
Sophos Duplicate IDs

I just wanted to share the Perl script I wrote to find duplicate unique IDs in Sophos. It scans the IIS logs looking for duplicate GUIDs.

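#Stephen
#Check for Duplicates
use strict;
use warnings;

my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();   # GUID => address the GUID was first seen with
my %hDup = ();   # addresses that have already been reported

open(my $fh, '<', $file) or die $!;
while (<$fh>)
{
    # Captures: [0] first 143.55.x.x address on the line, [1] second 143.55.x.x address, [2] GUID
    my @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
    # Skip header lines and any line without two addresses and a GUID
    next unless @data;
    #print $data[0] . "\n";
    if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
    {
        # GUID was already seen with a different address: print this address once
        if (not exists $hDup{$data[1]})
        {
            print $data[1] . "\n";
            $hDup{$data[1]} = $data[1];
        }
    }
    else
    {
        $hash{$data[2]} = $data[1];
    }
}
close($fh);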

I have more info on my blog about it.

http://www.stephenjc.com/2011/08/23/sophos-duplicate-ids/
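
A broader take on the scan described in the post, as an added example (not Stephen's script and not Sophos code): it groups every address seen per GUID instead of printing only the later one, and flags GUIDs whose addresses alternate in log order. The sample lines are constructed, any IPv4 address is accepted rather than only 143.55.x.x, and treating alternation as a stronger sign of cloned IDs than a one-time address change is an assumption of this sketch.

```python
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Same shape as the pattern in the post: address, address, then a GUID.
LINE_RE = re.compile(
    r"\b(" + IPV4 + r")\b.*?\b(" + IPV4 + r")\b.*?\{?(" + GUID + r")\}?"
)

# Constructed sample lines; the field layout is an assumption, not real output.
SAMPLE = """\
#Fields: constructed header line, skipped by the parser
2011-08-22 10:00:01 143.55.1.10 POST /msg 143.55.20.5 {11111111-2222-3333-4444-555555555555}
2011-08-22 10:00:09 143.55.1.10 POST /msg 143.55.30.1 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
2011-08-22 10:01:30 143.55.1.10 POST /msg 143.55.20.9 {11111111-2222-3333-4444-555555555555}
2011-08-22 10:02:00 143.55.1.10 POST /msg 143.55.30.1 {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
2011-08-22 10:03:12 143.55.1.10 POST /msg 143.55.20.5 {11111111-2222-3333-4444-555555555555}
2011-08-22 10:04:40 143.55.1.10 POST /msg 143.55.40.2 {0f0f0f0f-0000-1111-2222-333333333333}
2011-08-22 11:15:00 143.55.1.10 POST /msg 143.55.30.7 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
"""


def find_shared_guids(lines):
    """Map each GUID seen from more than one address to its addresses."""
    seen = defaultdict(list)  # guid -> second address per line, in log order
    for line in lines:
        if line.startswith("#"):  # header/comment lines carry no requests
            continue
        match = LINE_RE.search(line)
        if match:
            seen[match.group(3).lower()].append(match.group(2))

    report = {}
    for guid, addrs in seen.items():
        distinct = list(dict.fromkeys(addrs))  # de-duplicate, keep order
        if len(distinct) < 2:
            continue
        # Collapse consecutive repeats. If an address comes back after another
        # one used the GUID, two hosts are reporting with it at the same time.
        runs = [a for i, a in enumerate(addrs) if i == 0 or a != addrs[i - 1]]
        report[guid] = {
            "addresses": distinct,
            "interleaved": len(runs) > len(distinct),
        }
    return report


if __name__ == "__main__":
    for guid, info in find_shared_guids(SAMPLE.splitlines()).items():
        print(guid, info["addresses"], "interleaved" if info["interleaved"] else "sequential")
```

A GUID reported as sequential can be a single machine that changed address, so check it against DHCP leases before treating it as a duplicate.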

  • Ok then. Here's what I did (WARNING: you'll lose the computers' history and all associated events and statistics!):

    • add a (or use an existing) subscription of a different version - just enough different to force a major install, so any slightly backlevel should do
    • assign the appropriate updating policy to the dubious computers' group (it's probably better to do it for one "multi-identity" at a time)
    • locate the computer in the database, make note of its IdentityTag and, when it complies with the new policy, delete (SQL DELETE) its record; it also disappears from the group
    • it takes some time after which more than one computer should appear in the Unassigned group
    • watch for the known identity to reappear (or, unlikely, a computer to reappear in the console group) - if so, repeat the applicable steps

    I can only guess how it works so I'll spare you my explanation (unless you really want it). I hope my recollection is correct. Use at your own risk.

    Christian
