Today we updated ESM to 11.0.3 and ESM does not show any new events, alerts, etc. We have combo box 5600.
Jul 17 19:12:46 McAfee libJobServer.so: KafkaConsumer failed to consume from kafka broker 127.0.0.1:9092
Jul 17 19:12:47 McAfee IPSDBServer: Local: Message timed out
Jul 17 19:12:48 McAfee healthmon: Unknown Healthmon ID for V=1,S=3,@=2752,Process zookeeper is not running.
Jul 17 19:12:49 McAfee IPSDBServer: Alerts loaded to bus: Count=0, Resend Count=876962, last_time_event: 0
Jul 17 19:12:50 McAfee IPSDBServer: GetAlertsDirectForDatabus: Alarm source event not pushed, trying again...
and so on...
Receiver / ELM Properties shows Status: NotOK not running: kafkaconfigctl, zookeeper, brokers
Any help on this? Thank you.
Just checked /var/log/kafkactl.log and it shows:
Jul 17 19:21:30 INFO |Starting Kafa Databus
Jul 17 19:21:30 L_ERROR 05704|/etc/NitroGuard/subscriptions_esm.conf does not exist!
Jul 17 19:22:29 INFO |This server is not ready to start the databus.
Jul 17 19:22:29 INFO |Exiting main loop.
Jul 17 19:22:29 L_INFO 05704|Waiting for broker(s) to shutdown
Jul 17 19:22:32 L_INFO 05704|Waiting for Zookeeper(s) to shutdown
if it helps...
Have you logged a call with McAfee support on this?
Also, did you run a write command on the data sources again and do a manual rules update after the upgrade? The rules update could help as it's where all the parsers come from.
Yep, I'm aware of that, but it's not so easy to let anyone access our SIEM; it's the customer's SIEM, we are just supporting them. It'll be a long-lasting process, so for that reason I decided to ask it here...
Let me know when you're free. I may have a fix for your problem. I replicated the same thing and now have a resolution.
Check if the GUID in /etc/NitroGuard/devSettings.conf is the same as the one in /etc/NitroGuard/cluster.conf.
We have the same issue. You can see the output of the /var/log/kafkactl.log file below. Could you help me?
Aug 28 08:08:05 INFO |Exiting main loop.
Aug 28 08:08:05 L_INFO 01561|Waiting for broker(s) to shutdown
Aug 28 08:08:08 L_INFO 01561|Waiting for Zookeeper(s) to shutdown
Aug 28 08:08:11 INFO |Restarting service.
Aug 28 08:08:11 L_ERROR 01561|/etc/NitroGuard/subscriptions_rec.conf does not exist!
Aug 28 08:09:10 INFO |This server is not ready to start the databus.
Can you check whether the GUID in /etc/NitroGuard/devSettings.conf is different from the one in /etc/NitroGuard/cluster.conf?
If it is, mine was fixed by copying the GUID from /etc/NitroGuard/devSettings.conf to /etc/NitroGuard/cluster.conf and restarting the services, that is, the databus service.
So run service Databus restart. Then if you monitor the kafkactl.log file it shouldn't show the brokers or zookeepers shutting down.
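Added example (not from any poster and not McAfee's own tooling): a POSIX shell check that compares the GUID in devSettings.conf and cluster.conf and counts the two failure signatures seen in the posted kafkactl.log excerpts, so the mismatch can be confirmed before anything is copied or restarted. The thread does not show the config key names, so the script assumes the GUID is the first UUID-shaped value in each file; the default paths are the ones named above.

```shell
#!/bin/sh
# Assumption: the GUID is the first UUID-shaped value in each config file.
UUID_RE='[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}'

# Print the first UUID-shaped value found in a file (empty if none or file missing).
extract_guid() {
    grep -o "$UUID_RE" "$1" 2>/dev/null | head -n 1
}

# Exit 0 when both files carry the same non-empty GUID, 1 otherwise.
guids_match() {
    a=$(extract_guid "$1")
    b=$(extract_guid "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Count log lines matching the failure signatures shown in the thread:
# a missing subscriptions_*.conf and "not ready to start the databus".
databus_failure_lines() {
    grep -c -e 'subscriptions_.*\.conf does not exist' \
            -e 'not ready to start the databus' "$1" 2>/dev/null || true
}

# Full check. Arguments: devSettings.conf, cluster.conf, kafkactl.log
# (defaults are the ESM paths named in the thread). Exit 0 only when the
# GUIDs match and no failure signature is present; prints each finding.
check_databus() {
    dev=${1:-/etc/NitroGuard/devSettings.conf}
    clu=${2:-/etc/NitroGuard/cluster.conf}
    log=${3:-/var/log/kafkactl.log}
    rc=0
    if ! guids_match "$dev" "$clu"; then
        echo "GUID mismatch: $dev=[$(extract_guid "$dev")] $clu=[$(extract_guid "$clu")]"
        rc=1
    fi
    n=$(databus_failure_lines "$log")
    if [ "${n:-0}" -gt 0 ]; then
        echo "$n databus failure line(s) in $log"
        rc=1
    fi
    return $rc
}
```

On the ESM itself, source the file and run check_databus with no arguments; a non-zero exit with a "GUID mismatch" line is the condition the last post describes fixing.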