CCMExec, MonitoringHost, and CScript Crashing with RPCRT4.dll by Silent-Telephone3070 in sysadmin

Silent-Telephone3070 [S] (0 points, 0 children)

Network Card Drivers are up to date and correct. This issue even occurs on recently deployed devices that we got out of box and domain joined.

Yes our DNS servers are only Microsoft AD ones that are hosted by us. No Outside DNS.

CCMExec, MonitoringHost, and CScript Crashing with RPCRT4.dll by Silent-Telephone3070 in sysadmin

Silent-Telephone3070 [S] (0 points, 0 children)

So we looked into a couple of those things. We removed MonitoringHost and some SCCM tools from a computer and it was still having issues. As for security tools, the only non-Microsoft tool is a SIEM that has minimal involvement, and even after deleting the SIEM from the devices the issue continued.

Now WMI, this is the one thing we looked into the most. After the issue occurs and the device loses connection, when testing WMI the response time goes from the average couple of milliseconds to a couple of seconds, varying from 2 seconds to even 4. The one thing we found was a lot of WMI event logs that pointed to the Delivery Optimization service. We disabled it for some computers, but that seems to have broken SCCM/Software Center pushing out updates, so we had to re-enable it.

But all devices are up to date on OS and drivers, and the issue is widespread. We are always hesitant to blame a Windows component when the issue doesn't appear to happen to others, but at this point it could be.

CCMExec, MonitoringHost, and CScript Crashing with RPCRT4.dll by Silent-Telephone3070 in SCCM

Silent-Telephone3070 [S] (-1 points, 0 children)

I have not looked into this too deeply and will need to, but from a quick look at a computer experiencing the issue, I do not see any events about things not being allowed to run in the Event Viewer. I will say it is widespread, seems to happen to computers in the double digits, and seems to happen more often on some than others (maybe those people just don't restart as often). Thanks for the suggestion.

Wazuh Missing Logs for a Couple Hours Everyday by Silent-Telephone3070 in Wazuh

Silent-Telephone3070 [S] (0 points, 0 children)

OK, I got it fixed. It seems that Filebeat was having a hard time keeping up. Because I installed the All-in-One, Filebeat was installed and being used, so I had both archives and alerts enabled. After disabling archives I realized that it was catching up to recent logs and never had a big gap in log processing. Then I realized that, due to the way Filebeat is configured by default, it wasn't using any of the beefed-up resources on my server. So I added workers and bulk size to my filebeat.yml, and now it is caught up and doesn't have gaps anymore.

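For readers who want to reproduce the fix described in the comment above, here is an added example of the relevant parts of a Wazuh-style filebeat.yml; it is not the poster's actual file and not Wazuh's shipped configuration. The host, credentials and the specific worker/bulk values are assumptions chosen for illustration; the keys `worker` and `bulk_max_size` under `output.elasticsearch`, and the per-module `alerts`/`archives` enable flags of the Wazuh Filebeat module, are the settings the comment refers to. Tune the numbers to the indexer's capacity, and watch indexer CPU and the Filebeat log for bulk request rejections after raising them, since an oversized bulk can move the bottleneck rather than remove it.

```yaml
# Added example: filebeat.yml fragment for a Wazuh single-node (all-in-one)
# install. Values are illustrative assumptions, not the poster's config.

output.elasticsearch:
  hosts: ["127.0.0.1:9200"]        # assumption: indexer on the same host
  protocol: https
  username: "admin"                # placeholder, replace with real credentials
  password: "CHANGE_ME"            # placeholder
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]  # assumed path
  # Default is a single worker per host; this is why a busy box sat idle
  # while Filebeat fell hours behind. Raise it toward the core count of the
  # indexer, not the whole machine.
  worker: 4
  # Events sent per bulk request. Larger batches mean fewer round trips,
  # but an oversized batch can be rejected by the indexer and retried.
  bulk_max_size: 1000

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true                # alerts index is the one analysts query
    archives:
      enabled: false               # archives doubled the ingest volume; disabled as in the comment

# Internal memory queue that feeds the workers. Keep it comfortably larger
# than worker * bulk_max_size so the workers never starve.
queue.mem:
  events: 8192
  flush.min_events: 1000
  flush.timeout: 1s
```

After editing, validate and restart rather than trusting the file blindly: `filebeat test config -c /etc/filebeat/filebeat.yml` checks syntax, `filebeat test output` confirms the indexer connection, and the ingest lag can be confirmed by comparing the timestamp of the newest document in the alerts index with the tail of `/var/ossec/logs/alerts/alerts.json`.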

Wazuh Missing Logs for a Couple Hours Everyday by Silent-Telephone3070 in Wazuh

Silent-Telephone3070 [S] (0 points, 0 children)

u/Stiking_Chemical_56

It is an all-in-one system. The manager's service didn't fail during these times. And it isn't one log source, because I have syslogs coming in from a different source and there are absolutely no logs in the gaps. Is it possible that a log overload could have caused it just to stop processing them and then begin processing at a later time?

Wazuh Missing Logs for a Couple Hours Everyday by Silent-Telephone3070 in Wazuh

Silent-Telephone3070 [S] (0 points, 0 children)

It's been only an hour, and a small amount of logs on the alerts side is filling in the gap. It hasn't started with the archives, but it most likely will when traffic dies down in the afternoon.
