I stumbled onto this article in the New Jersey Star Ledger about “Dell Hell”. This is funny considering today at work I had to threaten to use Tee Morris' phrase “podcast their a**”. Though I did not say that to them specifically. We ordered memory for a PowerEdge 2650 server almost a month ago. My coworker struggled with our Dell rep to track it down. That pulled in another Dell employee. After the run around for a few days we find out someone canceled our order. Dell still has not said who on their end did it. We sure didn’t. We need this memory for our email server. My coworker had enough when the new person in the mix from Dell gave her the run around asking for the PO Number. Yeah, the one that was in the subject line of every email in the chain. Sheesh. Dell has just gotten so pathetic. We got a two month run around earlier this year just trying to order one desktop. Another time another coworker even emailed our rep’s boss and got no response and finally got our rep to reply. Earlier in 2006 I got the three week run around just trying to order a mini PCI wireless card for a desktop. This all would not be so sad if it were not for the fact that Dell goes through such trouble to slap Service Tags on everything. Ordering stuff should be as simple as citing the service tag, getting the quote for the right part, submitting the PO and getting your part a few days later. But it isn’t. Do yourself a favor and consider other vendors than Dell at least for another year. At least unless you can threaten to tell 2000+ IT admins via a podcast you cohost and eliminate Dell from your global employer as a vendor. All for a few sticks of memory. It is the only way to make them take your money.
Oops almost forgot. I modified the dumpevt.ini file to change the date format to
DateFormat = yyyy-MM-dd
I have been having fun learning how to combine Dumpevt from Somarsoft and MS Log Parser. Let me say once you start to get the hang of it you can do some cool things. Also MS makes a great PDF for Security Event information. You can modify the below to make your own reports for those various IDs.
For example the below makes a CSV (comma-separated file) showing all user accounts that had EventID 644 lockouts the previous day. Download dumpevt, MS Log Parser and the header file I made into one folder together. Then put the below commands into a bat file in the same folder. Remove my comments, the lines beginning with a dash.
- First we call dumpevt for three domain controllers. Obviously this bat file has to be executed as a user who has rights to pull the logs remotely. Dumpevt will actually concatenate the dumps into one file, since each call appends to the same outfile.
dumpevt /computer=PDC /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC01 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC02 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
- Second we create a temp.csv file concatenating the header I provided with the output of the dumpevt calls.
type dumpevt-header.csv > temp.csv
type 644.csv >> temp.csv
- Next we call Log Parser. We tell it the input is in CSV format and the first row is the header. We specify what format we want the timestamps in for output. Next we select all fields, parse out the user account name where eventID is 644 and the date is the previous day. We go from temp.csv into a new file temp2.csv and have the output in date-time order.
LogParser -i:CSV -headerRow on -iTSFormat:"yyyy-MM-dd" "SELECT *, SUBSTR(EXTRACT_TOKEN(Strings, 1, '^'), 23) AS Account INTO temp2.csv FROM temp.csv WHERE EventID = 644 AND Date = TO_DATE(SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('2', 'd'))) ORDER BY Date, Time"
- Last we run the temp2.csv through Log Parser once more. This will generate a csv file called 644report.csv with the columns Date, Time, Computer and the Account that was locked out. Note it drops all entries where the user account name is blank. This happens with some 644 events. I am not sure yet why but I am still teaching myself all about this log parsing and interpretation.
LogParser -i:CSV -headerRow on -iTSFormat:"yyyy-MM-dd" "SELECT Date, Time, Computer, Account INTO 644report.csv FROM temp2.csv WHERE STRLEN(Account) > 1"
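As an added illustration (not the author's batch file or Log Parser's own code), here is the same filter-and-extract logic in plain Python run over a constructed dumpevt-style CSV. The column names and the 23-character label in front of the account name are assumptions taken from the query above; the real header file may carry more columns.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample in the shape the two Log Parser passes expect: a header
# row, then one event per row. Strings is '^'-delimited and its second token
# holds "Target Account Name:" padded to 23 characters before the account.
SAMPLE_CSV = """Date,Time,Computer,EventID,Strings
2006-09-14,23:58:01,PDC,644,User Account Locked Out^Target Account Name:   jdoe^Caller Machine Name:   WS01
2006-09-15,08:12:44,BDC01,644,User Account Locked Out^Target Account Name:   asmith^Caller Machine Name:   WS07
2006-09-15,08:12:45,BDC01,529,Logon Failure^Unknown user name or bad password^Caller Machine Name:   WS07
2006-09-15,09:30:00,BDC02,644,User Account Locked Out^Target Account Name:   ^Caller Machine Name:   WS09
2006-09-15,07:45:10,PDC,644,User Account Locked Out^Target Account Name:   bjones^Caller Machine Name:   WS02
2006-09-16,01:00:00,PDC,644,User Account Locked Out^Target Account Name:   jdoe^Caller Machine Name:   WS01
"""


def account_from_strings(strings: str) -> str:
    """Mirror SUBSTR(EXTRACT_TOKEN(Strings, 1, '^'), 23): take the second
    '^'-separated token and drop the 23-character label ahead of the name."""
    tokens = strings.split("^")
    if len(tokens) < 2:
        return ""
    return tokens[1][23:]


def lockout_report(csv_text: str, today_iso: str):
    """Both Log Parser passes in one go: keep EventID 644 rows dated yesterday
    (the TIMESTAMP('2','d') idiom subtracts one day), pull out the account,
    drop rows whose account is blank (STRLEN(Account) > 1), and order by
    Date then Time. Returns (Date, Time, Computer, Account) tuples."""
    yesterday = (date.fromisoformat(today_iso) - timedelta(days=1)).isoformat()
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["EventID"] != "644" or r["Date"] != yesterday:
            continue
        account = account_from_strings(r["Strings"])
        if len(account) <= 1:
            continue
        rows.append((r["Date"], r["Time"], r["Computer"], account))
    return sorted(rows)


if __name__ == "__main__":
    # Run "as of" 2006-09-16 so the report covers 2006-09-15.
    for row in lockout_report(SAMPLE_CSV, "2006-09-16"):
        print(",".join(row))
```

The blank-account row is dropped exactly as in the second Log Parser pass, and the row from the day before yesterday and the non-644 event never make it into the report.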
I have to say once you have the settings all tweaked out eTrust ITM works really well. It has cleaned a good bit of spyware off many high risk PCs such as those of the customer service folks. The main things to watch are setting up multiple internal signature distribution servers, understanding how policy objects override at each branch and finally how the reporting frequency works. Also you need to understand how the polling for clients works. The scan type discovery only works for v7.1 and r8 clients. If you are not seeing your older v7 and v6 clients make sure you are using a specified election for subnets remote to the admin server.
When installing the client with the remote install tool I also found you can cheat: do a silent install with no forced reboot. Just start the services on the PC and away you go.
Well after my lovely experience with CA support I actually got an email at work from the VP of Tech Support at CA. We had a really good conversation. He completely agreed that my experience should have been better than that. I did explain once I get a tech at CA I get my issue answered and more. It is just getting to one that is the problem. The new eTrust is working great (once installed on Win2k3). I did have one follow-up experience with tech support since then. There was a minor question I had about the stat generation and event notification under the new version. I spent 35 mins on hold. Then I finally got a ring, then a beep, then dead air. I sat there for a full minute and no one came on the line. I took the VP up on his offer to let him know of any future support experience. So I dropped him an email. I did explain it was not an emergency issue but I felt he could use data on the hold times etc. in his efforts to gain more resources to improve support. He had a tech call me back shortly after the email. The tech was very helpful and answered all my questions.
The Support VP told me they were working full steam on replacing that horror of a web site. Maybe even opening it back up to the public. After all I know I and other friends browse support forums prior to making purchasing decisions. Every product has its issues. But knowing what they are and how freely options are can still justify going forward with a product.
I have been using CA products for nearly 10 years. I remember when what is now eTrust and Brightstor were Inoculan and Arcserve. They came in brown boxes back then. I probably know more than the second tier support if not some of the third. Yet when I updated to r8 eTrust ITM (Integrated Threat Management) I found ITM hates Windows NT 4.0. Yeah I know that is an old platform but I was not ready to move my admin console to a new box and just wanted to upgrade in place to keep all my settings. Of course after the first round of updates ITM eats itself on NT. So I call CA for support. After all I pay for maintenance. I sat on hold for thirty minutes. The message does nothing to tell you how much longer you have to wait. So being busy I hung up and called back. I asked for a call back position on the list. Two and a half hours later… Nothing. NADA. I call back and am told they are picking up from the queue quickly. OK then why the heck was I not called back?!? So I go into the queue again. Five minutes and I get a person. He puts me on hold to look up my information even though I provided my site ID. Fifteen minutes later I am hearing some odd ring back tone. Five minutes of that and I hang up. I call back to the support number and insist on a call back. Any guesses when I got it? That is right, 24 hours later. After four reloads, with the last one being as just a signature distribution server so all my clients remain protected. That finally worked. Of course it lost all my settings. Though easy enough to redo it is still frustrating. Why could they not provide an export settings feature? When they finally called back the lady was nice enough but I told her straight up too late. I solved it myself by moving to a 2003 server box.
Don’t even get me started on how bad their support web site sucks. Takes 20 minutes to find anything. I even remember when they changed it to the atrocity it is now. You cannot find documents in the knowledge base I know were there before.
Good products do not mean great support and in the end can motivate someone to change the platform for an entire enterprise. CA would do well to remember even IT guys want decent support like any user.
Oh my lordy. I finally got a Sony 32″ HD LCD TV today over at Sams. My old 27″ TV tuner went out and we had about 6 working channels. So for fun I am trying out my Xbox 360 as a DVD player hooked up via the HD cable. What a difference the picture has in HD. I had long ago bought an Xbox Media Center Universal Remote to use with my 360 once I get it running as an extender to my HP z545 Media Center. Unfortunately the same thing that knocked out my TV blasted the power supply in my z545. The replacement should be here tomorrow. But in the mean time if you need the TV codes to program your Xbox remote they can be found here.
Well, finally had to reload my Thinkpad R40 from scratch. Windows XP lost its mind. For those who are curious here is a list of what I loaded back onto it once I was done with the Lenovo and Windows updates.
Loaded on my freshly redone forensics laptop
- FTK Ultimate Toolkit from Access Data – http://www.accessdata.com/
- CA Antivirus v7.1
- Paraben P2X Explorer – http://paraben.com/
- Live View http://liveview.sourceforge.net/
- Cain and Abel – http://www.oxid.it
- IrfanView – http://www.irfanview.com/
- Office 2003
- PDF Creator – http://sourceforge.net/projects/pdfcreator/
- Adobe Reader v7
- Winhex – http://www.x-ways.net/winhex/
- Passware – http://www.lostpassword.com/
- Datalifter v2 – http://www.datalifter.com/products.htm
- ISO Buster – http://www.isobuster.com/