Kaseya Community

Agent Procedures & Emails

  • Hi,

    Wonder if anyone can assist me with the following. I have an agent procedure that checks a server for it's Symantec EP antivirus definitions and then sends an email to me and writes it to the procedure log.

    The procedure is working brilliantly except for 2 little problems;

    1. I have to run 2 separate procedures - 1 procedure for Windows Server 2008 and 1 procedure for Windows Server 2003 as the file is located in different locations.

    2. I get a separate email for each server that the procedure runs on.

    My question is as follows;
    Is it possible to combine the 2 procedures into one and tell it to choose where to look for the specified file depending on the OS version and to then send 1 email with all the information?

    Any assistance would be greatly appreciated.
    Thank you in advance.

    MW

  • Yes.  For every line in the procedure you have the option to tell it which OS to run on.  So you can combine the two procedures and specify which OS to run each check on.

    -Max

  • Michael,

    would you be willing to post your script for checking the SEP server AV def's?

    I'm currently using the event logs to monitor SEP and have found from Symantec a list of logs and what they stand for  

    service1.symantec.com/.../2008080711443448

  • Here is what I have found from the same Symantec list Danrche posted that is of use for both Norton and Symantec AV products;

     

     

    Event ID Type Source Category Description
    SAV-Corporate Edition
    2 Information *AntiVirus*  *Scan Complete:  Threats: *   Scanned: *
    Norton/Symantec AV virus definition update failed
    4 Information *AntiVirus* *Update to computer * of virus definition file * failed*
    4 Error *AntiVirus* *Update to computer * of virus definition file * failed*
    Norton/Symantec AV - Threat Detected
    5 Error *AntiVirus* * *Virus Found!Virus name:*
    5 Error *AntiVirus* *Threat Found*
    Symantec AV - Risk Detected
    46 Error *AntiVirus* *Security Risk Found*
    Norton/Symantec AV - New virus definition file loaded
    7 Information *AntiVirus* *New virus definition file loaded*

    I have also found that the virus definition version number loaded is recorded in the registry however it does not make any sense, meaning there is no way to match the definition with a date to find out if it is out of date or not. Another alternative which unfortunately only works for Windows XP, Vista and 7 systems (requires Security Center) is this script that I posted;

    Scripts - Antivirus Update Status Check (Audit)

     

     

     

     



    [edited by: HardKnoX at 8:29 PM (GMT -7) on 10-14-2010] typo
  • I'm no pro with SEP but I did see errors in the log for when the deff's are out of date, is this not a good way to monitor deff updates? I really don't care what version they're on, just that they've been out of date for longer then 2 days.

  • Hi,

    It is 22H10 by my clock so please excuse any typos. I can't take the credit for the original procedure, found it while browsing the web and modified it as required to work on Windows Server 2008. I will post the procedure @ work tomorrow since I see there is no easy "Copy & Paste" functionality for procedures.

    @Max Pruger - Thanks for the suggestion, I will give it a bash tomorrow and see if it works, will post my outcome.

    @Anyone else :) - Any thoughts on how to get a single email to be sent with all the servers and required definition information.

    Thanks

    MW

  • @MW

    You would want to execute scripts when certain monitored events occur and log them in the Agent Procedure/Script logs. This means you will need to break up your Monitoring sets into smaller components and create a script that logs an entry that explains why it has occurred. That way you can generate a report on all of the computers rather than receive an email per computer that you have to compile after the fact. Doing it this way also allows you to report on positive/successful events such as “AV has been update” without triggering an alert which causes incorrect Executive Summary Report lowering your total Network Health score.

    These Agent Procedure/Script logs don’t look very flash hopefully this will improve with the promised customized reporting I have heard so much about from Kaseya.

    @danrche

    Yes the Event ID’s 7 and 16. The problem is the Definition ID is not time stamped in the registry or the event logs so the new update could be an update from 2 weeks ago if you are using a server to download the updates for the network and the client was not powered on for a month. For me it is sort of a not enough information problem.

    I guess all that can be done about it is to run a script to create a time stamp when the related Event ID occurs and then you create an audit script to match the audit run time against the time stamp. (e.g.: if older than x days AV definition is out of date).

    now I just need the time to script and test all of this :(