Video Screencast Help

SSIM Sensors and Collectors

Created: 22 Nov 2010 • Updated: 18 Jul 2011 | 6 comments
This issue has been solved. See solution.

Hi there,

I am using ssim 4.7.2 patch 1:

I have one server which have an agent. The agent collects from 3 different DC's (by the sensors) the events and pass it to the SSIM server. 

Almost every day we have a crash in the server and we don't know the answer to that. The average events per second is about the normail (moves between 200-1900 EPS).

When I watch the log on the server agent (on the server which collects from the DC's events), I get WARN masseges like that:

WARN 2010-11-14 08:04:42,895
Collectors.3105.wGroup.[workinggroup0].Sensor.[dc1] Thread-39883 Gap in event sequence was detected. Last record #121052380 was generated 2010.11.12 at 17:30:52 GMT+02:00, New record #121284489 was generated 2010.11.14 at 07:58:15 GMT+02:00
How can you solve my problem?
It means that I will have to install on each DC an agent?

Comments 6 CommentsJump to latest comment

BadBoo's picture

is this EPS per machine or overall? AFAIK the maximum EPS per collector is ~2200. So if your Windows machines generate larger amount of events per second - you'll need to install more collectors.

Normally the "Gap in event sequence was detected" warning is generated when the eventlog file was rolled over, that means you're losing events. To prevent this you should increase the maximum file size for EventLog, then during the non-working hours sensor will catch up events it was not able to collect in real-time.





kolik9's picture

The sum of the whole events are about 2000 (at the maximum) for all of the sensors!

Is there any way doing that in real time and not other way?

All I need to do is to go to the log and increase it to how much? And.. Do you mean by changing it in the config file? Which config file is that? (sesaeventacceptor? in the filesize=11600?)


BadBoo's picture

No, not by changing any Symantec-provided config file. I  meant the size for Windows Event Log which you can set after right-clicking at the EventLog in the Event Viewer. There's no recommended value as every environment has it's own specifics. Please try increasing the limit until the warning dissapears (and the size is reasonable). Google says the average event size is about 500 bytes. With your eventflow it means ~1Mb per second.

Other way is splitting the load between 2 collectors. This will help to provide realtime collection during peak hours.

Another reason for the warning you provided might be an event log corruption. Did you see something like

WARN  2009-09-04 14:36:30,492               Collectors.3105.wGroup.[workinggroup0].Sensor.[hostname]        Thread-124                ERROR in WindowsEventlog.dll: ERROR_CODE[1500]. failed with error: The event log file is corrupted.

before the WARN you pasted here in your log?



kolik9's picture

I have the following error codes:

This is from the first server agent:

ERROR_CODE[6]. failed with error: The handle is invalid.

ERROR_CODE[1722]. failed with error: The RPC server is unavaliable.

This is from the second server agent:

ERROR_CODE[1500]. failed with error: The event log dile is corrupted ->

Like you said! But if I open the event log in the sensor server than it's all fine and I can read!

ERROR_CODE[1203]. WNetAddConnection2 failed with error: No network provider accepted the given network path.

Every server collects events from 2-3 DC's in the domain.

BadBoo's picture

i don't know the reasons for corruption, but the error WNetAddConnection2 failed with error: No network provider accepted the given network path means that server you are trying to read from is inaccessible. May something happen to your server which brings it offline for some time? That could also be a reason for curruption.



kolik9's picture

I deleted the security log (%systemroot%) from the sensor server and it fixed part of it.

I have a lot of logs in the server and all I get is 1-2 lines every 2-3 hours and this is a DC server so I can't get only 2-3 INFO lines.. This is weird!

Do you have any reason why is that happened?