2 Replies Latest reply on Jan 11, 2013 6:04 PM by artek

    Event Collector not connecting to ESM

    phoenix

      Has anyone seen an issue where MEF is enabled on the receiver but the MEF Agent cannot connect to it? I cannot even telnet to the port specified on the receiver, but I am able to telnet to the SSH and HTTP/S ports, so I do not think it is a network issue.

        • 1. Re: Event Collector not connecting to ESM
          Chris Boldiston

          Hi Phoenix

           

           

          I would check that you have written out the DataSource and Policy to the receiver. Also check the DataSource Interface tab to make sure that the MEF port is set correctly there.


          Then you should be able to run `netstat -anp | grep <mef port number>` on the receiver and see it listening. In addition, you can run `iptables -nvL | grep <mef port>` and you should see a rule for your port and MEF agent IP address listed.

           

          If those are there on the receiver and you still cannot connect it is pointing to a network issue.

           

          If you need further troubleshooting I recommend that you open a support ticket and we can help you resolve the issue.

           

           

          Thanks

           

           

          Chris
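
The two receiver-side checks from the reply above, combined into one triage function. This is an added example, not part of the original thread: the function names, the verdict strings and the sample outputs are constructed for illustration, 192.0.2.10 stands in for the MEF agent address, and 8081 is the example port used later in the thread.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed; 192.0.2.10 stands in for the
# MEF agent address and 8081 is the example port used later in the thread.

# Succeeds if `netstat -anp` output on stdin shows a TCP listener on port $1.
is_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] == p) ok = 1 }
        END { exit !ok }'
}

# Succeeds if `iptables -nvL` output on stdin has an ACCEPT rule for port $1
# whose source is exactly $2 or 0.0.0.0/0 (other CIDR sources are not matched).
has_accept_rule() {
    awk -v p="$1" -v ip="$2" '$3 == "ACCEPT" && ($8 == ip || $8 == "0.0.0.0/0") {
            for (i = 10; i <= NF; i++) if ($i == ("dpt:" p)) ok = 1 }
        END { exit !ok }'
}

# triage PORT AGENT_IP NETSTAT_OUTPUT IPTABLES_OUTPUT -> prints one verdict
triage() {
    if ! printf '%s\n' "$3" | is_listening "$1"; then
        echo "not-listening"       # write out the DataSource/Policy, check the port
    elif ! printf '%s\n' "$4" | has_accept_rule "$1" "$2"; then
        echo "no-firewall-rule"    # receiver firewall has no rule for this agent
    else
        echo "check-network"       # both present: look between agent and receiver
    fi
}

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp   0  0  0.0.0.0:22      0.0.0.0:*        LISTEN  812/sshd
tcp   0  0  0.0.0.0:8081    0.0.0.0:*        LISTEN  2101/example
tcp   0  0  10.0.0.5:22     10.0.0.9:51514   ESTABLISHED 3010/sshd'

SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source       destination
   40  2400 ACCEPT tcp  --  *  *   0.0.0.0/0    0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT tcp  --  *  *   192.0.2.10   0.0.0.0/0   tcp dpt:8081'

# On a receiver: triage 8081 192.0.2.10 "$(netstat -anp)" "$(iptables -nvL)"
triage 8081 192.0.2.10 "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES"
```
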

          • 2. Re: Event Collector not connecting to ESM
            artek

            Hi Phoenix,

             

            You can also try running the following command on the ERC:

             

            tcpdump -i <interface> port <mef port>

             

            (If you don't know which interface you should use, try the 'ifconfig' command to see the list of interfaces with their addresses.) For example:

             

            tcpdump -i eth0 port 8081

             

            And then stop and start the Event Collector service. If it is not a network issue, you should see some traffic from the data source (MEF Agent) to the ERC.

             

             

            Next, if you are talking about Windows logs, the data source should be configured like this:

             

             

            [Screenshot: MEF.PNG]

             

            What is very important: the "Host ID" should be the same as the host name in the agent settings.

             

            Regards,

            Artur Sadownik