.)
4) There are connectivity problems getting to the server. (This needs to be fixed outside of the Varonis infrastructure.)

If you have administrative credentials on the monitored server, it is helpful to run Computer Management on the probe and connect it to the monitored server. What the tool shows, or fails to show, from the probe may provide additional clues to the problem. Looking through the Varonis event logs on the monitored server via Event Viewer on the probe can also be helpful.
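The same checks can be scripted from the probe to tell the four causes apart. This Windows PowerShell script is an added example, not Varonis tooling or code from the original post; it assumes the agent's service and event log names contain "Varonis" and that RPC-based remote management from the probe to the server is allowed.

```powershell
# Run in Windows PowerShell 5.1 on the probe, as an account with admin rights on $Server.
param(
    [Parameter(Mandatory)][string]$Server,   # monitored server named in the alert
    [string]$Pattern = 'Varonis'             # assumption: agent service/log names contain this
)

# Causes 1 and 4: does the server still exist in DNS, and is it reachable?
try { $null = Resolve-DnsName -Name $Server -ErrorAction Stop }
catch { "DNS: $Server does not resolve. Server retired or renamed?"; return }
foreach ($port in 135, 445) {                # RPC endpoint mapper and SMB
    $t = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
    "TCP ${port}: reachable = $($t.TcpTestSucceeded)"
}

# Causes 2 and 3: is the agent installed, and are its services running and enabled?
try { $svc = @(Get-Service -ComputerName $Server -DisplayName "*$Pattern*" -ErrorAction Stop) }
catch { "Service query failed: $($_.Exception.Message)"; return }
if ($svc.Count -eq 0) {
    "No services matching '$Pattern': agent is not installed (server rebuilt or upgraded?)"
} else {
    $svc | Format-Table Name, Status, StartType -AutoSize
}

# Cause 3: Service Control Manager events for a service state change (7036)
# or a start type change (7040) help date when the agent was stopped or disabled.
$scm = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040 }
Get-WinEvent -ComputerName $Server -FilterHashtable $scm -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object Message -Match $Pattern |
    Select-Object -First 10 TimeCreated, Id, Message | Format-List

# Most recent entries from any event log whose name matches the pattern.
Get-WinEvent -ComputerName $Server -ListLog "*$Pattern*" -ErrorAction SilentlyContinue |
    ForEach-Object {
        "--- $($_.LogName) ---"
        Get-WinEvent -ComputerName $Server -LogName $_.LogName -MaxEvents 5 -ErrorAction SilentlyContinue |
            Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
    }
```

If DNS and the port checks succeed but the service query fails, the account or a host firewall rule is the more likely problem than the agent itself.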

1 comment:

  1. Very helpful... a big "like" from Brazil. Thank you.