Data Center Security

  • 1.  DCS:SA agent is online but no events

    Posted Mar 14, 2017 07:17 AM

    I have a server where the DCS:SA agent is reporting online and can accept policy changes, e.g. prevention policy - disabled. An event gets generated when I use "discover apps" and I see the entry.

    After a couple of days, I see that there are no events on the UMC portal or Java Console for the same server. Yet, when I log on to the server and run the event viewer, events are logging but they are almost 12 days behind??? How is this possible? What is it with this agent? I have other agents that are working fine and reporting events.

    What can I do to resolve this issue? The customer doesn't really want to re-install/uninstall and restart as it's a critical server.

    Any suggestions?

    DCS:SA v. 6.6 MP1

    Thanks in advance for any help.



  • 2.  RE: DCS:SA agent is online but no events

    Broadcom Employee
    Posted Mar 14, 2017 07:30 AM

    Is the client configured for bulk log upload?



  • 3.  RE: DCS:SA agent is online but no events

    Posted Mar 14, 2017 08:06 AM

    No, removed that option.



  • 4.  RE: DCS:SA agent is online but no events

    Posted Mar 14, 2017 09:52 AM

    Maybe disk space restrictions in the common config? I usually change the stop logging option to 98% and restart logging option to 97%.



  • 5.  RE: DCS:SA agent is online but no events

    Posted Mar 15, 2017 01:37 AM

    Checked, plenty of disk space.
     



  • 6.  RE: DCS:SA agent is online but no events

    Posted Mar 15, 2017 10:22 AM

    It doesn't really matter if there is plenty of space. If it meets the threshold it will stop sending events. Try changing the stop logging option to 98% and the restart logging option to 97%.



  • 7.  RE: DCS:SA agent is online but no events

    Posted Mar 29, 2017 07:08 AM

    Just for clarity, you run the discover app and you see the event, then after a couple of days you check the event viewer on the local machine and it's only showing old events that are 12 days old or so. Just trying to understand, is the application discovery event visible in the management piece of the event viewer? It has to be, so does that mean it's specifically Prevention or Detection events that are not showing in the UMC?

    Sounds to me like it's most likely a space issue, as pointed out by Shane-at-Convencus, or bulk logging. Otherwise, are you sure the security group is configured correctly, and the machine hasn't just been pushed out a null policy or an incorrect config file that is set to bulk log etc.?



  • 8.  RE: DCS:SA agent is online but no events
    Best Answer

    Posted Mar 29, 2017 07:47 AM

    There was an issue with the agent. Had to re-install the agent and it is now reporting back. Also had the network guys check the infrastructure.