Security scan hitting webport, showing in errorlog, breaking reporting

opeth (ADSM.ORG Member, joined Feb 3, 2016)
I am using Operations Center, and have a large majority of nodes showing "at risk" due to getting "warning" flags. Looking at the logs, I see the issue. We have a security scan hitting the web port and it's getting logged in the errorlog, tripping off a warning in ops center for the nodes.

Is there an option in the opt file to disable diag logging in the error log? A way to tell it to ignore ANS0361I errors? Maybe a way to filter them out in Operations Center?
Example of the log. This is what happens during the scan. Turning off scanning is not an option:

08/23/2016 11:37:57 ANS0361I DIAG: isFileNameValid: Invalid file name Home.do - file type not allowed.
08/23/2016 11:37:57 ANS0361I DIAG: Error opening input file en/main.js
08/23/2016 11:37:57 ANS0361I DIAG: isFileNameValid: Invalid file name mgmt/login?dest=%2Fmgmt%2Fgui%3Fp%3Dhome&reason=&username= - file type required.
08/23/2016 11:37:57 ANS0361I DIAG: isFileNameValid: Invalid file name dms2/Login.jsp - file type not allowed.
08/23/2016 11:37:58 ANS0361I DIAG: Error opening input file robots.txt
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: Invalid file name login - file type required.
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: Invalid file name sitemap.xml - file type not allowed.
08/23/2016 11:37:58 ANS0361I DIAG: Error opening input file home.htm
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: Invalid file name .cobalt - file type not allowed.
08/23/2016 11:37:58 ANS0361I DIAG: Error opening input file sws/data/sws_data.js
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: Invalid file name admin.back - file type not allowed.
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: Invalid file name wcd/system.xml - file type not allowed.
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: No file name specified.
08/23/2016 11:37:58 ANS0361I DIAG: Error opening input file js/Device.js
 
I am using Operations Center, and have a large majority of nodes showing "at risk" due to getting "warning" flags. Looking at the logs, I see the issue. We have a security scan hitting the web port and it's getting logged in the errorlog, tripping off a warning in ops center for the nodes.

To be "At Risk", the node has to miss or fail a backup for longer than the "At Risk" threshold. Are the backups for these nodes also missed or failed? If so, that's why they are at risk. Check the dsmsched.log for these nodes to see if the last scheduled backup was successful.

Is there an option in the opt file to disable diag logging in the error log? A way to tell it to ignore ANS0361I errors?
No. Also, it's not an error (doesn't end with E), it's an informational message, so should not cause the backup to fail, therefore, it's not what would make it at risk.
 
Perhaps I have something misconfigured, but WARNING flagged nodes ARE showing in "at risk" metrics.
 
The backups complete, then a scan happens outside the backup window and I get a bunch of return code 8 warnings and the server is set at risk in OC.
 
Perhaps I have something misconfigured, but WARNING flagged nodes ARE showing in "at risk" metrics.
Check the status of their last backup, they likely failed or finished with a warning, that's why they are at risk.

And a warning causing the backup to not be successful will make it at risk. A warning outside the backup (restore, queries, etc.) would not make it at risk, only a failed or missed backup would.
 
They are absolutely finishing successfully without a doubt.
 
08/24/2016 00:48:50 --- SCHEDULEREC STATUS BEGIN
08/24/2016 00:48:50 Total number of objects inspected: 141,756
08/24/2016 00:48:50 Total number of objects assigned: 116,750
08/24/2016 00:48:50 Total number of objects backed up: 839
08/24/2016 00:48:50 Total number of objects updated: 0
08/24/2016 00:48:50 Total number of objects rebound: 0
08/24/2016 00:48:50 Total number of objects deleted: 0
08/24/2016 00:48:50 Total number of objects expired: 5
08/24/2016 00:48:50 Total number of objects failed: 0
08/24/2016 00:48:50 Total number of subfile objects: 0
08/24/2016 00:48:50 Total number of bytes inspected: 61.64 GB
08/24/2016 00:48:50 Total number of bytes transferred: 1.19 GB
08/24/2016 00:48:50 Data transfer time: 3,111.95 sec
08/24/2016 00:48:50 Network data transfer rate: 401.09 KB/sec
08/24/2016 00:48:50 Aggregate data transfer rate: 699.85 KB/sec
08/24/2016 00:48:50 Objects compressed by: 0%
08/24/2016 00:48:50 Total data reduction ratio: 98.07%
08/24/2016 00:48:50 Subfile objects reduced by: 0%
08/24/2016 00:48:50 Elapsed processing time: 00:29:43
08/24/2016 00:48:50 --- SCHEDULEREC STATUS END
08/24/2016 00:48:51 --- SCHEDULEREC OBJECT END INTEL_0015 08/24/2016 00:15:00
08/24/2016 00:48:51 Scheduled event 'INTEL_0015' completed successfully.
08/24/2016 00:48:51 Sending results for scheduled event 'INTEL_0015'.
08/24/2016 00:48:51 Results sent to server for scheduled event 'INTEL_0015'.


Yet Operations center says:
 

Attachments

  • Untitled.jpg (79.9 KB)
See this screenshot. I have the list sorted by "at risk"; notice the top says 40% of 851 systems are "at risk", yet only a handful are in the "missed" status.
 

Attachments

  • upload_2016-8-24_14-10-28.png (66.5 KB)
How long is your "At risk" value? Is it less than a day?

Can you check if that client sends error messages to the TSM Server:
q ac begind=-2 node={nodename}

Is it possible that there is more than one schedule associated with that node?
 
It does send messages to the TSM server, and they look successful from the server side; I do not see any warnings.

There is only one schedule.

At risk values are 1 day. I tried them at 2 to see if it would clear it up and it didn't.
 
Check to isolate warnings and errors only for that node:
q ac search=AN?????W node={nodename} begind=-2
q ac search=AN?????E node={nodename} begind=-2
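The reply about ANS0361I not being an error relies on the TSM message-code convention (the trailing letter gives the severity: I, W, E, S), and the two `q ac search=AN?????W` / `AN?????E` queries above apply that convention as a wildcard on the code. The following Python script is an added example, not code from the thread or from IBM: it parses client-style log lines, classifies each message by its severity suffix, reproduces the `?`/`*` wildcard search on the message code, and counts severities with the scanner's ANS0361I DIAG noise filtered out, so a genuine warning or error is not buried. The sample lines are taken from the thread's own log excerpts except the ANS1512E line, which is constructed for illustration (the node in the thread actually finished successfully); the wildcard matching is an approximation of the server's SEARCH behaviour, not its implementation.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Embedded sample so the script runs offline. The ANS0361I lines are copied from the
# dsmerror.log excerpt in the thread; the ANE4251W line is the thread's activity-log
# message re-joined onto one line; the ANS1512E line is constructed for illustration.
SAMPLE_LOG = """\
08/23/2016 11:37:57 ANS0361I DIAG: isFileNameValid: Invalid file name Home.do - file type not allowed.
08/23/2016 11:37:57 ANS0361I DIAG: Error opening input file en/main.js
08/23/2016 11:37:58 ANS0361I DIAG: isFileNameValid: No file name specified.
08/24/2016 00:31:05 ANE4251W (Session: 3235, Node: ***) System Writer file 'smcinst.exe': not found. (SESSION: 3235)
08/24/2016 00:48:51 ANS1512E Scheduled event 'INTEL_0015' failed.  Return code = 12.
"""

# "<date> <time> <code> <text>"; the code is AN + subsystem letter + 4 digits + severity letter.
MSG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (AN[A-Z]\d{4}[IWES]) (.*)$")
SEVERITY = {"I": "informational", "W": "warning", "E": "error", "S": "severe"}


def parse(lines):
    """Return (timestamp, code, severity, text) for every line that carries a message code."""
    out = []
    for line in lines:
        m = MSG_RE.match(line)
        if m:
            ts, code, text = m.groups()
            out.append((ts, code, SEVERITY[code[-1]], text))
    return out


def search(lines, pattern):
    """Approximate 'q ac search=PATTERN' on the message code: ? = one char, * = any run."""
    return [r for r in parse(lines) if fnmatchcase(r[1], pattern.upper())]


def severity_counts(lines, ignore=frozenset()):
    """Count messages by severity, optionally dropping known-noise codes such as ANS0361I."""
    return Counter(r[2] for r in parse(lines) if r[1] not in ignore)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("all messages:", dict(severity_counts(lines)))
    print("without scanner DIAG noise:", dict(severity_counts(lines, ignore={"ANS0361I"})))
    for r in search(lines, "AN?????W") + search(lines, "AN?????E"):
        print(r[0], r[1], r[3][:60])
```

Run against a real dsmerror.log or a saved `q ac` listing, the filtered count is the quick way to see whether anything beyond the scanner's informational DIAG lines is actually present for a node.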
 
At risk values are 1 day. I tried them at 2 to see if it would clear it up and it didn't.
It would not clear right away. There's a refresh interval, not sure what it is though.
 
Well, you were right. I didn't see these in the logs on the client for some reason.


2:30:51 PM TSMVMWARE : q ac search=AN?????W node=*** begind=-2
Date/Time Message
-------------------- ----------------------------------------------------------
08/23/2016 00:28:39 ANE4251W (Session: 52975, Node: ***) System Writer
file '\\***\c$\program files (x86)\symantec\symantec
endpoint protection\12.1.5337.5000.105\smclu\setup\smcin-
st.exe': not found. (SESSION: 52975)
08/24/2016 00:31:05 ANE4251W (Session: 3235, Node: *** ) System Writer file
'\\***\c$\program files (x86)\symantec\symantec
endpoint protection\12.1.5337.5000.105\smclu\setup\smcin-
st.exe': not found. (SESSION: 3235)
 
Still, the backup was successful and I wish I could have the "at risk" based on that.

Thanks for your help, guess I'll have to work on clearing these.
 