Multiple Endpoint Security Linux agents report as one entry in cloud console

Article ID: 224817

Products

Endpoint Security

Issue/Introduction

Multiple SES (Symantec Endpoint Security) Linux agents report as only one entry in the cloud console. For example, you may have installed five agents, but only the last one appears in the ICDm (Integrated Cyber Defense Manager) console.

This creates the impression that Linux agents are not checking in with the cloud or are "disappearing" from the console, because the single entry shows only the name of the last agent that checked in.

Cause

The content of /etc/symantec/caf-shared/cafmachineid is "UNKNOWN" even though the OS returns a valid UUID (i.e. "sudo dmidecode | grep -i uuid" returns a valid UUID).

There will also be "UNKNOWN" values in the [agent-details] section of /opt/Symantec/cafagent/bin/CAFStorage.ini, e.g.:

...
[agent-details]
uuid=UNKNOWN
authorized_agent=1
source_id=UNKNOWN
hardware_id=UNKNOWN
os-type=Linux
machine_id=UNKNOWN
..
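
To confirm whether a given Linux endpoint shows the two symptoms described above, a check along these lines can be run on it. This is an added example, not vendor code: only the two file paths come from this article, while the function names, the `--check` switch, the script name and the environment-variable overrides are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Default paths are the two files named above;
# the variable names and the --check switch are hypothetical.
MACHINE_ID_FILE="${MACHINE_ID_FILE:-/etc/symantec/caf-shared/cafmachineid}"
STORAGE_INI="${STORAGE_INI:-/opt/Symantec/cafagent/bin/CAFStorage.ini}"

# Succeeds when the machine ID file is readable and holds only "UNKNOWN".
machine_id_unknown() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "UNKNOWN" ]
}

# Prints each key of the [agent-details] section whose value is UNKNOWN.
unknown_agent_keys() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[agent-details\]/); next }
        in_sec {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val == "UNKNOWN") print key
        }
    ' "$1"
}

# Returns 0 when clean, 1 when either symptom is present,
# 2 when neither file is readable (agent absent or insufficient rights).
check_host() {
    id_file=$1; ini=$2; rc=0
    if [ ! -r "$id_file" ] && [ ! -r "$ini" ]; then
        echo "SKIP: neither $id_file nor $ini is readable"; return 2
    fi
    if machine_id_unknown "$id_file"; then
        echo "AFFECTED: $id_file contains UNKNOWN"; rc=1
    fi
    if [ -r "$ini" ]; then
        keys=$(unknown_agent_keys "$ini" | tr '\n' ' ')
        if [ -n "$keys" ]; then
            echo "AFFECTED: $ini [agent-details] UNKNOWN keys: $keys"; rc=1
        fi
    fi
    [ "$rc" -ne 0 ] || echo "OK: no UNKNOWN identifiers found"
    return "$rc"
}

# Runs only when invoked as: sudo sh check_caf_id.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host "$MACHINE_ID_FILE" "$STORAGE_INI"
fi
```

An exit status of 1 means at least one of the two symptoms is present on the host, so the script can be run across a fleet to list the agents that collapse into the single console entry.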

Resolution

This issue has been fixed in the SEP 14.3 RU4 (14.3.2417) Linux Agent. Upgrade to that version.